Developing More-Secure Microsoft® ASP.NET 2.0 Applications (Pro Developer) 1st Edition

5.0 out of 5 stars (7 ratings)

Build your expertise for developing more-secure applications with ASP.NET 2.0. A leading security expert delivers best practices, pragmatic instruction, and extensive code samples in Microsoft Visual C# to help you develop Web applications that are more robust, more reliable, and more resistant to attack.

Discover how to:

  • Harden a Web server, operating system, communication protocol, and ASP.NET
  • Validate input data with white listing, regular expressions, sandboxing, and other techniques
  • Understand design and security implications of various cryptography approaches
  • Integrate with Microsoft Windows security features such as impersonation, delegation and protocol transition
  • Implement Web farm, single sign-on, and mixed-mode authentication
  • Use provider-based features for user and role management and authentication
  • Trace attacks with error-handling, logging, and instrumentation
  • Lock down your application with partial trust

PLUS—Get code samples on the Web

Editorial Reviews

From the Publisher

Key Book Benefits:

  • Delivers practical, hands-on guidance about Web security and ASP.NET 2.0 development
  • Features best practices from a leading authority and trainer, based on real-world experience
  • Provides extensive code examples in C#

About the Author

Dominick Baier splits his time between being an independent security consultant and an instructor for DevelopMentor, teaching and authoring the ASP.NET and .NET security curriculum. He has a degree in computer science (German Diplom Ingenieur), is a certified BS7799/ISO17799 Lead Auditor, and speaks at various conferences (WinDev, DevWeek, ADC) about application security. When not teaching he spends his time researching security, doing audits and penetration tests, and helping other developers around the world build more secure applications. Dominick maintains a security blog at http://www.leastprivilege.com.

Product details

  • Publisher: Microsoft Press; 1st edition (October 28, 2006)
  • Language: English
  • Paperback: 480 pages
  • ISBN-10: 0735623317
  • ISBN-13: 978-0735623316
  • Item Weight: 2.2 pounds
  • Dimensions: 7.38 x 1.18 x 9 inches


Customer reviews


Top reviews from the United States

Reviewed in the United States on September 24, 2016
Very pleased with the product!
Reviewed in the United States on November 22, 2008
I needed to get Kerberos authentication working between a web service on one IIS server, a Windows service on another server, and SQL Server running on a third server, and was running into the Windows NT authentication "double hop" problem. I struggled for days reading various web sources trying to make heads or tails of how to do it with no success until I found it here using the "Look Inside" feature on Amazon. This tells you how to do it, point by point, in surprisingly clear writing.

I immediately bought the book and have been grinding my way through it ever since. It's about security so it's not that fun (who wouldn't rather be learning about Ajax, SilverLight, or anything else that will wow the people at work) but it's surprisingly palatable for developers like me (and most developers I've ever met) who think of security issues as the equivalent of cod liver oil.
One person found this helpful
Reviewed in the United States on September 6, 2007
I really wish I could give this book 6 stars; it has been an indispensable resource for learning techniques to develop more secure applications. With so many dangers lurking out there it is increasingly important to not only be able to develop secure applications but to understand the .NET security mechanisms as well. This book will leave no questions unanswered; if for no other reason, purchase this book for chapter 8 on partial trust. I have not come across any resource that covered this topic so thoroughly. Its treatment of sandboxing and code partitioning alone makes the book worth every penny paid. If you're looking to continually improve the quality of your code and sites, don't leave this book off your list.
3 people found this helpful
Reviewed in the United States on March 18, 2008
I am an ASP.NET newbie and found this book very helpful in understanding authentication, authorization, role-based security, input validation, etc. I am a desktop developer and found the web development model difficult to understand initially, but this book cleared up my mind in the security-related parts. The book is written in a very clear and concise manner and uses diagrams to explain concepts, which I found very helpful. There is practical advice sprinkled all over the book along with the "why" of it.
In short, this is a very well written book which improved my asp.net knowledge and skills considerably. Highly recommended.
One person found this helpful
Reviewed in the United States on October 4, 2006
This is a book by an MS Developer Security MVP for any and all developers writing ASP.NET 2.0 applications. Not only does it cover all the usual suspects and provide practical, prescriptive guidance on how to deal with them with examples; it also deals with the tough "hot topics" like partial trust. The book is both complete in breadth and depth and really does provide a single good reference book on ASP.NET security.

I cannot recommend it with more gusto.

Confession: I helped write the tools chapter, which is why I know (and yes, I am a fellow MS Developer Security MVP)!
4 people found this helpful
Reviewed in the United States on May 8, 2010
Book review - "Developing More Secure Microsoft ASP.NET 2.0 Applications", by Dominick Baier.
ISBN-13: 978-0-7356-2331-6

Hi all, my name is Gilbert and I have been a professional programmer / programmer analyst for about 22 years now.
I was interested in reading this book because of its topic, which is how to develop more secure asp.net 2.0 web applications.
In my experience, security has traditionally been
* More complex than most programming topics to understand and effectively implement in a real life production environment.

* Easily "pushed aside" in favor of other topics such as user interface work, performance tuning your application, fixing bugs, adding new features etc.

