The OWASP Top 10 is the standard list of web application security risks, but applying it to .NET means knowing the specific places where .NET developers commonly stumble. ASP.NET Core ships with secure defaults for much of the list; the risk is mostly in code and configuration that overrides or bypasses those defaults.

SQL injection in the ORM era

SQL injection is less common in 2020 because ORMs (Entity Framework, Dapper with parameterised queries) parameterise by default. It re-emerges when developers build raw SQL by string concatenation or C# string interpolation and hand it to EF Core's FromSqlRaw (an interpolated string is already plain concatenated text by the time FromSqlRaw receives it), when stored procedures are invoked with string-interpolated arguments, or when dynamic query construction (sort columns, filter clauses) splices user input into the query. The mitigation: FromSqlInterpolated, which takes a FormattableString and turns every interpolation hole into a database parameter; parameterised queries in Dapper; and code review policies that flag string concatenation in SQL contexts. One caveat that parameterisation cannot fix: parameters carry values only, so a table or column name chosen by the user still has to be checked against an allow-list before it goes into the query text.
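The three injection shapes named above beside their parameterised forms, plus the identifier allow-list case, as an added example (not code from the original article). It assumes a .NET 6+ web project with implicit usings, EF Core with a SQL Server provider and Dapper; the `User` entity, `AppDbContext` and the `dbo.DeactivateUser` procedure are hypothetical names.

```csharp
// Added example: unsafe vs. safe raw SQL in EF Core and Dapper.
// `User`, `AppDbContext` and `dbo.DeactivateUser` are hypothetical.
using System;
using System.Data;
using System.Linq;
using Dapper;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string DisplayName { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public static class UserQueries
{
    // VULNERABLE: the caller-controlled value is spliced into the SQL text.
    // email = "' OR 1=1 --" returns every row.
    public static IQueryable<User> FindByEmailUnsafe(AppDbContext db, string email) =>
        db.Users.FromSqlRaw("SELECT * FROM Users WHERE Email = '" + email + "'");

    // VULNERABLE, and easy to miss in review: $"" produces a plain string before
    // FromSqlRaw ever sees it, so this is the same concatenation in disguise.
    public static IQueryable<User> FindByEmailStillUnsafe(AppDbContext db, string email) =>
        db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Email = '{email}'");

    // SAFE: FromSqlInterpolated receives a FormattableString and emits one
    // DbParameter per {hole}; the value never becomes part of the SQL text.
    public static IQueryable<User> FindByEmail(AppDbContext db, string email) =>
        db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {email}");

    // Stored procedure call with a parameter instead of an interpolated argument list.
    public static int DeactivateUser(AppDbContext db, int userId) =>
        db.Database.ExecuteSqlInterpolated($"EXEC dbo.DeactivateUser @UserId = {userId}");

    // Dapper: the anonymous object supplies parameters; @email is a placeholder.
    public static User? FindByEmailDapper(IDbConnection conn, string email) =>
        conn.QuerySingleOrDefault<User>(
            "SELECT Id, Email, DisplayName FROM Users WHERE Email = @email",
            new { email });

    // Parameters cannot carry identifiers. A user-selected sort column must be
    // mapped onto an allow-list and the allow-list entry spliced in, never the input.
    private static readonly string[] SortableColumns = { "Email", "DisplayName" };

    public static IQueryable<User> ListSorted(AppDbContext db, string requestedColumn)
    {
        string column = SortableColumns.FirstOrDefault(
            c => string.Equals(c, requestedColumn, StringComparison.OrdinalIgnoreCase))
            ?? "Email";
        // Safe only because `column` is one of our own constants.
        return db.Users.FromSqlRaw($"SELECT * FROM Users ORDER BY {column}");
    }
}
```

A review rule that matches `FromSqlRaw(` or `ExecuteSqlRaw(` followed by `"` + `$` or by string concatenation catches the first two methods; the allow-list pattern in `ListSorted` is the one legitimate use of a raw string with interpolation, and it deserves a comment saying so wherever it appears.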

Broken authentication and .NET Identity

ASP.NET Core Identity provides a well-tested authentication framework; the failures are in how it is configured and called. Common errors: not enforcing password length and complexity requirements, not enabling account lockout after repeated failed attempts (failed attempts are only counted when the sign-in call asks for lockout), accepting state-changing requests from cookie-authenticated sessions without anti-forgery tokens, and not setting the Secure and HttpOnly flags on authentication cookies. The ASP.NET Core Data Protection system encrypts and signs the authentication cookie; its defaults are secure if not overridden, with one operational caveat: in a multi-instance deployment the key ring must be persisted to storage shared by all instances, otherwise a cookie issued by one instance is rejected by another, and where keys are held only in memory every restart invalidates every session.
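A Program.cs that sets the four controls named above, as an added example (not code from the original article). It assumes a .NET 6+ web project with implicit usings and the Identity EF Core package; `ApplicationUser`, `AppDbContext` and the `Default` connection string name are hypothetical.

```csharp
// Added example: ASP.NET Core Identity with password policy, lockout,
// hardened cookie flags and anti-forgery on unsafe HTTP methods.
// `ApplicationUser`, `AppDbContext` and "Default" are hypothetical names.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));

builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Password policy. Length is the control that matters most; the character
    // class flags are spelled out so a reviewer sees what is enforced.
    options.Password.RequiredLength = 12;
    options.Password.RequireDigit = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireNonAlphanumeric = true;
    options.Password.RequiredUniqueChars = 4;

    // Lockout. AllowedForNewUsers must be true or lockout never applies;
    // the sign-in call must also pass lockoutOnFailure: true (see below).
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

    options.User.RequireUniqueEmail = true;
    options.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();

// Authentication cookie flags.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;                          // not readable from script
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // never sent over plain HTTP
    options.Cookie.SameSite = SameSiteMode.Strict;           // not sent on cross-site requests
    options.ExpireTimeSpan = TimeSpan.FromHours(1);
    options.SlidingExpiration = true;
});

// Anti-forgery: the token cookie gets the same flags, and the global filter
// rejects POST/PUT/PATCH/DELETE requests that carry no valid token.
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
builder.Services.AddControllersWithViews(o =>
    o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class ApplicationUser : IdentityUser { }

public class AppDbContext : IdentityDbContext<ApplicationUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

The lockout options above only take effect if the login action calls `SignInManager.PasswordSignInAsync(email, password, isPersistent, lockoutOnFailure: true)`; with the default `false` the failed-attempt counter is never incremented, which is the most common reason lockout "does not work" in deployed applications.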

Sensitive data exposure

ASP.NET Core provides the building blocks: HTTPS redirection middleware, HSTS headers, and Data Protection for encrypting sensitive fields at rest. The common gaps are operational: connection strings committed in appsettings.json, personally identifiable information written to application logs (structured loggers serialise whole objects, so a single {@Customer} placeholder can emit every property), stack traces returned to end users, and PII stored unencrypted in database columns. The mitigation: Azure Key Vault for secrets (User Secrets on developer machines, so nothing real ever lands in appsettings.json), Serilog destructuring policies to redact PII from logs, a generic error page or exception handler that does not expose exception details, and Data Protection applied to the PII columns.
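The four mitigations in one Program.cs, as an added example (not code from the original article): secrets read from Key Vault instead of appsettings.json, PII stripped from Serilog output, exception details kept off the wire, and a PII column encrypted with Data Protection through an EF Core value converter. It assumes a .NET 6+ web project with implicit usings and the Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets, Serilog.AspNetCore and EF Core SQL Server packages; the vault URL, `Customer`, `AppDbContext` and the `Default` connection string name are hypothetical.

```csharp
// Added example: Key Vault secrets, Serilog PII redaction, generic error
// handler, and a Data Protection value converter for a PII column.
// Vault URL, `Customer`, `AppDbContext` and "Default" are hypothetical.
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Serilog;

var builder = WebApplication.CreateBuilder(args);

// 1. Secrets: production pulls them from Key Vault via managed identity, so the
//    checked-in appsettings.json never holds a real connection string.
if (builder.Environment.IsProduction())
{
    builder.Configuration.AddAzureKeyVault(
        new Uri("https://example-vault.vault.azure.net/"),   // hypothetical vault
        new DefaultAzureCredential());
}

// 2. Logging: Log.Information("Saved {@Customer}", c) would serialise every
//    property. ByTransforming swaps the object for a projection without PII.
builder.Host.UseSerilog((ctx, cfg) => cfg
    .ReadFrom.Configuration(ctx.Configuration)
    .Destructure.ByTransforming<Customer>(c => new { c.Id, c.Country })
    .WriteTo.Console());

builder.Services.AddDataProtection();
builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));

var app = builder.Build();

// 3. Transport and errors: HSTS plus redirect outside Development; the handler
//    returns a trace id the caller can quote, never the exception.
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler(errApp => errApp.Run(async ctx =>
    {
        ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
        await ctx.Response.WriteAsJsonAsync(
            new { error = "Internal error", traceId = ctx.TraceIdentifier });
    }));
    app.UseHsts();
}
app.UseHttpsRedirection();
app.Run();

public class Customer
{
    public int Id { get; set; }
    public string Country { get; set; } = "";
    public string Email { get; set; } = "";       // PII: dropped from log output
    public string NationalId { get; set; } = "";  // PII: ciphertext in the database
}

// 4. At rest: the converter runs Protect on write and Unprotect on read, so the
//    column holds Data Protection ciphertext while the entity exposes plaintext.
public class AppDbContext : DbContext
{
    private readonly IDataProtector _protector;

    public AppDbContext(DbContextOptions<AppDbContext> options, IDataProtectionProvider provider)
        : base(options)
    {
        // The purpose string scopes the key; changing it makes old rows unreadable.
        _protector = provider.CreateProtector("Customer.NationalId.v1");
    }

    public DbSet<Customer> Customers => Set<Customer>();

    protected override void OnModelCreating(ModelBuilder mb)
    {
        var converter = new ValueConverter<string, string>(
            v => _protector.Protect(v),
            v => _protector.Unprotect(v));
        mb.Entity<Customer>().Property(c => c.NationalId).HasConversion(converter);
    }
}
```

Two consequences of the converter are worth stating in the data model's documentation: an encrypted column cannot be used in a WHERE clause or index (Data Protection output is randomised per call), and the key ring that protected the rows must be persisted and backed up, because losing it loses the column.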

Security misconfiguration in ASP.NET Core

Common ASP.NET Core security misconfigurations: CORS configured to allow all origins (a policy built with AllowAnyOrigin), the developer exception page enabled in production, Server and X-Powered-By headers advertising Kestrel, IIS and the framework, and debug endpoints (Swagger UI, diagnostics pages) reachable in production. The checklist: use environment-specific configuration (appsettings.{Environment}.json plus the IsDevelopment/IsProduction checks in startup), enable detailed error pages and debug tooling only in Development, turn off Kestrel's Server header (X-Powered-By is added by IIS rather than Kestrel and is removed in web.config), and use security header middleware (NWebsec or the SecurityHeaders package) to add Content-Security-Policy and related headers. Note that a CORS policy combining AllowAnyOrigin with AllowCredentials is rejected by the framework at startup, so an explicit origin allow-list is required as soon as cookies or Authorization headers are involved.
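A hardened startup that addresses the four misconfigurations above, as an added example (not code from the original article). Origins come from configuration so each environment carries its own list, and the headers are set by an inline middleware so the example depends on nothing beyond ASP.NET Core. It assumes a .NET 6+ web project with implicit usings and Swashbuckle.AspNetCore as the stand-in debug endpoint; the `Cors:AllowedOrigins` configuration key and the `/api/ping` route are hypothetical.

```csharp
// Added example: CORS allow-list from configuration, Server header off,
// dev-only debug tooling, and security headers on every response.
// "Cors:AllowedOrigins" and "/api/ping" are hypothetical names.
var builder = WebApplication.CreateBuilder(args);

// Environment-specific configuration: appsettings.Production.json overrides
// appsettings.json automatically, so the origin list differs per environment.
string[] allowedOrigins = builder.Configuration
    .GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddCors(options =>
{
    // WRONG: every site on the web becomes a client of this API.
    // options.AddDefaultPolicy(p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
    options.AddDefaultPolicy(p => p
        .WithOrigins(allowedOrigins)                      // explicit list, no wildcards
        .WithMethods("GET", "POST")
        .WithHeaders("Content-Type", "Authorization")
        .AllowCredentials());                             // only legal with explicit origins
});

// Kestrel sends "Server: Kestrel" unless told not to. X-Powered-By comes from
// IIS, not Kestrel, and is removed in web.config, not here.
builder.WebHost.ConfigureKestrel(k => k.AddServerHeader = false);

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

// Debug tooling and detailed errors exist only in Development.
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
    app.UseSwaggerUI();
}
else
{
    app.UseExceptionHandler("/error");
    app.UseHsts();
}

// Security headers. This sits early in the pipeline so the headers are in
// place before any endpoint starts writing its response.
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; object-src 'none'; " +
        "frame-ancestors 'none'; base-uri 'self'";
    h["X-Content-Type-Options"] = "nosniff";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    await next();
});

app.UseHttpsRedirection();
app.UseCors();
app.MapGet("/api/ping", () => Results.Ok(new { ok = true }));
app.Run();
```

The matching appsettings.Production.json entry is a `Cors` section with an `AllowedOrigins` array of full origins such as `https://app.example.com` (scheme and host, no path, no trailing slash). The CSP shown is a starting point that blocks inline scripts and framing; a site that relies on inline script will need nonces or hashes rather than a loosened `script-src`.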