This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.
Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack. Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures. If you do not know your threats, how can you secure your system?
The guide addresses security across the three physical tiers. It covers the Web server, remote application server and database server. At each tier, security is addressed at the network layer, host layer, and application layer. Figure 1 also shows the configuration categories that the guide uses to organize the various security configuration settings that apply to the host and network, and the application vulnerability categories, used to structure application security considerations.
The guide is divided into five parts. The aim is to provide a logical partitioning, which will help you to more easily digest the content.
Part I, Introduction to Threats and Countermeasures
This part identifies and illustrates the various threats facing the network, host, and application layers. By using the threat modeling process, you can identify the threats that are relevant to your application. This sets the stage for identifying effective countermeasures. This part includes:
This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.
Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack. Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures. If you do not know your threats, how can you secure your system?
The guide addresses security across the three physical tiers. It covers the Web server, remote application server and database server. At each tier, security is addressed at the network layer, host layer, and application layer. Figure 1 also shows the configuration categories that the guide uses to organize the various security configuration settings that apply to the host and network, and the application vulnerability categories, used to structure application security considerations.
The guide is divided into five parts. The aim is to provide a logical partitioning, which will help you to more easily digest the content.
Part I, Introduction to Threats and Countermeasures
This part identifies and illustrates the various threats facing the network, host, and application layers. By using the threat modeling process, you can identify the threats that are relevant to your application. This sets the stage for identifying effective countermeasures. This part includes:
- Foreword by Mark Curphey
- Foreword by Joel Scambray
- Foreword by Erik Olson
- Foreword by Michael Howard
- Introduction
- Solutions at a Glance
- Fast track
- Chapter 1, Web Application Security Fundamentals
- Chapter 2, Threats and Countermeasures
- Chapter 3, Threat Modeling
Part II, Designing Secure Web Applications
This part provides the guidance you need to design your Web applications securely. Even if you have an existing application, you should review this section and then revisit the concepts, principles, and techniques that you used during your application design. This part includes:
- Chapter 4, Design Guidelines for Secure Web Applications
- Chapter 5, Architecture and Design Review
Part III, Building Secure Web Applications
This part helps you to apply the secure design practices and principles covered in the previous part to create a solid and secure implementation. You'll learn defensive coding techniques that make your code and application resilient to attack. Chapter 6 presents an overview of the .NET Framework security landscape so that you are aware of the numerous defensive options and tools that are at your disposal. Part III includes:
This part helps you to apply the secure design practices and principles covered in the previous part to create a solid and secure implementation. You'll learn defensive coding techniques that make your code and application resilient to attack. Chapter 6 presents an overview of the .NET Framework security landscape so that you are aware of the numerous defensive options and tools that are at your disposal. Part III includes:
- Chapter 6, .NET Security Fundamentals
- Chapter 7, Building Secure Assemblies
- Chapter 8, Code Access Security in Practice
- Chapter 9, Using Code Access Security with ASP.NET
- Chapter 10, Building Secure ASP.NET Pages and Controls
- Chapter 11, Building Secure Serviced Components
- Chapter 12, Building Secure Web Services
- Chapter 13, Building Secure Remoted Components
- Chapter 14, Building Secure Data Access
Part IV, Securing Your Network, Host and Application
This part shows you how to apply security configuration settings to secure the interrelated network, host, and application levels. Rather than applying security randomly, you'll learn the reasons for the security recommendations. Part IV includes:
This part shows you how to apply security configuration settings to secure the interrelated network, host, and application levels. Rather than applying security randomly, you'll learn the reasons for the security recommendations. Part IV includes:
- Chapter 15, Securing Your Network
- Chapter 16, Securing Your Web Server
- Chapter 17, Securing Your Application Server
- Chapter 18, Securing Your Database Server
- Chapter 19, Securing Your ASP.NET Application and Web Services
- Chapter 20, Hosting Multiple ASP.NET Applications
Part V: Assessing Your Security
This part provides you with the tools you need to evaluate the success of your security efforts. It shows you how to evaluate your code and design and also how to review your deployed application, to identify potential vulnerabilities:
This part provides you with the tools you need to evaluate the success of your security efforts. It shows you how to evaluate your code and design and also how to review your deployed application, to identify potential vulnerabilities:
- Chapter 21, Code Review
- Chapter 22, Deployment Review
Checklists
This section contains printable, task-based checklists, which are printable quick-reference sheets to help you turn information into action. This section includes the following checklists:
This section contains printable, task-based checklists, which are printable quick-reference sheets to help you turn information into action. This section includes the following checklists:
- Checklist: Architecture and Design Review
- Checklist: Security Review for Managed Code
- Checklist: Securing ASP.NET
- Checklist: Securing Enterprise Services
- Checklist: Securing Web Services
- Checklist: Securing Remoting
- Checklist: Securing Data Access
- Checklist: Securing Your Network
- Checklist: Securing Your Web Server
- Checklist: Securing Your Database Server
