With .NET 5 released in November, it’s a good time to talk about some of the many improvements in the networking stack. This includes improvements around HTTP, Sockets, networking-related security, and other networking primitives. In this post, I will highlight some of the more impactful and interesting changes in the release. 

Issues Fixed in 15.9.22

• VS2017 C++ sometimes set wrong exception frame.

Security Advisory Notices

• Microsoft Visual Studio Elevation of Privilege Vulnerability
• Visual Studio Extension Installer Service Elevation of Privilege Vulnerability
• Git for Visual Studio Credential Leak Vulnerability due to insufficient validation on URLs 

Issues Fixed in 15.9.19

• Fixed an issue in C++ optimizer where the impact of writing to unknown memory inside a call wasn’t properly accounted for in the caller.

Security Advisory Notices

• ASP.NET Core Denial of Service Vulnerability
• ASP.NET Core Remote Code Execution Vulnerability

Issues Fixed in 15.9.16

• Assembly does not match code for function
• System.InvalidProgramException: Common Language Runtime detected an invalid program. when instrumenting x64 projects
• Cross-EH mode inlining of noexcept code produces unexpected behavior
• Corrected issue with HTML Help Workshop failing to repair.

Security Advisory Notices

• Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
• Denial of Service Vulnerability in .NET Core

The most popular Blockchain network at this moment is Bitcoin. It is a digital currency that has no central authority. Proof of Work allows Bitcoin to maintain security and validity without a middleman, bank. However, the price is a lot of computing time, therefore a lot of electricity. 

Phishing can happen to anyone, and hackers know that. What could happen if someone compromised your git repo? How about your email? FIDO security keys are awesome at preventing phishing. This talk explains how they work, how they can protect you, and what you can implement to protect your users. 

• Functional Defects
• Problems with the logic
• Missing Validation (e.g., edge cases)
• Usage of API
• Design Patterns
• Architectural Issues
• Testability
• Readability
• Security
• Naming conventions
• Team Coding Style
• Documentation
• Use of best practices
• Language-specific issues
• Use of deprecated methods
• Performance (e.g., complexity of the solution)
• Alternative solutions… 

NetEscapades.AspNetCore.SecurityHeaders 

A small package to allow adding security headers to ASP.NET Core websites. example :   

public void Configure(IApplicationBuilder app)
{
    var policyCollection = new HeaderPolicyCollection()
        .AddFrameOptionsDeny()
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365) // maxage = one year in seconds
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .RemoveServerHeader()
        .AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddFormAction().Self();
            builder.AddFrameAncestors().None();
        })
        .AddCustomHeader("X-My-Test-Header", "Header value");
    
    app.UseSecurityHeaders(policyCollection);
    
    // other middleware e.g. static files, MVC etc  
}

10 Points to Secure Your ASP.NET Core MVC Applications 

Broken authentication and session management

Sensitive Data Exposure & Audit trail

Cross-Site Scripting (XSS) attacks

Malicious File Upload

Security Misconfiguration (Error Handling Must Setup Custom Error Page)

Version Discloser

Cross-Site Request Forgery (CSRF)

XML External Entities (XXE)

Insecure Deserialization

SQL Injection Attack