ASP.NET Security

http://www.intertech.com/Courses/Course.aspx?CourseID=99304
This slide deck is from an Intertech (http://www.Intertech.com) presentation on ASP.NET Security.

    ASP.NET Security: Presentation Transcript

    • Slide 1: ASP.NET Security - Microsoft Best Practices. Dave Schueck, Intertech Partner. An Intertech Presentation. Copyright © Intertech, Inc. 2006. All Rights Reserved.
    • Slide 2: Before we get started
      - Please help keep background noise down.
      - Please use *6 to mute your line.
      - If you have a question, use *6 to un-mute.
      - Please DO NOT use the HOLD button (to avoid us all listening to elevator music).
      - If you have to take another call or step away, please disconnect and join again when you are able.
      - Feel free to send text questions, and we will queue them for response.
      Copyright © Intertech, Inc. 2006 • www.Intertech.com • 800-866-9884
    • Slide 3: Scope
      - The topic of security is rather extensive and impacts everything from network design, Web servers, SQL Servers, and the application code base itself.
      - This presentation is a high-level introduction to selected topics related to security best practices.
      - This presentation is primarily focused on ASP.NET application code and Web server security.
    • Slide 4: Overview
      - Microsoft Threat Modeling
      - Microsoft checklists and best practices
      - Encrypting configuration sections for securing database connections
      - Coding for security (SQL injection, Cross-Site Scripting (XSS))
      - Web.config settings for release mode
      - ASP.NET authentication
      - ASP.NET authorization
      - Software tools (AppScan, FxCop/Code Analysis)
    • Slide 5: Threat Modeling
      What is Threat Modeling?
      - Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures in the context of your application scenario. The threat modeling activity helps you to:
        - Identify your security objectives.
        - Identify relevant threats.
        - Identify relevant vulnerabilities and countermeasures.
      Why use Threat Modeling?
      - Use threat modeling to:
        - Shape your application design to meet your security objectives.
        - Help make trade-offs during key engineering decisions.
        - Reduce the risk of security issues arising during development and operations.
    • Slide 6: Threat Modeling: Terms
      - Asset. An asset is a resource of value. It varies by perspective. To your business, an asset might be the availability of information, or the information itself, such as customer data. It might be intangible, such as your company's reputation. To an attacker, an asset could be the ability to misuse your application for unauthorized access to data or privileged operations.
      - Threat. A threat is an undesired event. A potential occurrence, often best described as an effect that might damage or compromise an asset or objective. It may or may not be malicious in nature.
      - Vulnerability. A vulnerability is a weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabilities can exist at the network, host, or application levels and include operational practices.
      - Attack (or exploit). An attack is an action taken that utilizes one or more vulnerabilities to realize a threat. This could be someone following through on a threat or exploiting a vulnerability.
      - Countermeasure. Countermeasures address vulnerabilities to reduce the probability of attacks or the impacts of threats. They do not directly address threats; instead, they address the factors that define the threats. Countermeasures range from improving application design, or improving your code, to improving an operational practice.
    • Slide 7: Threat Modeling: Steps
      - Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
      - Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
      - Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
      - Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
      - Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.
    • Slide 8: Threat Modeling: Security Frame
      - The "Security Frame" defines a set of vulnerability categories for Web applications. These categories are areas where mistakes are most often made.
      Category: Description
      - Input and Data Validation: How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
      - Authentication: Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
      - Authorization: What can you do? Authorization is how your application provides access controls for resources and operations.
      - Configuration Management: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
    • Slide 9: Threat Modeling: Security Frame (continued)
      - Sensitive Data: How does your application handle sensitive data?
      - Session Management: How does your application handle and protect user sessions?
      - Cryptography: How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)?
      - Parameter Manipulation: How does your application manipulate parameter values? Form fields, query string arguments, and cookie values are frequently used as parameters for an application.
    • Slide 10: Threat Modeling: Security Frame (continued)
      - Exception Management: When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
      - Auditing and Logging: Who did what and when? Auditing and logging refer to how your application records security-related events.
      - To get started, Microsoft provides a cheat sheet to help identify threats and vulnerabilities.
    • Slide 11: Best Practices
      - What are best practices?
      - http://msdn.microsoft.com/practices/
      - Microsoft patterns & practices are Microsoft's recommendations for how to design, develop, deploy, and operate architecturally sound applications for the Microsoft application platform.
    • Slide 12: Best Practices
      There are four types of patterns & practices:
      - Software Factories
        - Structured collection of related software assets that helps architects and developers create specific types of applications.
        - Can be used as is or customized/extended to address the unique needs of a project team or an organization.
        - 3 types currently: Mobile Client Software Factory, Smart Client Software Factory, Web Service Software Factory.
      - Guides
        - Consist of written guidance, either online or printed, which provides a detailed understanding of technical problem domains and engineering practices.
        - Topics include patterns, application architecture, integration, performance, and security.
    • Slide 13: Best Practices
      There are four types of patterns & practices (continued):
      - Reference Implementations
        - Executable sample applications that demonstrate patterns & practices guidance in action.
        - Can be used to learn how other guidance deliverables are applied, or to copy code or concepts into your applications.
        - Topics include application integration and interoperability using Web services.
      - Application Blocks
        - Application Blocks are reusable source-code components that provide proven solutions to common development challenges.
        - Can be used as is or customized/extended to address the unique needs of a project team or an organization.
        - Enterprise Library for .NET Framework 2.0: caching, cryptography, data access, exception handling, logging, and security.
    • Slide 14: Best Practices
      - .NET Security Guide: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/anch_netsecurity.asp
    • Slide 15: Best Practices: Security Guide
      - Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
        - Authentication (to identify the clients of your application)
        - Authorization (to provide access controls for those clients)
        - Secure communication (to ensure that messages remain private and are not altered by unauthorized parties)
    • Slide 16: Best Practices: Security Guide
      - Describes the many techniques, technologies, and products in the Microsoft family, and how to fine-tune each for optimal security.
    • Slide 17: Best Practices
      - Security Checklists: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_Index_Of.asp
    • Slide 18: Best Practices (no text content on this slide)
    • Slide 19: Encrypting Connection Strings
      - 2 options:
        - Windows Data Protection application programming interface (DPAPI) for applications deployed on a single server.
          - Machine-level and user-level stores for key storage.
        - RSA Protected for applications deployed on a web farm.
          - RSA keys are easily exported and imported from server to server.
      - Use the Aspnet_regiis.exe tool for both options to encrypt sections of your configuration files.
    • Slide 20: Encrypting Connection Strings
      - The DPAPI configuration provider and the RSA Protected configuration provider use a 3-step process:
        - Step 1. Identify the configuration sections to be encrypted.
        - Step 2. Choose machine-level or user-level key containers.
          - Machine-level key container when your app runs on its own dedicated server with no other applications, or if you have multiple apps on the same server and want those to share sensitive info and the same key.
          - User-level key container when your app runs in a shared hosting environment and you want to make sure that your application's sensitive data is not accessible to other applications on the server.
        - Step 3. Encrypt your configuration file data.
      - Plus one more optional step for RSA Protected:
        - Step 4. Export/import RSA keys for the web farm.
    • Slide 21: Encrypting Connection Strings
      - How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
        - http://msdn.microsoft.com/library/default.asp?url=/library/e
      - How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
        - http://msdn.microsoft.com/library/default.asp?url=/library/e
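      The three steps on slide 20 can also be run from code through the System.Configuration API, which is what Aspnet_regiis.exe does under the covers. The following is an added example and not part of the Intertech deck or the Microsoft How-Tos; the application path "/" and the connection string name "pubs" are assumptions, and the two provider names are the ones ASP.NET 2.0 registers in machine.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not from the Intertech deck: steps 1-3 from slide 20 done in
// code. Protects the <connectionStrings> section with either the DPAPI or the
// RSA provider that ASP.NET 2.0 registers in machine.config.
public static class ConfigProtection
{
    // Slide 19: DPAPI for a single server, RSA for a web farm.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Step 1 is the section name passed to GetSection. Step 2 (machine- vs
    // user-level key container) is an attribute of the provider entry
    // (useMachineProtection for DPAPI, useMachineContainer for RSA), so it is
    // chosen in configuration, not here. Step 3 is the ProtectSection call.
    // Returns true when the file was rewritten, false when already protected.
    public static bool ProtectConnectionStrings(string appPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InvalidOperationException("Web.config has no <connectionStrings> section.");

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;   // write the section even if its values did not change
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // The reverse operation, for key rotation or before moving the file to a
    // server that does not hold the key.
    public static bool UnprotectConnectionStrings(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code is unchanged: ASP.NET decrypts the section when it is
    // read, so the ciphertext stored in Web.config is never visible here.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("No connection string named " + name);
        return settings.ConnectionString;
    }

    // Typical use from an admin-only page or a console tool run on the web
    // server; the calling identity needs write access to Web.config.
    public static void ProtectPubsWithRsa()
    {
        ProtectConnectionStrings("/", RsaProvider);   // "/" and "pubs" are assumed names
        Console.WriteLine(GetConnectionString("pubs").Length > 0 ? "decrypted on read" : "empty");
    }
}
```

      ProtectConnectionStrings("/MyApp", RsaProvider) is equivalent to running aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "RsaProtectedConfigurationProvider". Step 4 (web farm) is done with the tool rather than this API: create an exportable container once with aspnet_regiis -pc "MyFarmKey" -exp, export it with aspnet_regiis -px "MyFarmKey" keys.xml -pri, import it on every other node with aspnet_regiis -pi "MyFarmKey" keys.xml, grant the worker-process account read access with aspnet_regiis -pa "MyFarmKey" "NT AUTHORITY\NETWORK SERVICE", and register a provider entry under <configProtectedData> with keyContainerName="MyFarmKey". "MyFarmKey" is a placeholder name. A DPAPI-protected file cannot be moved between servers at all, since the machine-level key never leaves the box; that is the reason slide 19 pairs DPAPI with single-server deployments.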
    • Slide 22: Coding for security
      - Code example for Cross-site Scripting; otherwise referred to as XSS or CSS.
      - Code example for SQL injection.
      - Validating input on the client/server to prevent scripting and SQL injection attacks.
    • Slide 23: Coding for security
      - What is Cross-site Scripting?
        - Cross-site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched. Note that although cross-site scripting is also sometimes abbreviated "CSS" or "XSS", it has nothing to do with the Cascading Style Sheets technology that is more commonly called CSS.
      - Insert script code into a page through a field or fields on the form (or the query string) that will execute on the web page when it is rendered.
    • Slide 24: Coding for security
      - I will illustrate a simple XSS exploit using the JavaScript alert method.
      - The example code below will be inserted into a text box or comment field on a web page.
      - Use your imagination to think of ways this could be used for more malicious purposes.
        <script>alert('Hello I am XSS!');</script>
    • Slide 25: Coding for security
      - Example pages; enter normal text with expected result.
    • Slide 26: Coding for security
      - Example pages; enter script text with expected result?
    • Slide 27: Coding for security
      - What is SQL Injection?
        - SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of variables embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
    • Slide 28: Coding for security
      - Simple SQL injection example; what happens when we enter ' ; DROP DATABASE pubs -- in the SSN field.
      Authors.asp:
        <form action="GetAuthors.aspx" method="post">
        SSN: <input type="text" name="txtSSN"><br>
        <input type="submit">
        </form>
      GetAuthors.aspx:
        // Use dynamic SQL (deliberately vulnerable: the raw form value is concatenated into the statement)
        string SSN = Request.Form["txtSSN"].ToString();
        SqlDataAdapter myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN + "'", myConnection);
        // execute code…
    • Slide 29: Coding for security
      - The intent here is to create a SELECT statement that will return the author name where au_id is equal to the SSN from the input (e.g. '555-44-6666').
      - By inserting our malicious SQL code we are able to use this page to drop the pubs database! (The DROP only succeeds because the application's database login is allowed to drop databases; slide 30's restricted-account rule exists to limit exactly this.)
      Expected query:
        SELECT au_lname, au_fname FROM authors WHERE au_id = '555-44-6666'
      Actual query after our insert:
        SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'
      Note: the -- (double dash) sequence of characters is a SQL comment that tells SQL to ignore the rest of the text. In this case, SQL ignores the closing ' (single quotation mark) character, which would otherwise cause a SQL parser error.
    • Slide 30: Coding for security
      To counter SQL injection attacks, you need to:
      - Validate all input parameters. Check for known good data by validating for type, length, format, and range.
      - Use type-safe SQL parameters for data access. Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code.
        - Parameterized queries
        - Stored procedures (only if the procedure itself does not build dynamic SQL from its arguments)
      - Use an account that has restricted permissions in the database. Ideally, you should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
      - Avoid disclosing database error information. In the event of database errors, make sure you do not disclose detailed error messages to the user.
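      The following is an added example, not code from the Intertech deck: the GetAuthors.aspx lookup from slide 28 rewritten so that all four countermeasures on slide 30 are applied, and extended with a stored-procedure variant and a generic-error path that the slides describe but do not show. The connection string name "pubs" and the stored procedure dbo.GetAuthorByAuId are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the Intertech deck. Assumes a connection string
// named "pubs" in Web.config pointing at the SQL Server sample database and,
// for GetAuthorViaProc, a stored procedure dbo.GetAuthorByAuId that the
// application login has EXECUTE on.
public static class AuthorLookup
{
    // Countermeasure 1: known-good validation. pubs.authors.au_id is an
    // SSN-style value such as 172-32-1176: digits and dashes, exactly 11 chars.
    private static readonly Regex AuIdFormat =
        new Regex(@"^\d{3}-\d{2}-\d{4}$", RegexOptions.Compiled);

    public static bool IsValidAuId(string candidate)
    {
        return candidate != null && AuIdFormat.IsMatch(candidate);
    }

    // The slide-28 pattern, kept only to show what the database receives.
    // With the input "' ; DROP DATABASE pubs --" the returned text is the
    // SELECT followed by a second, attacker-supplied statement.
    public static string BuildUnsafeQuery(string ssn)
    {
        return "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + ssn + "'";
    }

    // Countermeasure 2: a typed, length-limited parameter. The value travels
    // separately from the SQL text, so SQL Server treats it as a literal.
    public static DataTable GetAuthor(string ssn)
    {
        if (!IsValidAuId(ssn))
            throw new ArgumentException("Author id must look like 123-45-6789.", "ssn");

        using (SqlConnection conn = new SqlConnection(ConnectionString()))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id", conn))
        {
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
            return Execute(conn, cmd);
        }
    }

    // Same lookup through a stored procedure. Still parameterized: a procedure
    // that concatenates @au_id into EXEC'd text would reopen the hole.
    public static DataTable GetAuthorViaProc(string ssn)
    {
        if (!IsValidAuId(ssn))
            throw new ArgumentException("Author id must look like 123-45-6789.", "ssn");

        using (SqlConnection conn = new SqlConnection(ConnectionString()))
        using (SqlCommand cmd = new SqlCommand("dbo.GetAuthorByAuId", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
            return Execute(conn, cmd);
        }
    }

    // Countermeasure 4: the page gets a generic message; detail goes to the log.
    public static string SafeLookupMessage(string ssn)
    {
        try
        {
            DataTable rows = GetAuthor(ssn);
            return rows.Rows.Count == 0
                ? "No author found."
                : rows.Rows[0]["au_fname"] + " " + rows.Rows[0]["au_lname"];
        }
        catch (ArgumentException)
        {
            return "Please enter an author id in the form 123-45-6789.";
        }
        catch (SqlException ex)
        {
            // Server-side trace only; never Response.Write(ex.Message).
            System.Diagnostics.Trace.TraceError("Author lookup failed: " + ex);
            return "The lookup could not be completed.";
        }
    }

    // Countermeasure 3 lives in the connection string: the login named there
    // should hold only SELECT on authors (or EXECUTE on the procedure), so
    // even a successful injection cannot DROP anything.
    private static string ConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["pubs"].ConnectionString;
    }

    private static DataTable Execute(SqlConnection conn, SqlCommand cmd)
    {
        DataTable table = new DataTable();
        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }
}
```

      Calling BuildUnsafeQuery("' ; DROP DATABASE pubs --") returns exactly the "actual query" on slide 29, while GetAuthor with the same input never reaches the database: the regular expression rejects it first, and even a value that passed the check would be bound as an 11-character VarChar literal rather than spliced into the statement.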
    • Slide 31: Coding for security
      To counter Cross-Site Scripting (XSS) attacks:
      - Validate all input to your application.
        - You can use JavaScript on the client side, but you also need to validate on the server side as well (just in case the user decides to disable JavaScript in their browser).
      - Use regular expressions to validate input.
      - Set <pages validateRequest="true"/> in the web.config file. (This is the default in ASP.NET 1.1 and 2.0; request validation rejects requests containing obvious HTML markup and is a backstop, not a substitute for encoding what you write back to the page.)
      - Consider using the built-in Validators provided by .NET.
        - Keep in mind, .NET 1.x Validators only run properly on the client side with Internet Explorer; they always run on the server during the postback regardless of browser.
      - Use HttpOnly cookies; see MSDN (http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/http ) and the "Mitigating Cross-site Scripting With HTTP-only Cookies" reference on slide 47.
    • Slide 32: Coding for security (screenshot; visible labels: Message to User, Regular Expression)
    • Slide 33: Coding for security
      - Make sure to check that your form is validated before using input.
      - Use the IsValid flag to verify:
        if (Page.IsValid)
        {
            // Execute your code here!
        }
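      The following is an added example, not code from the Intertech deck: a code-behind for a comment page that applies the slide-31 countermeasures and the slide-33 IsValid check, and also shows the step the slides leave implicit, encoding the value before it is written back to the page. The control names and the markup they assume are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the Intertech deck. Assumed markup in the page
// (hypothetical; the IDs below are the only contract with this class):
//   <asp:TextBox ID="txtComment" runat="server" TextMode="MultiLine" />
//   <asp:RequiredFieldValidator runat="server" ControlToValidate="txtComment"
//        ErrorMessage="A comment is required." />
//   <asp:RegularExpressionValidator runat="server" ControlToValidate="txtComment"
//        ValidationExpression="^[A-Za-z0-9 .,!?'()-]{1,500}$"
//        ErrorMessage="Letters, digits and basic punctuation only, up to 500 characters." />
//   <asp:Button ID="btnPost" runat="server" Text="Post" OnClick="btnPost_Click" />
//   <asp:Literal ID="litEcho" runat="server" />
public partial class CommentPage : Page
{
    protected TextBox txtComment;
    protected Literal litEcho;

    protected void btnPost_Click(object sender, EventArgs e)
    {
        // The button (CausesValidation defaults to true) runs every validator
        // on the server before this handler, so a client with JavaScript off
        // or a hand-built POST is still caught here. Only then is IsValid
        // meaningful (slide 33).
        if (!Page.IsValid)
            return;   // each validator renders its own ErrorMessage

        string comment = txtComment.Text;

        // Output encoding is what actually neutralises the slide-24 payload:
        // <script>alert('Hello I am XSS!');</script> is rendered as text.
        litEcho.Text = EncodeForHtml(comment);

        // HttpOnly keeps the cookie out of document.cookie, so a script that
        // does slip through cannot read it (slide 31). Secure is mirrored
        // from the request so the cookie is not sent over plain HTTP.
        HttpCookie cookie = new HttpCookie("lastPost", DateTime.UtcNow.ToString("u"));
        cookie.HttpOnly = true;
        cookie.Secure = Request.IsSecureConnection;
        Response.Cookies.Add(cookie);
    }

    // Encode for the context the value lands in: element content, an
    // attribute value, or a URL. Using the wrong encoder undoes the fix.
    public static string EncodeForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    public static string EncodeForAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }

    public static string EncodeForUrl(string value)
    {
        return HttpUtility.UrlEncode(value ?? string.Empty);
    }
}
```

      EncodeForHtml("<script>alert('Hello I am XSS!');</script>") yields &lt;script&gt;alert(&#39;Hello I am XSS!&#39;);&lt;/script&gt;, which the browser displays instead of executing. The validator's whitelist pattern is deliberately narrow; for a field that must accept angle brackets or quotes, the whitelist cannot be the defence and the encoding on output has to be.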
    • Slide 34: Web.config settings
      - ViewState MAC
        - Specifies whether ASP.NET should run a message authentication code (MAC) on the page's view state when the page is posted back from the client.
        - The <machineKey> element is used to specify encryption keys, validation keys, and algorithms that are used to protect Forms authentication cookies and page-level view state.
        - Different settings for ASP.NET 1.1 vs. 2.0; see MSDN.
      - Trace mode should be disabled.
      - Debug should be set to false.
    • Slide 35: Web.config settings
      - Example Web.config settings to disable Trace, enable View State MAC, and set Debug mode to false (all three belong under <system.web>):
        <trace enabled="false"/>
        <pages enableViewState="true" enableViewStateMac="true"/>
        <compilation defaultLanguage="c#" debug="false"/>
    • Slide 36: ASP.NET Authentication
      - Authentication is the process of accepting credentials from a user and validating those credentials against a designated authority.
      - The user's (or potentially an application's or computer's) identity is referred to as a security principal.
      - Applications authorize the principal to access resources on the system.
      - ASP.NET supports 3 authentication providers:
        - Forms Authentication
        - Passport Authentication
        - Windows Authentication
      - ASP.NET 2.0: consider using the Membership feature.
    • Slide 37: ASP.NET Authentication
      - Forms Authentication
        - Causes unauthenticated requests to be redirected to a specified HTML form using client-side redirection. The user can then supply logon credentials and post the form back to the server.
        - If authentication is successful, then ASP.NET issues a cookie that contains the credentials or a key for reacquiring the client identity.
        - Uses IIS Anonymous authentication.
    • Slide 38: ASP.NET Authentication
      - Passport Authentication
        - Centralized authentication service provided by Microsoft that offers a single logon facility and membership services for participating sites.
        - ASP.NET, in conjunction with the Passport software development kit (SDK), provides similar functionality as Forms Authentication to Passport users.
        - Uses IIS Anonymous authentication.
    • Slide 39: ASP.NET Authentication
      - Windows Authentication
        - Uses the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity's token to authorize access.
        - Uses 1 of 4 IIS authentication methods:
          - Basic
          - Integrated
          - Digest
          - Certificate Mapping
    • Slide 40: ASP.NET Authorization
      - Authorization is the process of determining whether the proven identity is allowed to access a specific resource.
      - 2 strategies:
        - Role based
          - Access to operations is secured based on the role membership of the caller.
          - Users are mapped to roles.
        - Resource based
          - Individual resources (e.g., files) are secured using Windows Access Control Lists (ACLs).
    • Slide 41: ASP.NET Authorization
      - In the vast majority of .NET Web applications where scalability is essential, a role-based approach to authorization represents the best choice.
      - Common pattern for role-based authorization:
        - Authenticate users within your front-end Web application.
        - Map users to roles.
        - Authorize access to operations based on role membership.
        - Access the necessary back-end resources (e.g., database) by using fixed service identities (e.g., application accounts).
      - ASP.NET 2.0: consider using the Role Manager feature.
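      The following is an added example, not code from the Intertech deck: Forms Authentication as described on slide 37 combined with the four-step role-based pattern on slide 41, using the ASP.NET 1.1/2.0 FormsAuthentication API directly (Membership and Role Manager, which the deck defers, would replace the hand-written parts). The Web.config fragment, the "Editor" role and the credential check that would precede SignIn are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the Intertech deck. Assumed Web.config (hypothetical):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" protection="All" timeout="20" requireSSL="true" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
// protection="All" matters: the roles below ride inside the ticket, so the
// ticket must be both encrypted and MAC'd under the <machineKey> settings.
public static class RoleBasedAuth
{
    // Step 1 (authenticate in the front end): Login.aspx calls this after the
    // credential check (not shown) succeeds. Step 2 (map users to roles): the
    // caller supplies the roles and they are stored in the ticket's UserData.
    public static void SignIn(HttpContext ctx, string userName, string[] roles, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable by script (slide 31)
        cookie.Secure = FormsAuthentication.RequireSSL;  // mirror requireSSL from Web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;

        ctx.Response.Cookies.Add(cookie);
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Global.asax Application_AuthenticateRequest: rebuild the principal with
    // the roles from the ticket, so User.IsInRole and <allow roles="..."/>
    // work on every request without a database round trip.
    public static void AttachPrincipal(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)   // tampered or foreign cookie: treat the request as anonymous
        {
            return;
        }
        if (ticket == null || ticket.Expired)
            return;

        string[] roles = ticket.UserData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Step 3 (authorize operations by role). Step 4 is what this method does
    // not do: the database behind the operation is opened with the
    // application's fixed service identity, never with the user's.
    public static bool CanDeleteAuthor(IPrincipal user)
    {
        return user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole("Editor");   // "Editor" is an assumed role name
    }

    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null)
            ctx.Session.Abandon();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```

      CanDeleteAuthor(new GenericPrincipal(new GenericIdentity("dave"), new string[] { "Reader" })) returns false and the same call with "Editor" returns true, independent of how the principal was built, which is what lets page code and <authorization> rules share one decision. Carrying roles in the ticket is cheap but means a role change takes effect only when the user signs in again; the ASP.NET 2.0 Role Manager the deck points to solves that with a cache that can be invalidated.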
    • Slide 42: Software tools
      - FxCop / VSTS Code Analysis
        - http://www.gotdotnet.com/team/fxcop/
        - http://msdn.microsoft.com/vstudio/teamsystem/products/compare/def
      - AppScan
        - http://www.watchfire.com/securityzone/default.aspx
    • Slide 43: Software tools
      - FxCop tool
        - Checks for security issues.
        - Checks for coding issues related to globalization, portability, and more.
        - Provides guidance on corrective actions.
        - Can implement custom rules or coding standards.
        - "Code Analysis" in Visual Studio Team System.
    • Slide 44: Closing
      Not covered?
      - Code access security
      - ASP.NET 2.0 Membership
      - ASP.NET 2.0 Role Manager
      - Coding best practices
      - Exception handling
      - SQL: best practices for writing stored procedures
      - Firewalls, networking, and securing servers
      - Auditing and logging of security events
      - Social engineering
      - A ton of other things that you will find on the best practices site and in the security checklists available from Microsoft.
    • Slide 45: Closing
      - As stated earlier, this presentation is intended to be an overview of selected topics related to security for ASP.NET applications.
      - Consider taking the security class offered by Intertech and/or the .NET for Architects course for more detailed coverage of these topics and others.
      - Read the articles available on Microsoft's Best Practices site and the MSDN site related to security.
      - Consider using the MS checklists before deploying applications to production.
      - Consider using the Microsoft Threat Model; involve the IS team and business stakeholders early on to identify threats and vulnerabilities.
    • Slide 46: References
      Microsoft References
      - Security Developer Center (http://msdn2.microsoft.com/en-us/security/default.aspx)
      - TechNet Security Center (http://www.microsoft.com/technet/security/default.mspx)
      - patterns & practices: Security (http://msdn.microsoft.com/practices/topics/security/default.aspx)
      - patterns & practices Security How Tos Index (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag )
      - Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0 (http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/)
    • Slide 47: References
      Microsoft References
      - Threat Modeling Web Applications (http://msdn.microsoft.com/practices/topics/security/default.aspx?pull=/library/ )
      - .NET Security (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/htm )
      - Improving Web Application Security: Threats and Countermeasures - Index of Checklists (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/htm )
      - Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (http://msdn2.microsoft.com/en-us/library/aa302415.aspx)
      - Mitigating Cross-site Scripting With HTTP-only Cookies (http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/ove )
    • Slide 48: Questions?
    • Slide 49: Intertech Service Offerings
      - Training
      - Consulting
      - Mentoring
      - Titaniun - Intertech .NET Framework
      Result: Instructors Who Consult | Consultants Who Teach
    • Slide 50: Training Categories
      - .NET
      - Portals
      - Java™
      - Open Source
      - Boot Camps
      - Project Management
      - SQL
      - C++
      - Process, Analysis & Design
    • Slide 51: Contact
      - Public and Private classes available
      - Questions / Inquiries contact: Dan McCabe, 800.866.9884 ext 23, 651.245.1486 mobile, DMcCabe@Intertech.com, www.Intertech.com