This chapter discusses the details of how to build secure ASP.NET MVC web applications, including guidance on how to secure web applications; the differences that need to be taken into account when securing Internet, intranet, or extranet applications; as well as how to take advantage of functionality built right into the .NET Framework that can help prevent the common security issues that most web applications face.
Benjamin Franklin once said that “an ounce of prevention is worth a pound of cure.” This statement conveys the philosophy that you should embrace when it comes to securing your web applications: the world is a dangerous place and web applications often represent attractive targets for would-be attackers, so you’re going to want to be prepared.
Unfortunately, there are no silver bullets when it comes to web application security. It isn’t as simple as including a library or making a method call. Security is something that needs to be baked into an application right from the start and not an afterthought that is tacked on at the last minute.
There are, however, a few security principles that we will explain over the next few sections that can have a great impact on creating more secure ASP.NET MVC web applications. If you keep these principles in mind as you design and implement your web applications, you have a much greater chance of avoiding some of the more common and serious security mistakes.
Just because ...