Coding, for me, is a lot of fun. Get crazy ideas, make software about them, and enjoy the process of doing so. When I was just a hobbyist this process never considered security too much. As a web developer by profession, though, I have had to start thinking about security.
Enter Beginning ASP.NET Security, by Barry Dorrans – my introduction to security. I do have to admit, I was very intrigued by web robots and hacking (not maliciously) so this was a topic that I had planned to look into. When my boss suggested we needed someone to take security seriously, well, I was more than happy to do so and accept the free book tokens that came with it.
Of the books available, this seemed to be fairly recent, and the only ASP.NET security book that looked like it wasn’t totally devoted to securing web forms apps. Decision made.
Chapters In The Book
Before buying the book, I was concerned that it may be specific to web forms. But after speaking to the author, he assured me that it would be just as applicable to ASP.NET MVC. Whilst there are a number of sections that only have relevance to ASP.NET web forms, it wasn’t a high proportion. If you have the same concern as I did, then ease up, this is definitely applicable to MVC developers too.
As per the title, the target audience is web security beginners. With this in mind, I wasn’t surprised to see the first topic provide rationales for, and examples of why, securing web applications is so important. I was, however, slightly surprised to see that chapter 2 educates on how the web works. I guess it’s a nice touch for beginners. Even those proficient in the workings of HTTP will get shown packet-sniffing tools like Fiddler.
As the book progresses, security threats are revealed one-by-one in the chapter they belong to. The first few are XSS and CSRF; two of the more common threats. Using the information provided, it is fairly easy to discern where your applications are susceptible to these threats, and Barry shows which tools in the .NET framework can be used to protect against them – in the case of preventing CSRF attacks, a custom module is created that you can add to your own applications.
Logging is a topic I found to be interesting, and from a security viewpoint his book has a good discussion about it. It ties in nicely with error handling, and a valuable tip I’ve learnt is to never redirect (Response.Redirect) during error conditions. This tells an attacker he has hit a nerve.
During my studies with the Open University I’ve spent a wedge of time learning about encryption, hashing, certificates etc. Two related benefits of reading this book are that I’ve reinforced that knowledge and learnt how to apply it using the .NET framework. I must admit I had no clue the namespaces existed before reading this book. But now I could encrypt data using symmetric or asymmetric algorithms combined with MACs, IVs and salts.
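As an added illustration of the combination just mentioned, here is a C# example of my own (not code from the book): password-based AES encryption where a random salt feeds the key derivation, a random IV goes in front of the ciphertext, and an HMAC tag covers the whole thing. The class name, layout and the 100,000 PBKDF2 rounds are my own choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the book's code: password-based AES-CBC encryption with a random
// salt and IV, authenticated with HMAC-SHA256 (encrypt-then-MAC).
// Blob layout: salt || iv || ciphertext || tag
public static class SealedBox
{
    const int SaltLen = 16, IvLen = 16, KeyLen = 32, TagLen = 32, Rounds = 100000;
    public static byte[] Seal(string password, byte[] plaintext)
    {
        byte[] salt = new byte[SaltLen], iv = new byte[IvLen], cipher;
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); rng.GetBytes(iv); }  // fresh per message
        var (encKey, macKey) = DeriveKeys(password, salt);
        using (var aes = Aes.Create())                   // CBC with PKCS7 padding by default
        using (var enc = aes.CreateEncryptor(encKey, iv))
            cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        var blob = new byte[SaltLen + IvLen + cipher.Length + TagLen];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltLen);
        Buffer.BlockCopy(iv, 0, blob, SaltLen, IvLen);
        Buffer.BlockCopy(cipher, 0, blob, SaltLen + IvLen, cipher.Length);
        using (var hmac = new HMACSHA256(macKey))        // tag covers everything before it
            Buffer.BlockCopy(hmac.ComputeHash(blob, 0, blob.Length - TagLen), 0, blob, blob.Length - TagLen, TagLen);
        return blob;
    }
    public static byte[] Open(string password, byte[] blob)
    {
        if (blob.Length < SaltLen + IvLen + TagLen) throw new CryptographicException("blob too short");
        byte[] salt = new byte[SaltLen], iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltLen);
        Buffer.BlockCopy(blob, SaltLen, iv, 0, IvLen);
        var (encKey, macKey) = DeriveKeys(password, salt);
        int bodyLen = blob.Length - TagLen, diff = 0;
        using (var hmac = new HMACSHA256(macKey))
        {
            // Check the tag before decrypting anything, comparing every byte (constant time)
            var expected = hmac.ComputeHash(blob, 0, bodyLen);
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        }
        if (diff != 0) throw new CryptographicException("authentication failed");
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(blob, SaltLen + IvLen, bodyLen - SaltLen - IvLen);
    }
    // PBKDF2 (HMAC-SHA1 in this constructor) stretches the password; the salt makes both keys unique per message
    static (byte[] enc, byte[] mac) DeriveKeys(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Rounds))
            return (kdf.GetBytes(KeyLen), kdf.GetBytes(KeyLen));
    }
}
```

A tampered byte anywhere in the blob, or a wrong password, fails at the tag check rather than producing garbage plaintext or a padding error.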
Further down the chapters there are sections dedicated to securing WCF applications, RIA applications – AJAX and Silverlight, securing XML, and securing IIS. Additionally there is a very useful chapter titled Third Party Authentication. If you’ve seen OpenID, Windows Live or some other external online account provider and wanted to use them in your own sites, this book will get you going.
Finally there is a chapter for MVC. It’s the smallest chapter of the book, but from what I know it covers the essentials.
Other Good Features Of The Book
Credit to Barry D and his technical crew, there aren’t too many typos and grammar inaccuracies in the book. Also the sentences seem to flow quite well without any unnecessary big words.
If you want to learn more about security then you will be pleased with the links to other resources contained in the book.
Also, if you like to type along at home to get a feel for what’s going on then you’ll enjoy some of the examples provided.
Do you know what? I think this might be quite a good book. While limited to the topic of security, it covers a broad range of scenarios that you will come across when developing an ASP.NET application – be it web forms or MVC.
With some good examples, links to essential resources, and well explained concepts, I’d happily recommend this to any developers with a lack of real education in web security. I’d also further that by saying it’s an enjoyable read if you have an interest in security.