
Security


A Practical Approach to Threat Modeling. Security is a hot topic these days. It is as if developers and system designers are fighting a never-ending war against those who desire to damage hardware, compromise system availability, steal data, and tarnish hard-earned client trust. And as if malicious threats weren't enough, we must also protect ourselves from unintentional damage inflicted by accidental removal or modification of data. The scope of this effort ranges from entire enterprise networks and the Internet itself down to a specific line of code that may handle the formatting of a string.

For the benefit of this article, the entirety of this scope will be described as a "system." Some tactics can be employed to secure a system without much analysis, such as implementing a firewall on the network, implementing logins to restrict system access, employing role-based security to control which aspects of the system a user can access, and encrypting sensitive data such as social security numbers.

CLR Inside Out: Using Strong Name Signatures. Mike Downen. Strong name signatures (and signing in general) are a key facet of Microsoft® .NET Framework security.

But regardless of how well designed .NET signatures may be, they won’t offer the maximum benefit if you don’t know how to use them properly. This installment of CLR Inside Out talks about strong names, strong name signatures, and how to use them.

A Short Refresher. Digital signatures are used to verify the integrity of data being passed from the originator (the signer) to a recipient (the verifier). In some cases, when some additional infrastructure is in place, digital signatures can also be used to reliably learn the name of the signer, and to ensure some chunk of data (a message, some code, or so on) has not been modified after the signer created the signature for the data. Various mechanisms are used to implement digital signatures.

Article sections: Strong-Name Signing; Why Use Strong Names?; What Strong Names Can’t Do; Working with Strong Names.

Exploring the .NET Framework 4 Security Model.

Bonnie.NET Standard Edition - .NET Framework Cryptographic API.

Building a Single Sign On Provider Using ASP.NET and WCF: Part 4. This is the fourth and final article in a four part series on building a single sign on (SSO) provider using the ASP.NET platform. Make sure to check out part 1, part 2 and part 3. Source Code. Implementing a Single Signon Provider. This is all a rehash since I've covered each point in detail to this point, but I'd like to tie everything together at this point and provide the source code.

When an unauthenticated client requests a secured resource from the application, that client is redirected to an authentication page.

Service Implementation. We're using the FormsAuthentication API within WCF to manage identity. The excerpt preserves only the skeleton of the service class; the bodies of the try and catch blocks are not part of the excerpt:

```csharp
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class SSOService : ISSOService, ISSOPartnerService
{
    #region ISSOService Members

    public SSOToken RequestToken()
    {
        // Start from a denied token; only flip it to SUCCESS once issuance succeeds
        SSOToken token = new SSOToken { Token = string.Empty, Status = "DENIED" };
        try
        {
            // ... token issuance (elided in the excerpt)
            token.Status = "SUCCESS";
        }
        catch
        {
            // ... (elided in the excerpt)
        }
        return token;
    }

    #endregion
}
```

Steve Sanderson’s blog » Blog Archive » Prevent Cross-Site Reque. Cross-site scripting (XSS) is widely regarded as the number one security issue on the web. But since XSS gets all the limelight, few developers pay much attention to another form of attack that’s equally destructive and potentially far easier to exploit.

Your application can be vulnerable to cross-site request forgery (CSRF) attacks not because you the developer did something wrong (as in, failing to encode outputs leads to XSS), but simply because of how the whole Web is designed to work. Scary!

How CSRF works. So, what’s it all about? Consider a controller that updates the logged-in user's profile from a posted form:

```csharp
public class UserProfileController : Controller
{
    public ViewResult Edit()
    {
        return View();
    }

    public ViewResult SubmitUpdate()
    {
        // Get the user's existing profile data (implementation omitted)
        ProfileData profile = GetLoggedInUserProfile();

        // Update the user object
        profile.EmailAddress = Request.Form["email"];
        profile.FavoriteHobby = Request.Form["hobby"];
        SaveUserProfile(profile);

        ViewData["message"] = "Your profile was updated";
        return View();
    }
}
```

This is all very normal.

ASP.Net MVC Membership Starter Kit - Home.

Developer Highway Code.

Patterns & practices Improving Web Services Security Guide.

Altairis Identity Toolkit - Release: 1.0.0.

Using SQL Trusted Connections with ASP.NET. Hard coding passwords into your application or your web site is a bad thing. Microsoft SQL has the ability to use "trusted connections" to authenticate your database connection against your login name, so no passwords are ever sent to SQL Server, just your login name and an authentication token. But once you come to use this feature in ASP.NET you run into problems, because of how ASP.NET works and the user it runs as. In a default configuration ASP.NET runs as (or rather, in the context of) the ASPNET user on the local machine. If your SQL Server is on the same machine as your ASP.NET pages then trusted connections are easy: simply grant access and appropriate permissions to the ASPNET user within SQL and change your connection string to use Integrated Security=SSPI or Trusted_Connection=true, depending on your connection string style.

The problem arises when your SQL Server and your IIS/ASP.NET server are on separate machines, which is a typical setup.

Impersonation. <system.web> ...

Web Services Security Checklist. I am a big fan of checklists in any relatively complex system that has to be delivered under a time crunch; in the case of, say, Web Services, the checklist can save your bacon. If you hired me to work on your project I would use this Web Services Security Checklist to verify standards, mechanisms, and implementation throughout the SDL. My partner Pat Christiansen likes to say that architecture artifacts are for communication as much as for engineering. A checklist is a simple artifact that helps ensure consistency throughout architecture, threat modeling, security design requirements, and building the security implementation. It is easily understood. The Web Services Security Checklist I use has a list of security architecture concerns, and those are then mapped across each interaction point so you can specify the Service Requester and Service Provider responsibilities at each point in the system.

Microsoft's Patterns and Practices WCF Security Scenarios.