Top Ten Security Threats
How To: Prevent Cross-Site Scripting in ASP.NET
How To: Protect From Injection Attacks in ASP.NET
How To: Protect From SQL Injection in ASP.NET
How To: Use Regular Expressions to Constrain Input in ASP.NET
After reading the above articles,
I summarized ways of prevention using ASP.NET technologies and Entity Framework.
Injection Compliance
-Enable ASP.NET request validation in the ASP.NET web.config file.
-Turn on custom error mode in the ASP.NET web.config file.
-Use server-side input validation controls to constrain inputs.
-Validate length, range, format and type for every input to the system.
-Use strong data typing.
-Encode every free-text field and unsafe output using HttpUtility.HtmlEncode.
-Validate file paths using System.IO.Path.GetFileName and System.IO.Path.GetFullPath.
-Use Request.MapPath to map a supplied virtual path to a physical path on the server.
-Prevent SQL injection attacks by using LINQ to Entities query syntax.
Broken Authentication and Session Management Compliance
-Use a salted hash for users' sensitive data.
-Use the SSL/TLS protocol for all credential data.
-Define the session timeout properly.
Cross-Site Scripting (XSS) Compliance
-Use regular expressions to constrain critical input fields in ASP.NET.
-Use the ASP.NET RegularExpressionValidator and RangeValidator to constrain server-side input controls.
-Encode every input from the user or from other sources such as databases.
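As an added example (not code from the original post), the following helper puts together the file-path validation item from the Injection Compliance list and the output-encoding item shared by the Injection and XSS lists. The class and method names, the allowed file-name pattern, and the base directory (which a Web Forms page would obtain with Request.MapPath) are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the original post: constrain a user-supplied
// file name to a fixed directory and encode free text before output.
public static class SafeInput
{
    // Assumed whitelist: simple names only (letters, digits, "_", "-", one extension).
    private static readonly Regex FileNamePattern =
        new Regex(@"^[A-Za-z0-9_\-]{1,64}\.[A-Za-z0-9]{1,8}$", RegexOptions.Compiled);

    // Resolve userSuppliedName inside baseDirectory, or return null when the
    // value is not a plain file name or would escape the base directory.
    public static string ResolveUploadPath(string baseDirectory, string userSuppliedName)
    {
        if (string.IsNullOrEmpty(userSuppliedName))
            return null;

        // Path.GetFileName drops any directory portion ("..\..\x.txt" -> "x.txt").
        string fileName = Path.GetFileName(userSuppliedName);
        if (!FileNamePattern.IsMatch(fileName))
            return null;

        // Path.GetFullPath normalizes ".." segments so the prefix check below is meaningful.
        string basePath = Path.GetFullPath(baseDirectory);
        if (!basePath.EndsWith(Path.DirectorySeparatorChar.ToString()))
            basePath += Path.DirectorySeparatorChar;

        string fullPath = Path.GetFullPath(Path.Combine(basePath, fileName));
        if (!fullPath.StartsWith(basePath, StringComparison.OrdinalIgnoreCase))
            return null;

        return fullPath;
    }

    // Encode free text before writing it into an HTML response so that
    // characters such as <, >, & and " render as text rather than markup.
    public static string EncodeForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```

A page would call ResolveUploadPath(Request.MapPath("~/Uploads"), Request["file"]) and refuse the request when the result is null, and pass any user-derived string through EncodeForHtml before placing it in the response.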
Insecure Direct Object References Compliance
-Give only specific users/groups access to your project and its related folders.
Security Misconfiguration Compliance
-Show only custom error messages to the user.
Sensitive Data Exposure Compliance
-Use modern cryptographic algorithms to encrypt all sensitive data.
Missing Function Level Access Control Compliance
-Make sure that your system menu and program list are populated based on the user's authorization level.
-Make sure that your system checks, before responding to a user request, that the request is valid for that user.
Cross-Site Request Forgery (CSRF) Compliance
-Use a CAPTCHA image to ensure that the request is not generated by a computer.
-Use a CSRF token to ensure that the specific page which sent request(s) to your server was created only by your server.
Using Known Vulnerable Components Compliance
-Always keep components/libraries updated.
Unvalidated Redirects and Forwards Compliance
-Make sure that your system always checks whether a URL and its parameters are valid before redirecting to it.