Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
Security Updates, News, and Resources
By Don Kiely
One of the nice things about being a Microsoft MVP with the Visual Developer - Security competency is that I get exposed to a lot of cool and scary security information and updates. There have been a lot of things come my way in the last month that will be of interest to anyone concerned about Web application and general security, so I m going to use this column to clear my desk of important stuff that doesn t yet justify a whole column.
ASP.NET and Shared Hosting
ASP.NET was practically designed for creating Web apps that can peacefully and safely co-exist on shared servers. Version 1.x of the .NET Framework made it possible and version 2.0 made it almost easy, but providing a secure environment still takes some work and diligence by the hosting company. Kevin Kenny on his blog (http://blog.zygonia.net/PermaLink,guid,7e068a80-e08b-44a9-83b0-efe7e4223ba1.aspx) recently told the story of some scary things he found on his shared host: He could read web.config and other files with almost no restriction!
He makes one minor error in the blog entry, saying that using an OLE DB .NET provider requires full trust. It doesn t, but it does require the deadly UnmanagedCode permission that lets code call COM objects and other code outside the safe CLR environment. Any code that has this permission may as well have full trust.
Security Training and other Resources
Microsoft s Brian Goldfarb recently blogged with a list of great security resources for ASP.NET developers (http://blogs.msdn.com/bgold/archive/2006/02/27/540264.aspx). Most importantly he points to some security training modules published by Microsoft s Channel 9 folks (http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules). The only module up as I write this is for Input and Data Validation, but the list looks interesting.
The Web Application Security Engineering Index link (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WebAppSecurityEngIndex.asp) is a collection of some of the first material that will no doubt increase as security issues become increasingly important. As a Civil Engineer by education, I m convinced that software security is an area that is ripe for treatment with a disciplined engineering approach. Not the loose kind of software engineering practiced all too often these days, but the discipline developed in the engineering profession for hundreds of years.
A great place to start for a security code review is what Brian calls the security Cheat Sheet, the Patterns and Practices Group s Security Question List: ASP.NET 2.0 (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGQuestionList0001.asp).
Threat Modeling Torpedo
This item will only be of interest to you if you re into threat modeling or if you ve heard mention of it enough times to be curious about what it s all about. Microsoft recently released beta 2 of version 2.0 of its Microsoft Threat Analysis & Modeling, code named ACE Torpedo. This interesting tool helps you take a systematic look at the security problems in an application of any type that you re developing. It isn t for the faint of heart or threat modeling novices, but with a little learning and a detail-oriented demeanor you may end up with much more secure applications. You can download it (http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en) or simply Google Microsoft Threat Analysis & Modeling to find it if the link happens to go bad.
I still haven t decided whether the tool will really help make applications more secure or if it will just help you look like you are more secure, but it s cool nonetheless.
Aaron Margosis Is Blogging Again!
Microsoft s own least privilege guru is blogging again! (http://blogs.msdn.com/aaron_margosis/default.aspx) This is one of the best blogs around on running Windows using a Least-privilege User Account (LUA), as it s called in Vista. Aaron has written some nice utilities to help run and survive as a non-administrative account, and he has a clear way of explaining how to accomplish things and how to develop more secure apps. His ongoing series Fixing LUA Bugs is mandatory reading. He s currently working on a tool for eradicating LUA bugs, called LUA BugLight. I ve seen him do a demo, and it will be a sweet security tool when it s done.
Code Room Hits Las Vegas
It s mildly cheesy, but fun nonetheless. The Code Room is an MSDN TV feature, and their most recent episode dramatizes a somewhat-real-world hacking binge on a Las Vegas casino and the Security A Team that rides to the rescue (http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060223CodeRoom3/manifest.xml).
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
