Fixing Security issues raised by Veracode in .NET Core MVC
Static analysis tools like Veracode don’t just point out problems; they force us to write better, safer code.
In .NET Core MVC projects, I often see the same security issues repeated, especially in fast-moving teams.
Here are 3 real Veracode scenarios I’ve fixed recently and how you can fix them too:
1. SQL Injection (Even When You Think You’re Safe)
Veracode Finding:
Improper Neutralization of Special Elements used in an SQL Command
Real Scenario:
Developers build queries dynamically using string concatenation:
var query = "SELECT * FROM Users WHERE Email = '" + email + "'";
Even if the input looks harmless, Veracode will flag it.
Fix (Best Practice):
Always use parameterized queries or LINQ (Entity Framework or other ORM):
var user = _context.Users
.FirstOrDefault(u => u.Email == email);
Result: Secure + clean + Veracode -> Approved.
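The "even when you think you're safe" case deserves a concrete look. The following is an added example, not code from the original post; it assumes an EF Core context named AppDbContext with a Users DbSet and an Email column (both hypothetical). The second method is the trap: an interpolated string handed to FromSqlRaw is formatted into plain SQL text before EF Core ever sees it, so it is just concatenation in disguise, whereas FromSqlInterpolated receives a FormattableString and turns each placeholder into a DbParameter.

```csharp
// Added example (not from the original post). Assumes a hypothetical
// AppDbContext with DbSet<User> Users and a User.Email column.
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public class UserRepository
{
    private readonly AppDbContext _context;
    public UserRepository(AppDbContext context) => _context = context;

    // VULNERABLE (Veracode flags it): the caller-controlled string becomes SQL text.
    public User? FindByEmailUnsafe(string email)
    {
        var sql = "SELECT * FROM Users WHERE Email = '" + email + "'";
        return _context.Users.FromSqlRaw(sql).FirstOrDefault();
    }

    // STILL VULNERABLE: $"..." is formatted into a plain string before FromSqlRaw
    // runs, so nothing is parameterized. Looks safe, scans as concatenation.
    public User? FindByEmailLooksSafe(string email)
    {
        return _context.Users
            .FromSqlRaw($"SELECT * FROM Users WHERE Email = '{email}'")
            .FirstOrDefault();
    }

    // SAFE: FromSqlInterpolated keeps the FormattableString and binds {email}
    // as a DbParameter, so the value is never parsed as SQL (note: no quotes).
    public User? FindByEmailRawSafe(string email)
    {
        return _context.Users
            .FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {email}")
            .FirstOrDefault();
    }

    // SAFEST: plain LINQ, which EF Core translates to a parameterized query.
    public User? FindByEmail(string email)
    {
        return _context.Users.FirstOrDefault(u => u.Email == email);
    }
}
```

If you must keep raw SQL (stored procedures, vendor-specific syntax), prefer FromSqlInterpolated or FromSqlRaw with explicit parameter objects; the LINQ form is the one that leaves no room for a later refactor to reintroduce concatenation.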
2. Cross-Site Scripting (XSS) in Razor Views
Veracode Finding:
Improper Neutralization of Script-Related HTML Tags
Real Scenario:
User input is directly rendered in Razor view:
@Model.Comments
If malicious script sneaks in, your UI becomes an attack surface.
Fix:
Let Razor auto-encode OR explicitly encode:
@Html.Encode(Model.Comments)
Or ensure data is sanitized before saving to DB. Defense in depth wins every time.
3. Insecure Cookie & Authentication Settings
Veracode Finding:
Sensitive Data Stored in Insecure Cookie
Real Scenario:
Authentication cookies not marked secure in production.
Fix in Startup / Program.cs:
services.ConfigureApplicationCookie(options =>
{
    // Not readable from client-side script, which limits what an XSS payload can steal.
    options.Cookie.HttpOnly = true;
    // Only ever sent over HTTPS, even if the app is also reachable over plain HTTP.
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // Not sent on cross-site requests, which blunts CSRF against the session.
    options.Cookie.SameSite = SameSiteMode.Strict;
});
This single fix often clears multiple Veracode findings at once.
What's the conclusion?
Veracode isn’t “blocking your build” -> it’s training your codebase.
-> Avoid string-based SQL; use an ORM or parameterized queries.
-> Trust Razor’s encoding (but verify)
-> Lock down cookies & authentication
-> Think like an attacker, code like a defender
Security isn’t a phase. It’s a habit.