The Definitive Guide to ASP.NET Security
By Don Kiely
I don't know how I missed this for so long, but last week a new ASP.NET security book came to my attention. I'm happy to announce that the book, released late last year, finally fills the void for a definitive guide to writing secure ASP.NET 2.0 applications. The book is Developing More-Secure Microsoft ASP.NET 2.0 Applications, written by my fellow Visual Developer-Security MVP, Dominick Baier. Dominick inherited the security courseware originally developed by Keith Brown at Developmentor, and has taken security education to the next level and into the .NET Framework 2.0 world.
If you care about building secure ASP.NET applications, you need to have a copy of this book: Read it carefully and then have it handy on your shelf near your development workstation. The book can't possibly cover everything you need to know about security in its 400+ pages, but it has plenty of good information, coherent descriptions, and interesting code to help you think correctly about ASP.NET security and how to properly implement ASP.NET security features.
Okay, enough gushing. What is so great about this book? A walk through the table of contents gives you an idea about what you're in for. I like that the first chapter covers the Top 10 Web vulnerability list from the Open Web Application Security Project (OWASP). Last updated in 2004, this is a fine start to thinking about secure Web sites developed in any technology. The list includes things like unvalidated input, cross-site scripting, improper error handling, and insecure application configuration. The rest of the book doesn't exactly follow the list point-by-point to explain how to remove these vulnerabilities from your site. However, by the time you've read the book you'll understand how ASP.NET provides the tools you need to do so.
The second chapter covers the important parts of the architecture of ASP.NET that you need to understand in order to hook into ASP.NET's security features. Most important of all is the discussion of the pipeline that IIS and ASP.NET use to handle requests, including HTTP modules you can use to hook into and customize the pipeline for various security features.
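To make the pipeline hook concrete, here is a small HTTP module of the kind the chapter describes. It is an added example written for this review, not code from the book or from Dominick Baier; the class name, the query-string limit and the choice of headers are assumptions. It subscribes to two HttpApplication events: BeginRequest, where it short-circuits over-long requests before any page handler runs, and PreSendRequestHeaders, where it adds defensive response headers to every response.

```csharp
using System;
using System.Web;

// Hypothetical HTTP module (example code, not from the book).
// Register it in web.config under <system.web> for ASP.NET 2.0 / IIS 6:
//   <httpModules>
//     <add name="RequestHardening" type="RequestHardeningModule" />
//   </httpModules>
public class RequestHardeningModule : IHttpModule
{
    // Constructed limit for the example; tune it to the application.
    private const int MaxQueryStringLength = 2048;

    public void Init(HttpApplication app)
    {
        // Runs first in the pipeline, before authentication and handlers.
        app.BeginRequest += OnBeginRequest;
        // Runs just before headers go on the wire, for every handler.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Url.Query is the raw query string, including the leading '?'.
        if (request.Url.Query.Length > MaxQueryStringLength)
        {
            // Reject and stop the pipeline: no page or handler executes,
            // so oversized input never reaches application code.
            app.Context.Response.StatusCode = 414;
            app.Context.Response.StatusDescription = "Request-URI Too Long";
            app.CompleteRequest();
        }
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Context.Response;
        // Browser-side mitigations that apply to every page in the site,
        // without touching individual pages.
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.AppendHeader("X-Frame-Options", "DENY");
    }

    public void Dispose()
    {
        // Nothing to release; event handlers die with the application.
    }
}
```

Because the module is registered once in web.config, the checks and headers apply uniformly to every request and response in the application, which is exactly the property that makes pipeline modules attractive for security features: a developer cannot forget to apply them on one page.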
The rest of the book covers the important elements of secure ASP.NET applications. The conceptual descriptions are clear and interesting, with lots of good code examples when appropriate. Here is where the book shows a weak side: some of the techniques described and demonstrated are decidedly not for ASP.NET novices, probing as they do some of the more advanced features of Web development that aren't needed by all applications. So if you're relatively new to ASP.NET, don't let yourself get bogged down in these advanced discussions. Read them lightly, absorb the overall concepts, and then come back to study them in detail when you encounter a situation where they come in handy for securing your site.
In particular, the Authentication and Authorization chapter is long and goes way deeper into custom techniques than most Web developers will need for most applications. But it is great knowing that you can break out of the standard ASP.NET patterns when you need to, without risking new vulnerabilities. Don't let this part of the book cause you to give up on security because it seems too hard or complex.
The best chapter in the book is Partial Trust ASP.NET. This is a technique that far too few ASP.NET developers use, yet it is a simple way to protect your application and Web server from many of the worst and most common attacks. The chapter doesn't stop at describing how to create a custom trust level. It goes way deeper, into partitioning code and creating custom permissions. This should be required reading for all ASP.NET developers.
The tenth and last chapter breaks away from the mold of the rest of the book. Written by some folks from Foundstone, a unit of McAfee that helps companies respond to security demands, it covers a bunch of useful Web security and analysis tools. For example, if you've never played with Microsoft's Fiddler you should download a copy and see the kind of information it provides about Web requests. Each tool gets way too little detail in the book, but at least you have a resource you can turn to when working on specific problems.
I've read the book from cover to cover, and it is now one of my very few must-have .NET development books. I highly recommend it.
Developing More-Secure Microsoft ASP.NET 2.0 Applications
By Dominick Baier
Microsoft Press, ISBN 0-7356-2331-7
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.