How to do it...

  1. Start Visual Studio, click on File | New | Project..., and create a new Visual C# | Web | ASP.NET Web Application with the Web Forms template, say WebApplication.
  2. Install the Puma.Security.Rules analyzers NuGet package (at the time of writing, the latest stable version is 1.0.4). For guidance on how to search for and install an analyzer NuGet package in a project, refer to the recipe, Searching and installing analyzers through the NuGet package manager, in Chapter 2, Consuming Diagnostic Analyzers in .NET Projects.
  3. Select Web.config in the Solution Explorer, change its build action from Content to AdditionalFiles using the Properties window, and save the project. This step matters: Roslyn analyzers can only see files that are passed to the compiler as additional files, so without it the configuration rules below never run.
  4. Open Web.config in the editor and replace the existing system.web XML element with the following XML. You can read more about the system.web XML element at https://msdn.microsoft.com/en-us/library/dayb112d(v=vs.100).aspx. Every setting here is deliberately chosen to be the insecure one so that the analyzer has something to report:
<system.web>
  <compilation debug="false" targetFramework="4.6.2" />
  <customErrors mode="Off" defaultRedirect="/home/error"/>
  <httpRuntime enableHeaderChecking="false" enableVersionHeader="true" />
  <httpCookies requireSSL="false" httpOnlyCookies="false"/>
  <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
  </authentication>
</system.web>
  5. Build the project in Visual Studio or from the command line and verify that you get the following SEC warnings from the Puma scan analyzer (the line numbers in parentheses refer to the full Web.config file, not to the fragment above):
1>CSC : warning SEC0014: Insecure HTTP cookies C:\WebApplication\Web.config(11): <httpCookies requireSSL="false" httpOnlyCookies="false" />
1>CSC : warning SEC0015: Cookies accessible via script. C:\WebApplication\Web.config(11): <httpCookies requireSSL="false" httpOnlyCookies="false" />
1>CSC : warning SEC0003: Forms authentication does not set requireSSL to true. C:\WebApplication\Web.config(14): <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
1>CSC : warning SEC0004: Forms authentication does not set the cookieless attribute to UseCookies. C:\WebApplication\Web.config(14): <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
1>CSC : warning SEC0006: Forms authentication cookie protection attribute is not set to All. C:\WebApplication\Web.config(14): <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
1>CSC : warning SEC0007: Forms authentication timeout value exceeds the policy of 30 minutes. C:\WebApplication\Web.config(14): <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
1>CSC : warning SEC0005: Forms authentication does not set the enableCrossAppRedirects attribute to false. C:\WebApplication\Web.config(14): <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
1>CSC : warning SEC0002: Custom errors are disabled. C:\WebApplication\Web.config(9): <customErrors mode="Off" defaultRedirect="/home/error" />
1>CSC : warning SEC0008: HTTP header checking is disabled. C:\WebApplication\Web.config(10): <httpRuntime enableHeaderChecking="false" enableVersionHeader="true" />
1>CSC : warning SEC0009: The Version HTTP response header is enabled. C:\WebApplication\Web.config(10): <httpRuntime enableHeaderChecking="false" enableVersionHeader="true" />
1>CSC : warning SEC0010: Event validation is disabled. C:\WebApplication\Web.config(12): <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
1>CSC : warning SEC0012: Validate request is disabled. C:\WebApplication\Web.config(12): <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
1>CSC : warning SEC0013: Pages ViewStateEncryptionMode disabled. C:\WebApplication\Web.config(12): <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
1>CSC : warning SEC0011: ViewStateMac is disabled. C:\WebApplication\Web.config(12): <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
  6. Replace the system.web XML element in the Web.config file with the following contents. The changes are: customErrors mode is On, header checking is on and the version header is off, cookies are HTTPS-only and HttpOnly, event validation, ViewState MAC, ViewState encryption and request validation are all enabled, and the forms element gets a 15-minute timeout, no cross-application redirects, protection All, requireSSL and cookieless="UseCookies":
<system.web>
  <compilation debug="false" targetFramework="4.6.2" />
  <customErrors mode="On" defaultRedirect="/home/error"/>
  <httpRuntime enableHeaderChecking="true" enableVersionHeader="false" />
  <httpCookies requireSSL="true" httpOnlyCookies="true"/>
  <pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" validateRequest="true" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="15" enableCrossAppRedirects="false" protection="All" requireSSL="true" cookieless="UseCookies" />
  </authentication>
</system.web>
  7. Build the project again and verify that it compiles without any security warnings. Note that with requireSSL="true" on both httpCookies and forms the site must be served over HTTPS: ASP.NET refuses to issue the forms authentication cookie on a plain HTTP request, so test the hardened configuration against an HTTPS binding, not the default HTTP one.
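The seven steps above rely on the analyzer to tell the insecure and hardened system.web elements apart. The following stand-alone checker, an added example rather than Puma.Security.Rules' own code, applies the same policy to a Web.config document outside of a build, so it can be run in a pipeline or over a fleet of deployed configs. The SEC codes are reused only as labels so its output can be compared with the build log; the messages, the handling of absent attributes (resolved to the ASP.NET defaults) and the two embedded sample configs (the recipe's fragments wrapped in a configuration element) are this example's own.

```python
"""Stand-alone Web.config hardening checker (added example, not Puma's code).

Applies the system.web policy behind the SEC warnings in this recipe. Absent
attributes are resolved to their ASP.NET defaults, which is what a real checker
needs to avoid both false alarms and silent misses (an absent httpCookies
element is insecure; an absent customErrors element is not).
"""
import xml.etree.ElementTree as ET

MAX_FORMS_TIMEOUT_MINUTES = 30  # the policy limit SEC0007 refers to


def _attr(section, element_name, attr, default):
    """Effective value of <system.web>/<element>/@attr, or the ASP.NET default."""
    element = section.find(element_name) if section is not None else None
    return default if element is None else element.get(attr, default)


def _is_true(value):
    return str(value).strip().lower() == "true"


def check_system_web(xml_text):
    """Return a list of (code, message) findings for one Web.config document."""
    root = ET.fromstring(xml_text)
    sw = root if root.tag == "system.web" else root.find("system.web")
    findings = []

    def flag(code, message):
        findings.append((code, message))

    # customErrors defaults to RemoteOnly; only an explicit Off leaks exception details remotely.
    if _attr(sw, "customErrors", "mode", "RemoteOnly").lower() == "off":
        flag("SEC0002", "customErrors mode=Off: exception details reach remote clients")
    # httpRuntime: both attributes default to true, so the version header needs an explicit false.
    if not _is_true(_attr(sw, "httpRuntime", "enableHeaderChecking", "true")):
        flag("SEC0008", "enableHeaderChecking=false: CRLF in response headers is not encoded")
    if _is_true(_attr(sw, "httpRuntime", "enableVersionHeader", "true")):
        flag("SEC0009", "enableVersionHeader is not false: X-AspNet-Version is disclosed")
    # httpCookies: both attributes default to false, so an absent element is a finding.
    if not _is_true(_attr(sw, "httpCookies", "requireSSL", "false")):
        flag("SEC0014", "httpCookies requireSSL is not true: cookies may go over plain HTTP")
    if not _is_true(_attr(sw, "httpCookies", "httpOnlyCookies", "false")):
        flag("SEC0015", "httpCookies httpOnlyCookies is not true: cookies readable from script")
    # pages: MAC, event validation and request validation default to true; encryption to Auto.
    if not _is_true(_attr(sw, "pages", "enableEventValidation", "true")):
        flag("SEC0010", "enableEventValidation=false: unexpected postback values accepted")
    if not _is_true(_attr(sw, "pages", "enableViewStateMac", "true")):
        flag("SEC0011", "enableViewStateMac=false: ViewState can be tampered with")
    if not _is_true(_attr(sw, "pages", "validateRequest", "true")):
        flag("SEC0012", "validateRequest=false: dangerous request input is not rejected")
    if _attr(sw, "pages", "viewStateEncryptionMode", "Auto") != "Always":
        flag("SEC0013", "viewStateEncryptionMode is not Always: ViewState is readable")
    # forms authentication: only relevant when the authentication mode is Forms.
    auth = sw.find("authentication") if sw is not None else None
    if auth is not None and auth.get("mode", "Windows") == "Forms":
        forms = auth.find("forms")

        def get(attr, default):
            return default if forms is None else forms.get(attr, default)

        if not _is_true(get("requireSSL", "false")):
            flag("SEC0003", "forms requireSSL is not true: ticket may go over plain HTTP")
        if get("cookieless", "UseDeviceProfile") != "UseCookies":
            flag("SEC0004", "forms cookieless is not UseCookies: ticket may be carried in the URL")
        if _is_true(get("enableCrossAppRedirects", "false")):
            flag("SEC0005", "forms enableCrossAppRedirects=true: redirect to other apps after login")
        if get("protection", "All") != "All":
            flag("SEC0006", "forms protection is not All: ticket not both encrypted and signed")
        if int(get("timeout", "30")) > MAX_FORMS_TIMEOUT_MINUTES:
            flag("SEC0007", "forms timeout exceeds %d minutes" % MAX_FORMS_TIMEOUT_MINUTES)
    return findings


# Constructed inputs: the recipe's two system.web fragments wrapped in <configuration>.
INSECURE_WEB_CONFIG = """<configuration><system.web>
  <compilation debug="false" targetFramework="4.6.2" />
  <customErrors mode="Off" defaultRedirect="/home/error"/>
  <httpRuntime enableHeaderChecking="false" enableVersionHeader="true" />
  <httpCookies requireSSL="false" httpOnlyCookies="false"/>
  <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Never" validateRequest="false" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="900" enableCrossAppRedirects="true" protection="None" />
  </authentication>
</system.web></configuration>"""

HARDENED_WEB_CONFIG = """<configuration><system.web>
  <compilation debug="false" targetFramework="4.6.2" />
  <customErrors mode="On" defaultRedirect="/home/error"/>
  <httpRuntime enableHeaderChecking="true" enableVersionHeader="false" />
  <httpCookies requireSSL="true" httpOnlyCookies="true"/>
  <pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" validateRequest="true" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="15" enableCrossAppRedirects="false" protection="All" requireSSL="true" cookieless="UseCookies" />
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        found = check_system_web(cfg)
        print("%s: %d finding(s)" % (name, len(found)))
        for code, msg in found:
            print("  %s %s" % (code, msg))
```

Run against the recipe's insecure fragment it reports the same fourteen codes the build log shows, and the hardened fragment comes back clean. The third case worth keeping in mind is an empty system.web: because httpCookies defaults to insecure and viewStateEncryptionMode defaults to Auto, a config that says nothing at all still yields SEC0009, SEC0013, SEC0014 and SEC0015, which is why a checker must reason about defaults rather than only about attributes that are present.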