In reality, security should be the MOST important area to deal with in your application infrastructure, because without a good security model your data can be hacked into or your website content could be replaced with malicious messages, political messages or just about anything.
Let's face it though, security is a very dry topic and it's hard to stay focused sometimes on all the various security issues that need to be dealt with in an asp.net 2.0 web application.
The only advice I can give is like any complex topic, you need to force yourself to understand the topics on hand so you can make good security infrastructure decisions when building your asp.net 2.0 web applications.
So, I started to read the book cover to cover.
The first chapter was a good overall perspective on what web application security is and some solid security principles to live by.
Chapter 2 gave an overview of asp.net 2.0, especially in the area of http handlers. The author likes the use of custom http modules which basically can intercept and add additional functionality to http requests. This area is ideal (according to the author) for building security infrastructure.
Chapter 3 reinforces the idea of input validation and how malicious users can try to exploit website input (such as on a webform). Developers must properly validate input to minimize problems that can occur with hacking techniques such as cross-site scripting.
Chapter 4 deals with one of my favorite security related topics and that is ENCRYPTION. Encryption is fascinating to me because it allows open architectures such as SOAP (web services) and WCF (using basicHTTPBINDINGS) to build a type of authentication system using encrypted tickets and SSL (secure socket layer). For example, you may build a client application that "talks" to a SOA (service oriented architecture enabled service) hosted on your internet site. You will need to authenticate your client application to your SOA architecture. Most likely, you will end up using encryption and SSL to pass username / password credentials from your client application to your SOA architecture.
Now, even if you were only a standard asp.net website with no client applications but just browser sessions connecting to your website, you will still want to use SSL and you will still most likely store your passwords in your database using encryption; it just makes sense to do so. There is some good information about the Windows Data Protection API and also how asp.net has some built-in APIs to protect sensitive configuration data (as in web.config files).
Chapters 5 and 6 were easily the most interesting chapters for me, because it deals with how to authenticate and authorize users of your website. This is indeed a common problem most web applications that have customer accounts, memberships etc. have to solve.
Authentication in the asp.net 2.0 world would most likely involve some type of logon page (userid and password).
Authorization in the asp.net 2.0 world would most likely involve some type of role management which dictates what a user of your web application can do. For example, the admin role would be allowed to update product prices, the customer role would only be able to view your products and buy your products, the bronze member would only be able to use certain services in your website, while the gold member could use advanced services in your website. The topic of authorization goes hand in hand with authentication.
The author gives some basics of the types of authentication available in the .net framework world.
In addition, he explores concepts of delegation, impersonation and security contexts and x.509 certificates.
Chapter 6 expands upon chapter 5 and explores the built-in "security providers of asp.net 2.0". Basically asp.net 2.0 has built-in "membership" providers and "role providers" that were designed with the knowledge that most asp.net 2.0 web applications require authorization and authentication. So, the idea of the asp.net membership and role providers was to provide a working infrastructure that could easily be implemented in a website and is mostly configurable either programmatically or with the use of configuration settings (integrated into the ubiquitous web.config file present in all asp.net web applications). In the past (as in classic asp web pages or cgi applications), developers would have to basically write their own authentication and authorization systems; some of these were very crude and not particularly effective in terms of security. Credit must be given to the developers at Microsoft for building a robust "out of the box" way to provide authentication and authorization to asp.net web applications. In addition, I like the fact that Microsoft actually has a "provider architecture" in which custom code could "extend" the membership and role providers to build a custom model exactly suited to your environment. By customizing your own security provider, you can make use of a lot of already provided functionality and just add the extra pieces you really need, while still making it compatible with the security provider APIs provided in the Microsoft .NET framework.
Chapter 7 now goes on the "auditing side" of security, this basically is saying that security staff have to be able to audit the types of activity related to security. For example, someone could be trying to hack into the website but while hacking in generating a lot of http 401 unauthorized errors. By identifying a trend in these errors, security admins could understand and proactively take action against hackers. One technique which I already knew about is by capturing the Application_Error or Page_Error event you can write a simple smtp email that emails admins when any unhandled exceptions occur. An unhandled exception is basically a runtime error without a try catch block or a runtime error that has been rethrown. So, any weird issues with your website would generate a runtime error that can automatically get "caught" by your programming code and send an email to certain admins of the website. This is very powerful, because again you can be proactive when dealing with website security issues or other issues.

The rest of the book deals with
* CAS security (basically controlling at a more granular level what types of code your asp.net service account (usually Network Service) can run on the web server).
* "Hardening" your server to prevent security attacks
* Unit testing applications for security applications and various tools to help you look for security vulnerabilities

The appendix also has an interesting take on building a custom protected configuration provider, which allows one to store encryption keys in an external location away from the web server. I like this because I can think of some scenarios where I would like to store my encryption keys somewhere else, like on a mainframe at my work, so that it's not too tied to one particular web server. I plan on looking at this code in more detail and possibly using it at my work.

CONCLUSION:
I like this book because it gives lots of detail on a very complex topic. It forces you to think from a security perspective, which is something all developers need from time to time. I still do not consider myself by any stretch of the imagination to be a security expert; in fact I will probably have to reread some of the chapters periodically to give myself a refresh of the material and the motivation to be more security conscious. This book is a valuable addition to any developer's bookshelf.