5 Reviews
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Does the job,
This review is from: Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) (Paperback)
I needed to get Kerberos authentication working between a web service on one IIS server, a Windows service on another server, and SQL Server running on a third server, and was running into the Windows NT authentication "double hop" problem. I struggled for days reading various web sources trying to make heads or tails of how to do it, with no success, until I found it using the "Look Inside" feature here on Amazon. This tells you how to do it, point by point, in surprisingly clear writing.
I immediately bought the book and have been grinding my way through it ever since. It's about security so it's not that fun (who wouldn't rather be learning about Ajax, SilverLight, or anything else that will wow the people at work) but it's surprisingly palatable for developers like me (and most developers I've ever met) who think of security issues as the equivalent of cod liver oil.
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Excellent book for learning the security related aspects of ASP.NET 2.0,
By PC (Seattle, WA)
This review is from: Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) (Paperback)
I am an ASP.NET newbie and found this book very helpful in understanding authentication, authorization, role-based security, input validation, etc. I am a desktop developer and found the web development model difficult to understand initially, but this book cleared up my mind in the security-related parts. The book is written in a very clear and concise manner and uses diagrams to explain concepts, which I found very helpful. There is practical advice sprinkled all over the book along with the "why" of it.
In short, this is a very well written book which improved my asp.net knowledge and skills considerably. Highly recommended.
3 of 4 people found the following review helpful:
5.0 out of 5 stars
Highly Recommended,
By Miggety (Los Angeles, CA)
This review is from: Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) (Paperback)
I really wish I could give this book 6 stars; it has been an indispensable resource for learning techniques to develop more secure applications. With so many dangers lurking out there it is increasingly important not only to be able to develop secure applications but to understand the .NET security mechanisms as well. This book will leave no questions unanswered; if for no other reason, purchase this book for chapter 8 on partial trust. I have not come across any resource that covered this topic so thoroughly. Its treatment of sandboxing and code partitioning alone makes the book worth every penny paid. If you're looking to continually improve the quality of your code and sites, don't leave this book off your list.
5.0 out of 5 stars
Security , Security, Security!!!,
By Gilbert M. Vanegas "Computer Programmer Analyst" (San Bernardino, CA United States)
This review is from: Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) (Paperback)
Book review - "Developing More Secure Microsoft ASP.NET 2.0 Applications", by Dominick Baier.
ISBN-13: 978-0-7356-2331-6

Hi all, my name is Gilbert and I have been a professional programmer / programmer analyst for about 22 years now. I was interested in reading this book because of its topic, which is how to develop more secure asp.net 2.0 web applications. In my experience, security has traditionally been
* More complex than most programming topics to understand and effectively implement in a real-life production environment.
* Easily "pushed aside" in favor of other topics such as user interface work, performance tuning your application, fixing bugs, adding new features, etc.
In reality, security should be the MOST important area to deal with in your application infrastructure, because without a good security model your data can be hacked into or your website content could be replaced with malicious messages, political messages or just about anything. Let's face it though, security is a very dry topic and it's hard to stay focused sometimes on all the various security issues that need to be dealt with in an asp.net 2.0 web application. The only advice I can give is, like any complex topic, you need to force yourself to understand the topics at hand so you can make good security infrastructure decisions when building your asp.net 2.0 web applications.

So, I started to read the book cover to cover. The first chapter was a good overall perspective on what web application security is and some solid security principles to live by. Chapter 2 gave an overview of asp.net 2.0, especially in the area of HTTP handlers. The author likes the use of custom HTTP modules, which basically can intercept and add additional functionality to HTTP requests. This area is ideal (according to the author) for building security infrastructure. Chapter 3 enforces the idea of input validation and how malicious users can try to exploit website input (such as on a webform). Developers must properly validate input to minimize problems that can occur with hacking techniques such as cross-site scripting.

Chapter 4 deals with one of my favorite security-related topics, and that is ENCRYPTION. Encryption is fascinating to me because it allows open architectures such as SOAP (web services) and WCF (using basicHTTPBINDINGS) to build a type of authentication system using encrypted tickets and SSL (Secure Sockets Layer). For example, you may build a client application that "talks" to a SOA (service oriented architecture enabled service) hosted on your internet site. You will need to authenticate your client application to your SOA architecture. Most likely, you will end up using encryption and SSL to pass username / password credentials from your client application to your SOA architecture. Now, even if you were only a standard asp.net website with no client applications but just browser sessions connecting to your website, you will still want to use SSL and you will still most likely store your passwords in your database using encryption; it just makes sense to do so. There is some good information about the Windows Data Protection API and also how asp.net has some built-in APIs to protect sensitive configuration data (as in web.config files).

Chapters 5 and 6 were easily the most interesting chapters for me, because they deal with how to authenticate and authorize users of your website. This is indeed a common problem that most web applications that have customer accounts, memberships, etc. have to solve. Authentication in the asp.net 2.0 world would most likely involve some type of logon page (user ID and password). Authorization in the asp.net 2.0 world would most likely involve some type of role management which dictates what a user of your web application can do. For example, the admin role would be allowed to update product prices, the customer role would only be able to view your products and buy your products, the bronze member would only be able to use certain services in your website, while the gold member could use advanced services in your website. The topic of authorization goes hand in hand with authentication. The author gives some basics of the types of authentication available in the .NET Framework world. In addition, he explores concepts of delegation, impersonation and security contexts and X.509 certificates.

Chapter 6 expands upon chapter 5 and explores the built-in "security providers of asp.net 2.0". Basically asp.net 2.0 has built-in "membership" providers and "role providers" that were designed with the knowledge that most asp.net 2.0 web applications require authorization and authentication. So, the idea of the asp.net membership and role providers was to provide a working infrastructure that could easily be implemented in a website and is mostly configurable either programmatically or with the use of configuration settings (integrated into the ubiquitous web.config file present in all asp.net web applications). In the past (as in classic ASP web pages or CGI applications), developers would have to basically write their own authentication and authorization systems; some of these were very crude and not particularly effective in terms of security. Credit must be given to the developers at Microsoft for building a robust "out of the box" way to provide authentication and authorization to asp.net web applications. In addition, I like the fact that Microsoft actually has a "provider architecture" in which custom code could "extend" the membership and role providers to build a custom model exactly suited to your environment. By customizing your own security provider, you can make use of a lot of already provided functionality and just add the extra pieces you really need, while still making it compatible with the security provider APIs provided in the Microsoft .NET Framework.

Chapter 7 now goes on to the "auditing side" of security; this basically is saying that security staff have to be able to audit the types of activity related to security. For example, someone could be trying to hack into the website while generating a lot of HTTP 401 Unauthorized errors. By identifying a trend in these errors, security admins could understand and proactively take action against hackers. One technique which I already knew about is that by capturing the Application_Error or Page_Error event you can write a simple SMTP email that emails admins when any unhandled exceptions occur. An unhandled exception is basically a runtime error without a try/catch block or a runtime error that has been rethrown. So, any weird issues with your website would generate a runtime error that can automatically get "caught" by your programming code and send an email to certain admins of the website. This is very powerful, because again you can be proactive when dealing with website security issues or other issues.

The rest of the book deals with
* CAS security (basically controlling, at a more granular level, what types of code your asp.net service account (usually Network Service) can run on the web server).
* "Hardening" your server to prevent security attacks.
* Unit testing applications for security applications and various tools to help you look for security vulnerabilities.
The appendix also has an interesting take on building a custom protected configuration provider, which allows one to store encryption keys in an external location away from the web server. I like this because I can think of some scenarios where I would like to store my encryption keys somewhere else, like on a mainframe at my work, so that it's not too tied to one particular web server. I plan on looking at this code in more detail and possibly using it at my work.

CONCLUSION: I like this book because it gives lots of detail on a very complex topic. It forces you to think from a security perspective, which is something all developers need from time to time. I still do not consider myself by any stretch of the imagination to be a security expert; in fact I will probably have to reread some of the chapters periodically to give myself a refresh of the material and the motivation to be more security conscious. This book is a valuable addition to any developer's bookshelf.
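The review above describes two of the book's themes, custom HTTP modules as the place to hang security infrastructure and auditing of unhandled exceptions and repeated HTTP 401 responses. The module below is an added example written for this page, not code from the book or its author. It hooks the ASP.NET pipeline's Error and EndRequest events, logs unhandled exceptions server-side without echoing them to the client, and counts 401 responses per client address so that a burst of failed authentication attempts can be flagged. The threshold, the five-minute window, the process-local counter store, and the web.config registration in the trailing comment are all assumptions for illustration. One caveat a practitioner should know: with Windows authentication the very first request in a Negotiate/NTLM handshake is itself answered with a 401 challenge, so the example only counts 401s on requests that actually carried an Authorization header, which are real failures rather than the normal challenge.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Web;

// Added example: an IHttpModule that audits security-relevant pipeline events.
// Not code from the book; threshold, window and storage are illustrative assumptions.
public class SecurityAuditModule : IHttpModule
{
    // Assumed policy: more than 10 real 401s from one client within 5 minutes is suspicious.
    private const int FailureThreshold = 10;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);

    // Process-local counters keyed by client address. A web farm would need a shared
    // store (database, cache) so that every node sees the same picture.
    private static readonly ConcurrentDictionary<string, FailureRecord> Failures =
        new ConcurrentDictionary<string, FailureRecord>(StringComparer.Ordinal);

    private sealed class FailureRecord
    {
        public DateTime WindowStart;
        public int Count;
    }

    public void Init(HttpApplication app)
    {
        app.Error += OnError;          // unhandled exceptions anywhere in the pipeline
        app.EndRequest += OnEndRequest; // final status code is known here
    }

    public void Dispose() { }

    private static void OnError(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        Exception ex = app.Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page errors in HttpUnhandledException; unwrap to the root cause.
        Exception root = ex.GetBaseException();

        // Record server-side only. Never write ex.ToString() into the response:
        // stack traces, file paths and connection strings are useful to an attacker.
        Trace.TraceError("Unhandled {0} for {1} {2} from {3}: {4}",
            root.GetType().Name, app.Request.HttpMethod, app.Request.RawUrl,
            app.Request.UserHostAddress, root.Message);
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (app.Response.StatusCode != 401) return;

        // A 401 on a request with no Authorization header is just the initial
        // challenge of Negotiate/NTLM/Basic; only count attempts that actually failed.
        if (string.IsNullOrEmpty(app.Request.Headers["Authorization"])) return;

        string client = app.Request.UserHostAddress ?? "unknown";
        int seen = RecordFailure(client, DateTime.UtcNow);
        if (seen == FailureThreshold + 1)
        {
            // Fires once per window when the threshold is crossed, not on every request.
            Trace.TraceWarning("Client {0} exceeded {1} failed authentications in {2} minutes",
                client, FailureThreshold, Window.TotalMinutes);
        }
    }

    // Returns how many failures this client has produced in the current window.
    // Kept public and pipeline-free so it can be exercised from a unit test.
    public static int RecordFailure(string client, DateTime nowUtc)
    {
        FailureRecord rec = Failures.GetOrAdd(client,
            _ => new FailureRecord { WindowStart = nowUtc, Count = 0 });
        lock (rec)
        {
            if (nowUtc - rec.WindowStart > Window)
            {
                rec.WindowStart = nowUtc; // start a fresh window
                rec.Count = 0;
            }
            rec.Count++;
            return rec.Count;
        }
    }
}

/* Assumed registration for the IIS 7 integrated pipeline, in web.config:
<system.webServer>
  <modules>
    <add name="SecurityAudit" type="SecurityAuditModule" />
  </modules>
</system.webServer>
*/
```

Routing both events through System.Diagnostics.Trace lets the deployment decide where the records go (event log, file, or a listener that emails admins, as the review mentions) without changing the module; the threshold alert deliberately fires once per window so that an attacker cannot turn the alerting itself into a mail flood.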
4 of 16 people found the following review helpful:
5.0 out of 5 stars
Complete Guide to ASP.NET 2.0 Security,
This review is from: Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) (Paperback)
This is a book by an MS Developer Security MVP for any and all developers writing ASP.NET 2.0 applications. Not only does it cover all the usual suspects and provide practical, prescriptive guidance on how to deal with them, with examples; it also deals with the tough "hot topics" like partial trust. The book is complete in both breadth and depth and really does provide a single good reference book on ASP.NET security.
I cannot recommend it with more gusto. Confession: I helped write the tools chapter, which is why I know (and yes, I am a fellow MS Developer Security MVP)!
Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro-Developer) by Dominick Baier (Paperback - October 25, 2006)