Advanced ASP.NET Core 3 Security
Apress (Publisher)
978-1-4842-6013-5 (ISBN)
- Title will unfortunately not be published
Incorporate best practices with ASP.NET Core security. This book includes security-related features available in the framework, and security topics rarely covered elsewhere. It digs deep into the ASP.NET Core 3.1 source code, explaining how something works (or how to fix a problem).
The ASP.NET Core framework does a good job of preventing certain types of attacks from happening, but there are many non-trivial projects that invariably require developers to think outside the box. For those, there is very little guidance on how to safely venture beyond the simple use cases. Worse, there is a lot of bad advice online on how to implement functionality, ranging from unsafely encrypting with hard-coded parameters that should be generated at runtime, to articles that advocate solutions vulnerable to obvious injection attacks.
This book aims to train developers to avoid these problems. Unlike the vast majority of security books that are targeted to network administrators, system administrators, or managers, this book is targeted specifically to ASP.NET developers. The book begins by teaching developers how ASP.NET Core works behind the scenes, then talks about how various attacks are performed and how to prevent them. Finally, it dives into the concepts a developer needs to know to do some testing on their own without the help of a security professional.
What You Will Learn
- Discern which attacks are easy to prevent in the framework and which are challenging
- Dig into ASP.NET Core 3.1 source code to understand how the security services work
- Establish a baseline for understanding how to design more secure software
- Properly apply cryptography in software development
- Take a deep dive into web security concepts
- Validate input in a way that allows legitimate traffic but blocks malicious traffic
- Understand parameterized queries and why they are so important to ASP.NET Core
- Fix issues in a well-implemented solution
- Know how logging works and its weaknesses in ASP.NET Core
- Incorporate security in every phase of the software development process
Who This Book Is For
Software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers, and security professionals who work with a development team that uses ASP.NET Core. A basic understanding of web technologies such as HTML, JavaScript, and CSS is assumed, as is knowledge of how to create a website and how to read and write C#. You do not need prior knowledge of security concepts, even those that are often covered in ASP.NET Core documentation.
Scott Norberg is a web security specialist currently based in the Seattle, Washington area. He has more than 10 years of experience successfully delivering software products in a wide range of roles. As a security consultant, he has experience with many testing tools and techniques, including Dynamic (DAST) and Static (SAST) testing, as well as manual testing and reviewing source code. Along with the many websites he has designed and built with various versions of ASP.NET, he has performed security assessments for many more. While his language of choice is C#, he has also built websites, components, and other tools in F#, VB.NET, Python, R, Java, and Pascal. He holds several certifications, including Microsoft Certified Technology Specialist (MCTS) certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) certification. He also has an MBA from Indiana University.
Chapter 1 - Introducing ASP.NET Core
This chapter covers much of what makes each version of ASP.NET Core, Razor Pages and MVC, different from its predecessors, ASP.NET Web Forms and ASP.NET MVC. It will focus on areas that you will need to know about in creating a secure website, such as knowing how to set up services properly and how to replace them as needed, while deemphasizing areas that you may need to know about but don't have specific security concerns.
Chapter 2 - General Security Concepts
This chapter covers concepts that full-time security professionals worry about that don't get covered in most programming courses or textbooks but are important to know for excellent application development security. I will start by describing what security is (beyond just stopping hackers) so we have a baseline for discussions, move into concepts that will help you design more secure software, then end with a general discussion about stopping hackers.
Chapter 3 - Cryptography
Cryptography is an extremely important concept in building secure systems but is not covered in depth in most programming textbooks and courses. At least in my experience, that results in an uneven knowledge of how to properly apply cryptography in software. You will learn about the differences between symmetric and asymmetric cryptography, what hashing is and where it's useful, and finally how to securely store the keys necessary to keep your data secure.
Chapter 4 - Web Security Concepts
After discussing security in general, it will be time to cover security-related topics specific to web. Most of the topics in this chapter should look familiar to you as a web developer, but the goal is to dive deeper into each topic than is needed to program most websites in order to better understand where your website might be vulnerable.
