Common vulnerabilities for WinForms applications

Posted by David Stratton on Stack Overflow See other posts from Stack Overflow or by David Stratton
Published on 2012-07-05T14:39:46Z Indexed on 2012/07/05 15:16 UTC
Read the original article Hit count: 889

Filed under:
|
|

I'm not sure if this is on-topic or not here, but it's so specific to .NET WinForms that I believe it makes more sense here than at the Security stackexchange site.

(Also, it's related strictly to secure coding, and I think it's as on-topic as any question asking about common website vulnerabiitles that I see all over the site.)

For years, our team has been doing threat modeling on Website projects. Part of our template includes the OWASP Top 10 plus other well-known vulnerabilities, so that when we're doing threat modeling, we always make sure that we have a documented process to addressing each of those common vulnerabilities.

Example:

SQL Injection (Owasp A-1)

  • Standard Practice
    • Use Stored Parameterized Procedures where feasible for access to data where possible
    • Use Parameterized Queries if Stored Procedures are not feasible. (Using a 3rd party DB that we can't modify)
    • Escape single quotes only when the above options are not feasible
    • Database permissions must be designed with least-privilege principle
    • By default, users/groups have no access
    • While developing, document the access needed to each object (Table/View/Stored Procedure) and the business need for access.
    • [snip]

At any rate, we used the OWASP Top 10 as the starting point for commonly known vulnerabilities specific to websites.

(Finally to the question)

On rare occasions, we develop WinForms or Windows Service applications when a web app doesn't meet the needs. I'm wondering if there is an equivalent list of commonly known security vulnerabilities for WinForms apps.

Off the top of my head, I can think of a few....

  • SQL Injection is still a concern
  • Buffer Overflow is normally prevented by the CLR, but is more possible if using non-managed code mixed in with managed code
  • .NET code can be decompiled, so storing sensitive info in code, as opposed to encrypted in the app.config...

Is there such a list, or even several versions of such a list, from which we can borrow to create our own? If so, where can I find it?

I haven't been able to find it, but if there is one, it would be a great help to us, and also other WinForms developers.

© Stack Overflow or respective owner

Related posts about .NET

Related posts about winforms