Title of Barry Dorrans' book "Beginning ASP.NET Security" is not quite inline with the contents of the book I would think. I would at least make the title 'Intermediate'. Because you may see some eyes roll, when you see "Beginner's..." in the title. However given that securing applications is a journey, rather than the destination, maybe he has a valid point.
Mr. Dorrans does a very thorough job covering many and various aspects of web security. First chapter opens up with a defaced web site and a list "do's", such as never trusting input, failing gracefully (not giving any useful information such as stacktrace), watching and logging actions, and using the least privilege principles while running the applications. Lot of times, I hear "we use SSL, we are secure". Such naive developer should really consider reading this book.
Chapter 2 explains how the web works, and this is totally beginner's chapter, but still a great refresher. Introduces Fiddler2, Tracing in asp.net, the ASP.NET pipeline and web forms. Chapter 3 is about user input. I have read the book "Writing Secure Code" and very glad to see Mr. Dorrans's referencing of this book in the second paragraph. Goes on to introduce cross-site scripting attack and protection of cookies, the out-of-the box Validation controls which classic ASP.NET offers.
Chapter 4 extends the user input validation in forms of query strings, form fields, events and such, and the main take away is the CSRF (Cross-site request forgery) attack. Enjoyed reading the section of writing an HTTP module to protect against CSRF attacks which is a few pages long. Chapter 5 dives into ViewState, validating it, encrypting it. Error handling and logging, exception handling, and WMIare precious gems to take away from this chapter as well.
Chapter 6 is about hashing and encryption. Then goes in depth with salting, storing passwords, types of encyrption which are very inline with the next chapter, about user names and passwords. The authentication and authorization are discussed. Chapter 8 is securing database access, and the well-known SQL-injection attack followed by another chapter on filesystem security. The fileupload control for asp.net is introduced.
Chapter 10 is about XML security, validating, parsing, querying and xpath injection. Really enjoyed the short to the point code snippets in this chapter. Another take away is signing and encrypting an XML document using X509 certificate.
Part III (the remaining chapters) are getting further closer to the metal and relatively new technologies (.NET 3.0 and up). WCF, RIA (Ajax) and CAS are discussed in detail in chapter 11, 12, and 13. I would think in the next release CAS is going to be revised for .NET 4. Chapter 14 is about IIS security, logging etc. Chapter 15, 3rd party authentication was quite welcome these days, really enjoyed the Open-ID introduction and examples around it. The final chapter is about security in the ASP.NET MVC framework, securing controller actions, anti-forgery token for XSS, and using filters to custom authorization which I am actively using in current project.
Really enjoyed reading this book. Covers many aspects of security in various technologies,areas offered by ASP.NET. Highly recommend any developer who is actively developing web pages utilizing the .NET stack.