Security: a many-pronged word
Security. This word has many meanings, depending on how you look at things. For some people,
security means that others should not be able to see the data you are sending or storing. For
others it means making sure you know who is using your system and determining what actions they
can perform with it. Sometimes it means ensuring the data cannot be changed in transit. Here we will
look at all the different meanings of security and discuss ten rules you should always adhere to.
- Security testing is different
- Applying STRIDE
- The Ten Immutable Laws of Security
So how do you keep prying eyes from your data? Encrypting data ensures that only the intended receiver
of the data can understand it. So how does this work? We will look at symmetric keys versus asymmetric ones.
We will also look at the most widely used encryption algorithms, what role certificates play, and describe how TLS
and HTTPS work.
- Symmetric keys
- Asymmetric keys
- Digital Signatures
- TLS and HTTPS
Authentication is about identifying who the user of the system is. In this chapter we look
at the different authentication mechanisms and their application.
- Knock knock... Who's there?
- Windows integrated
- Username and password
- Impersonation and delegation
Once you know who the user is, you can start to enforce rules on who can do what.
These days the main way of implementing authorization is role-based or claims-based.
- Role-based security
- Claims-based security
Modern web authentication and authorization
OAuth and OpenID Connect are protocols that allow authorization to take place between different
parties, but they are not that easy to understand... until the end of this chapter.
- Delegating authentication to Facebook, Twitter, etc.
- Understanding OAuth 2 and OpenID Connect
- OAuth fundamentals: Authorization Code Grant, Implicit Grant and Client Credentials Grant
Using Azure Active Directory to add authorization to your application
Active Directory allows you to log on to the enterprise, but these days people inside the
organization are not necessarily using devices known to your enterprise, such as smartphones.
Azure Active Directory is just the thing for this, as it has OpenID Connect and OAuth built in.
Here we will look at protecting your web site and Web API resources using AAD.
- What is Azure Active Directory?
- Registering your applications
- Using the Active Directory Authentication Library (ADAL)
- Protecting a Web API service with OAuth 2
Web site security threats and defenses
To better protect yourself against attacks, you should first learn what kinds of attacks
are common. Once you understand these attacks, we can look at defending against them.
- OWASP Top 10 security issues
- Injection: never trust user input!
- Broken authentication and session management
- Cross-site scripting (XSS)
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function-level access control
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
Security best practices
How can I make my application more secure? Start by applying security best practices!
Simply applying these best practices will prevent many common exploits.
- Good access control
- Running with least privilege
- Storing (or, better yet, not storing) secrets
- Don't tell the hacker anything
- Allow long passwords/passphrases
- Disable tracing and debugging before deploying ASP.NET apps
- Generating good random numbers
- Understanding canonical representations
Cyber security is becoming an increasingly important topic for organizations.
The quantity and importance of data entrusted to web applications is growing,
and defenders need to learn how to secure them. Imagine your organization making the
news, not because of some new world-changing product, but because of a data leak containing
all your customers' data, including personal information and credit card data!
As a modern web developer, mastering these skills is important because you cannot afford
This course takes you through the different security threats and defenses and teaches you hands-on how to apply them to
ASP.NET MVC and ASP.NET Web API. Among other things, you learn how to authenticate with OpenID Connect and Azure AD, protect
your API with OAuth 2, and secure your company data with proper encryption techniques. This course provides in-depth,
hands-on experience securing your web-based applications.
This course is meant for developers who have experience with ASP.NET MVC and want to make the world a safer place through
applied security best practices.