Hacking the Code: ASP.NET Web Application Security
Are your Web applications really secure? That's the question this book poses on its front cover. And it's an excellent question to ask, given all the headlines around the globe concerning Web site intrusions, trojans, and worms. Although the .NET platform isn't the only one affected by such unscrupulous attempts of wrongful entry, it's targeted more often because of its popularity and its Microsoft association. Consequently, any ASP.NET Web developer should know that with power comes responsibility. Hacking the Code: ASP.NET Web Application Security educates and illustrates how attacks can occur and how they can be proactively deterred.
Even for less security-conscious developers, this book offers excellent insight into the way ASP.NET manages session state and other frequently leveraged aspects of the technology. It also raises ample concern about how easily certain exploits, such as cross-site scripting attacks, can be used to gain unauthorized access to a Web site's data or even compromise the server's access privileges. The good news is that the author provides readers with ASP.NET code that can replace popular, yet insecure, logic with safer, and often more effective, approaches. Although the code samples, presented in both C# and VB.NET syntax, can be downloaded from the book's Web site, it's only by reading the context of the suggested replacement that the security recommendations sink in.
The book contains 8 chapters and 2 appendixes, ranging from user session management and authentication, to data access and encryption. Topics are presented in cookbook-style format; that is, a requirement such as resetting forgotten passwords is followed by a How To discussion containing the do's and don'ts of the solution. Each chapter concludes with an exceptional summary of the topics covered in the form of a Coding Standards Fast Track checklist. These checklists should be actively referenced throughout the development of any ASP.NET application that intends to enforce even a modicum of security. In fact, the book brings to light many lesser-known security considerations that may even improve a company's own security policies.
Although a bit on the expensive side, the book should be thought of as an insurance investment as long as the author's recommendations are heeded. I would have also preferred to have some discussion on how Intrusion Detection Systems (IDS) could hook into ASP.NET applications to further improve alerts of strange or unauthorized activity. However, IDS is well covered in another Syngress book, Snort 2.1 Intrusion Detection, Second Edition (http://www.syngress.com/catalog/sg_info.cfm?pid=2950). Perhaps Microsoft will address the vulnerabilities described in this book in future ASP.NET releases. But for now, it's up to the developer to ensure that their code follows secure and defensive coding best practices. Hacking the Code: ASP.NET Web Application Security serves as a robust shield in the hostile virtual world of the Internet.
I highly recommend this book to any ASP.NET developer working with sensitive data. Implementing its many recommendations might one day save your company from an embarrassing and potentially costly situation.
Title: Hacking the Code: ASP.NET Web Application Security
Author: Mark Burnett
Publisher: Syngress Publishing
Book Web Site: http://www.syngress.com/catalog/sg_main.cfm?pid=2680
Page Count: 448 pages