Hacking the Code: Auditor's Guide to Writing Secure Code for the Web

In my never ending attempt to educate myself on web application security I thought it would be a great idea to look at this from the developer perspective. This text is a great piece on the ASP.NET side of development and security. It does a great job of showing what the developer may normally code and why that is NOT security oriented. It is a great tool for bridging the gap between security team and developer team so that you can speak intelligently on both even though you are NOT a developer or security professional. If you have an ASP.NET dev shop in your environment you should have someone if not everyone from your dev and security teams read this book to facilitate a more open line of commination between the two. Highly recommended.

Personally I work as a penetration tester, so Hacking the Code was right up my alley. I read the book over the course of a day, stuck at an airport. (...)Mark has a certain way of showing information to the reader in a very clear and thought-out manor. Content of the book may be of highly technical nature but it is very easy to read (a rare mix). By the end of the book I felt like I knew everything about ASP, its amazing how much there really is to know. If you work in the security industry then this book is a must, however, if you are a developer, webmaster or even someone curious about code security, READ IT. Highly recommend

This is a great book with a lot of really good ideas on improving ASP.NET applications and ASP.NET security. The book is organized into "ideas" which can help secure an ASP.NET (or really any) application. Beneath each idea is a list of what type of threats the specific idea mitigates, followed by the actual ASP.NET implementation. One thing I really liked about this book is that it's presented in a way which helps illustrate how hackers could infiltrate your web applications. I found this to be very effective in driving home a security lesson. The book is organized into ten different sections on aspects of ASP.NET security, which range from user management (which includes how to handle user names, passwords, and the like) to developing applications with security in mind (which includes issues like cross-site scripting attacks and error logging). Many sites with user management features provide a "Secret Question", which is used in case you forget your password. The secret questions often include questions like "What is the name of your favorite pet?" or "What city were you born in?". The book goes on to show that the secret question concept goes against everything security experts have been saying by demonstrating how hackers can use brute-force attacks along with educated guesses to gain unauthorized access. This book even discussed connection string issues and encryption in config files, which is an issue I am currently struggling with. Code examples are provided for all of the ideas presented, which are generally quite clever in and of themselves. If you are serious about improving the security in your ASP.NET applications, then do yourself a favor and read this book. I think you will find it was time well-spent.

I picked up this book after briefly meeting Mark Burnett at Blackhat this year. I've got to say it is really well written, well laid out and covers off all the major .NET issues in impressive detail. I review web application security for a living and I still learnt a thing or two :) The way in which he covers each of the common web programming flaws means it would still be useful to those who aren't already familiar with the details of application security. By using a lot of useful code examples, and the excellent summary sections make it a good reference book which will stay handy on my shelf for a long while.

I can't say enough good things about Mark Burnett's book Hacking the Code. From beginning to end it is a great read and a great resource. What impressed me from the beginning is how he was able to take such a wide range of difficult topics and make them sound so down to earth. The writing style is so polished and friendly that you almost forget that you are reading about pretty intensive topics. I was continually impressed at how well formatted the book was. Now, that almost seems unimportant to mention but it's not. Each section gives the goals of that section, the topic thoroughly covered, and then a summary, worth reading I must add, to close off the section. This impressed me because it is easy to read this from cover to cover and quickly grasp the subject matter. Or, if you are reviewing the section, you can use the summary to be reminded of the key points. VB.Net and C# code examples are plentiful, completely usable and easy to understand. This book is a must read. Even with the topics that I already had a good handle on, I felt that I was continually picking up new pieces of information and being challenged to review the security I already had in place. Hacking the Code is an easy read covering difficult topics in a consistent, complete and concise manner. I highly recommend this book without reservation.