Chapter 5 - Understanding Common Attacks
The idea behind this chapter is to show you most of the common types of attacks to which ASP.NET Core websites can be vulnerable. It will not only cover the most basic forms of each attack that occur in other textbooks but also show you more advanced versions that real hackers use to get around common defenses.
Chapters 6-8 cover topics that are specific to ASP.NET Core. Any discussion of implementing existing best practices is here, as well as most discussion of extending the framework to meet advanced security needs.
Chapter 6 - Validating User Input
Perhaps the biggest challenge to keeping websites secure is that the vast majority of websites must accept user input in some way. Validating that input in a way that allows all legitimate traffic but blocks malicious traffic is more difficult than it seems. Removing apostrophes can help stop many types of SQL injection attacks, but then adding the business name "Joe's Deli" becomes impossible. Preventing XSS is much harder if you need to display HTML content that incorporates user input. This chapter will cover ways in which you can (more) safely accept and process user input in your ASP.NET Core website.
Chapter 7 - Data Access
The solution to security issues around data access - using parameterized queries for every call to the database - has been well established for well over a decade now. Yet these issues still crop up in the wild, even in the author's experience on ASP.NET Core-based sites. What parameterized queries are, why they're so important, and how the ASP.NET Core framework uses them by default are covered in this chapter.
Also covered are non-SQL data sources, such as NoSQL databases and file-based stores.
Chapter 8 - Authentication and Authorization
This is the aspect of security that seems to be the best-documented in ASP.NET Core materials. This is for good reason - knowing who is accessing your site and keeping them from accessing the wrong places is vital to your security. However, it is the author's opinion that the built-in username and password tracking in a default ASP.NET Core site is easily the most insecure part of the default site. Stealing user credentials on an ASP.NET Core website with a reasonable number of users is trivial. This chapter will cover the issues with even a well-implemented solution and how to fix them.
The remaining chapters cover additional topics that, in the author's opinion, every developer needs to know about security in order to be considered knowledgeable about the topic.
Chapter 9 - Logging
Many readers will be tempted to skip this chapter because logging is one of the least exciting topics here. It also may be one of the most important in detecting (and therefore stopping) potential criminals. Logging is much improved in ASP.NET Core over previous versions, but unfortunately that logging framework is built for finding programming problems, not finding potentially malicious activity. This chapter is about how logging works in ASP.NET Core, where its weaknesses are, and how to build something better.
Chapter 10 - Setup and Configuration
With the introduction of Kestrel, an intermediate layer between the web server and the web framework, more of the responsibility for keeping the website secure at the server level falls into the developer's sphere of responsibility. Even if you're a developer in a larger shop with another team that is responsible for configuring web servers, you should be aware of most of the content in this chapter.
Chapter 11 - Secure Application Lifecycle Management
Building software and then trying to secure it afterwards almost never works. Building secure software requires that you incorporate security into every phase of your process, from planning to development to testing to deployment to support. If you're relatively new to mature security practices, though, starting such processes might be daunting. This chapter covers tools and concepts that help you verify that your website is reasonably secure and help you keep it that way.
| Publication date (per publisher) | 12.12.2020 |
|---|---|
| Additional information | 20 Illustrations, black and white; XX, 380 p. 20 illus. |
| Place of publication | Berkley |
| Language | English |
| Dimensions | 178 x 254 mm |
| Subject area | Computer science ► Networks ► Security / Firewall |
| | Mathematics / Computer science ► Computer science ► Software development |
| Keywords | ASP.NET • ASP.NET Core • ASP.NET Security • C# programming • cryptography • Hacking .NET • Microsoft • .NET Security • Secure a website • Secure coding |
| ISBN-10 | 1-4842-6013-9 / 1484260139 |
| ISBN-13 | 978-1-4842-6013-5 / 9781484260135 |
| Condition | New |