OWASP · jmanico · Mar 6, 2024 · Mar 4, 2024 · Mar 6, 2024 · Mar 6, 2024
diff --git a/cheatsheets/DotNet_Security_Cheat_Sheet.md b/cheatsheets/DotNet_Security_Cheat_Sheet.md
@@ -794,6 +794,12 @@ DO NOT: Send unsigned or unencrypted serialized objects over the network
 DO: Perform integrity checks or validate digital signatures on serialized
 objects received from the network
 
+DO NOT: Use the BinaryFormatter type which is dangerous and [not recommended](https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide) for data processing.
+.NET offers several in-box serializers that can handle untrusted data safely:
+- XmlSerializer and DataContractSerializer to serialize object graphs into and from XML. Do not confuse DataContractSerializer with NetDataContractSerializer.
+- BinaryReader and BinaryWriter for XML and JSON.
+- The System.Text.Json APIs to serialize object graphs into JSON.
+
 ### A09 Security Logging and Monitoring Failures
 
 DO: Ensure all login, access control, and server-side input validation failures are logged with sufficient user context to identify suspicious or malicious accounts.