Security: a many pronged word
Security. This word has many meanings, depending on how you look at things. For some people security means that others should
not be able to see the data you are sending or storing. For others it means making sure you know who is using
your system and determining what actions they can perform with it. Sometimes it means ensuring the data cannot be changed
in transit. Here we will look at all the different meanings of security and discuss 10 rules you should always adhere to.
- Security testing is different
- Applying STRIDE
- The Ten Immutable Laws of Security
So how do you keep prying eyes from your data? Encrypting data ensures that only the intended receiver of the data can understand
it. So how does this work? We will look at symmetric keys versus asymmetric ones. We will also look at the most used encryption
algorithms, what role certificates play, and describe how TLS and HTTPS work.
- What is Encryption?
- Understanding symmetric keys
- And what about asymmetric keys
- Hybrid encryption
- Properly store passwords with hashing and salt
- What are digital signatures?
- Certificates, SSL, TLS and HTTPS
OWASP web security headers
OWASP defined a couple of special security headers which allow you some control over what the browser will do with your
content. In this chapter we will discuss two of these headers.
- Understanding HTTP headers and their role in security
- Setting headers in IIS and ASP.NET Core
- HTTP Strict Transport Security header
- HSTS options
- HTTP Public Key Pinning
- Understanding TOFU and how to mitigate
Understanding Claims-Based Security
So what will you allow your user to do? This most likely depends on the role the user has in your organisation. This role
is now represented with claims. In this chapter you will get a better understanding of why claims are better than roles,
and how claims are transmitted in a secure way.
- Representing the user
- Introducing claims-based security
- Understanding tokens and their representation on the net
- Using Claims in .NET
Modern web authentication and authorization
In the modern web we all want to share stuff. But how do you safely allow one web site to access resources from another web
site? OAuth2 is the current standard way in which you can implement this. Authentication is hard, so better left to the
experts. With OpenID Connect you can delegate authentication to an identity provider (such as Facebook, Azure AD, Identity
Server). OAuth and OpenID Connect are protocols that are not that easy to understand. Until the end of this chapter...
- The Internet and a way of sharing
- Introducing OAuth 2
- OpenID Connect: Adding sign-in to OAuth2
- OAuth fundamentals: Authorization Code Grant, Implicit Grant and Client Credentials Grant
- Implementing OpenID Connect web sign-in
- Implementing Hybrid Flow
- A deeper understanding of Hybrid Flow
Protecting a Web-API with OAuth2
Modern web sites and mobile apps consume REST services. You can use OAuth with OpenID Connect to authenticate users, after
which you can use claims to authorize resources stored in a web API.
- Protecting a Web API's resources
- Adding permissions to the server side
- Requesting permissions at the client side
- Using the Active Directory Authentication Library (ADAL)
- ADAL Session management
- User consent
Web site security threats and defences
To better protect yourself against attacks, you should first learn what kind of attacks are common.
Once you understand these attacks we can look at defending against them.
- OWASP - Top 10 security issues
- Injection - Never trust user input!
- Broken authentication
- Sensitive data exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-site scripting (XSS)
- Insecure Deserialization
- Using components with known vulnerabilities
- Insufficient Logging & Monitoring
- Extra: Cross-Site Request Forgery (CSRF)
Security best practices
How can I make my application more secure? Start by applying security best practices!
Simply applying these security best practices will prevent many common exploits.
- Never trust input
- Always properly encode output
- Apply good access control
- Run with least privilege
- Securely store (or better yet - not) secrets
- Don't tell the hacker anything
- Allow long password/passphrases
- Default to secure configuration
- Generate good random numbers
Cyber security is becoming an increasingly important topic for organizations. The quantity and importance of data entrusted
to web applications is growing, and defenders need to learn how to secure them. Imagine your organization making the
news, not because of some new world-changing product, but because of a data leak containing all your customers' data,
including personal information and credit card data! As a modern web developer, you cannot afford not to master these skills!
This course takes you through the different security threats and defenses and teaches you hands-on how to apply them to
ASP.NET MVC and ASP.NET Web API. Among other things, you learn how to authenticate with OpenID Connect and Azure AD, protect
your API with OAuth2 and secure your company data with proper encryption techniques. This course provides in-depth, hands-on
experience securing your web-based applications.
This course is meant for developers who have experience with ASP.NET MVC and want to make the world a safer place through
applied security best practices.