Advanced ASP.NET Core 3 Security

Scott Norberg is a web security specialist currently based in the Seattle, Washington area. He has more than 10 years of experience successfully delivering software products in a wide range of roles. As a security consultant, he has experience with many testing tools and techniques, including Dynamic (DAST) and Static (SAST) testing, as well as manual testing and reviewing source code. Along with the many websites he has designed and built with various versions of ASP.NET, he has performed security assessments for many more. While his language of choice is C#, he has also built websites, components, and other tools in F#, VB.NET, Python, R, Java, and Pascal. He holds several certifications, including Microsoft Certified Technology Specialist (MCTS) certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) certification. He also has an MBA from Indiana University.

Chapter 1 - Introducing ASP.NET Core



This chapter covers much of what makes each version of ASP.NET Core, Razor Pages and MVC, different from its predecessors, ASP.NET Web Forms and ASP.NET MVC. It will focus on areas that you will need to know about in creating a secure website, such as knowing how to set up services properly and how to replace them as needed, while deemphasizing areas that you may need to know about but don't have specific security concerns.



Chapter 2 - General Security Concepts



This chapter covers concepts that full-time security professionals worry about that don't get covered in most programming courses or textbooks but are important to know for excellent application development security. I will start by describing what security is (beyond just stopping hackers) so we have a baseline for discussions, move into concepts that will help you design more secure software, then end with a general discussion about stopping hackers.



Chapter 3 - Cryptography



Cryptography is an extremely important concept in building secure systems but is not covered in depth in most programming textbooks and courses. At least in my experience, that results in an uneven knowledge of how to properly apply cryptography in software. You will learn about the differences between symmetric and asymmetric cryptography, what hashing is and where it's useful, and finally how to securely store the keys necessary to keep your data secure.



Chapter 4 - Web Security Concepts



After discussing security in general, it will be time to cover security-related topics specific to web. Most of the topics in this chapter should look familiar to you as a web developer, but the goal is to dive deeper into each topic than is needed to program most websites in order to better understand where your website might be vulnerable.



Chapter 5 - Understanding Common Attacks



The idea behind this chapter is to show you most of the common types of attacks to which ASP.NET Core websites can be vulnerable. It will not only cover the most basic forms of each attack that occur in other textbooks but also show you more advanced versions that real hackers use to get around common defenses.



Chapters 6-8 cover topics that are specific to ASP.NET Core. Any discussion of implementing exist best practices is here, as well as most discussion of extending the framework to meet advanced security needs.



Chapter 6 - Validating User Input



Perhaps the biggest challenge to keeping websites secure is that the vast majority of websites must accept user input in some way. Validating that input in a way that allows all legitimate traffic but blocks malicious traffic is more difficult than it seems. Removing apostrophes can help stop many types of SQL injection attacks, but then adding the business name "Joe's Deli" becomes impossible. Preventing XSS is much harder if you need to display HTML content that incorporates user input. This chapter will cover ways in which you can (more) safely accept and process user input in your ASP.NET Core website.



Chapter 7 - Data Access



The solution to solving security issues around data access - using parameterized queries for every call to the database - has been well-established for well over a decade now. Yet these issues still crop up in the wild, even in the author's experience on ASP.NET Core-based sites. What parameterized queries are, why they're so important, and how the ASP.NET Core framework uses them by default are covered in this chapter.



Also covered are non-SQL data sources, such as NoSQL databases and file-based stores.



Chapter 8 - Authentication and Authorization



This is the aspect of security that seems to be the best-documented in ASP.NET Core materials. This is for good reason - knowing who is accessing your site and keeping them from accessing the wrong places is vital to your security. However, it is the author's opinion that the built-in username and password tracking in a default ASP.NET Core site is easily the most insecure part of the default site. Stealing user credentials on an ASP.NET Core website with a reasonable number of users is trivial. This chapter will cover the issues with even a well-implemented solution and how to fix them.



The remaining chapters cover additional topics that, in the author's opinion, every developer needs to know about security in order to be considered knowledgeable about the topic.



Chapter 9 - Logging



Many readers will be tempted to skip this chapter because logging is one of the least exciting topics here. It also may be one of the most important in detecting (and therefore stopping) potential criminals. Logging is much improved in ASP.NET Core over previous versions, but unfortunately that logging framework is built for finding programming problems, not finding potentially malicious activity. This chapter is about how logging works in ASP.NET Core, where its weaknesses are, and how to build something better.



Chapter 10 - Setup and Configuration



With the introduction of Kestrel, an intermediate layer in-between the web server and the web framework, more of the responsibility for keeping the website secure on a server level falls into the developers sphere of responsibility. Even if you're a developer in a larger shop with another team that is responsible for configuring web servers, you should be aware of most of the content in this chapter.



Chapter 11 - Secure Application Lifecycle Management



Building software then trying to secure it afterwards almost never works. Building secure software requires that you incorporate security into every phase of your process, from planning to development to testing to deployment to support. If you're relatively new to mature security, though, starting such processes might be daunting. This chapter covers tools and concepts that help you verify that your website is reasonably secure and helps you keep it that way.