Thinking About Security
By Don Kiely
Over the last couple of weeks I've worked on a few projects that have again reminded me of something that I've contemplated periodically about ASP.NET security. The first project was a class I taught all last week. It was mostly about Visual Basic 2005 for a group of long-suffering VB6 developers, but we touched on ASP.NET topics, as well. On Friday we brown-bagged lunch and had an open discussion, during which I was able to pontificate about security, both for Windows and Web forms applications. Another project was a book review of Microsoftie Stefan Schackow's excellent Professional ASP.NET 2.0 Security, Membership, and Role Management from Wrox Press. Yet another project was thinking about abstracts on security topics to propose for spring conferences, such as DevConnections in Orlando. I deal with security issues constantly as a moderator of the http://www.asp.net forums since I tend to hang out and moderate in the Security forum, along with some other folks who never cease to amaze me with their creative thinking (and tolerance of users who insist on posting to inappropriate forums!).
I think that when you say "ASP.NET security" to developers it means different things to different people. I tend to think about it in terms of creating a Web site that is resistant to attacks, both known, established attacks, as well as those we don't know about yet. My way of thinking tends to be about how to protect resources from the bad guys and maybe even unintentional goofs by honest users. That's why I monitor lists such as the SANS Internet Security Storm Center, the Open Web Application Security Project's (OWASP) .NET Project, and many others, including security-related blogs. I'll call this the "lockdown mindset," something often thought about only after the Web site has been hacked.
But there is another perspective, fostered by some of the infrastructure features Microsoft put into early versions of ASP.NET and greatly enhanced in version 2.0. These are the features that let you manage access to a Web site, such as membership and role management and support for various kinds of authentication and the associated authorization. I think a lot of developers think about these features alone when they think about security, which means that they aren't thinking about locking down the Web site and protecting resources, but more about giving structured access to the site. I'll call this the "access mindset."
Neither way of thinking is inherently bad; it's just that both are necessary for a real-world Web site. The lockdown mindset focuses on keeping unwanted visitors from getting into the site. The access mindset focuses on letting authorized visitors do what they are allowed to do and no more. It is all too tempting (and I've been tempted as well) to implement a robust membership provider and fall into the delusion that the site is secure. It may be secure against a small number of threats (easy access by unauthorized users through regular access channels) but is far from being a secure site. There are just too many clever attackers out there who will do end runs around the way you might think someone will access the site.
Microsoft has become a major proponent of threat modeling, a formalized way of thinking about how an application or system might be attacked, and thinking through how susceptible it is to various threats. It even has a design tool to help, a cool Threat Modeling Tool that helps categorize and review threats. It always seems like such overkill to do this kind of analysis for small projects until the application is hacked. Then it feels like time well spent.
My message for this month comes from my realization that different people think about security in different ways. But when you're developing a Web site, you can't stop at implementing ASP.NET's cool membership and role management features. There is a whole lot more to building a secure site, and I'll continue exploring those topics in this column.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.