Friday 24 August 2012

5. Security


In this topic I am going to write about security and how you can build your applications securely.
There is a great deal one can do under the heading of security; here I cover only the topics our applications actually need.

When I say “security” here, I mean two things:
  1. Authentication and Authorization
  2. How you can protect your application from hackers
Most developers lack experience with security models unless they have worked in the banking domain: they have never had to build the security layer themselves, or the applications they built have simply not been attacked yet, so security is not thought about at all.
Technology changes every day, and to protect our applications from hackers we need to follow and implement current security models.

The next question is: where can we find these modern security models?

I suggest that everyone refer to the OWASP (Open Web Application Security Project) website
to learn current security methodologies.

If you don’t have much time, the following URLs give a quick overview of the subject.

A broad range of companies and agencies around the globe use the OWASP Top Ten, including Citibank, IBM, Sun Microsystems, Symantec and many others.

Let’s say we are going to build a greenfield project (one built from scratch). The first things to consider are Authentication and Authorization.

Authentication and Authorization:

What is Authentication?
Authentication is the process of identifying a user and validating the credentials they present. So first we should establish, from the business, who is going to use the application.
The authentication type can then be chosen to suit the business requirements.

What is Authorization?
Authorization is the process of determining whether an authenticated user may access a particular resource. Simply: who can access which resources?

Authorization happens after Authentication.
Authentication and Authorization are two interrelated concepts that form the core of security for .NET applications. ASP.NET’s authentication and authorization are flexible and simple, and can be configured declaratively in web.config or implemented in code. ASP.NET is not a standalone product: it runs inside IIS and is, in effect, a layer on top of it.

So any request that reaches the ASP.NET process has already been authenticated and authorized by IIS. The ASP.NET process is completely unaware of any user that IIS has already denied access to a page. Several security authorities interact when a user requests an ASP.NET page, and you must understand how they work together to fully understand the ASP.NET security model.

The ASP.NET authentication modes are
  1. None (custom)
  2. Windows
  3. Passport
  4. Forms
Best practice for choosing the authentication mode:
  1. If it is a public site with no sensitive information and anyone may access it, you need no authentication: set the mode to None.
  2. If you need to verify users and the users are part of your network, set up Windows authentication. For example, an intranet site available only to domain accounts.
  3. If you need to verify users and the users are not part of your network, set up Forms authentication. For example, an internet site available only to those who have a valid user name and password.
  4. If you would like a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites, use Passport authentication. Note that Passport support in ASP.NET is marked obsolete as of .NET Framework 4, so new projects should not build on it.
The ASP.NET Authorization modes are
  1. URL Authorization
  2. File Authorization
  3. Authorization based on ACLs
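As an added example (this is not code from the original post), here is a web.config fragment that puts Forms authentication and URL authorization together for an ASP.NET 4 site. The login page path Account/Login.aspx, the Admin folder and the Administrators role are assumptions chosen for illustration.

```xml
<!-- web.config (assumed ASP.NET 4 site): Forms authentication plus URL authorization -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the ticket cookie is only ever sent over HTTPS.
           slidingExpiration="false": a fixed 20-minute lifetime, not extended per request.
           protection="All": the ticket is both encrypted and signed. -->
      <forms loginUrl="~/Account/Login.aspx" name=".AUTHCOOKIE"
             timeout="20" requireSSL="true" slidingExpiration="false"
             protection="All" cookieless="UseCookies" />
    </authentication>

    <!-- Default rule for the whole site: "?" means anonymous users, so nobody
         who has not logged in gets past here. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Session and other cookies: not readable from script, HTTPS only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Open up only the login page; "*" means all users, anonymous included. -->
  <location path="Account/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Restrict the Admin folder to one role. Rules are evaluated top to bottom
       and the first match wins, so the allow must precede the deny-all. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things to check after applying this: rules in a `<location>` element are merged ahead of the parent rules, which is why the login page becomes reachable even though the site-wide rule denies anonymous users; and URL authorization only protects requests that pass through the ASP.NET pipeline, so on IIS 6 (or classic mode on IIS 7) static files such as PDFs in the Admin folder are served without ever hitting these rules unless their extensions are mapped to ASP.NET.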
Authentication in IIS:
  1. Anonymous Authentication
  2. Basic Authentication
  3. Digest Authentication
  4. Integrated Windows Authentication
  5. Client Certificate Authentication

Please refer to the picture below from the Microsoft site.
[Figure: Authentication and Authorization in IIS and ASP.NET]

I am not going to cover how to set up the above authentication/authorization modes in practice, as I don’t have much time. I may cover them in later blog posts if I get the time.

Please visit the following URLs to learn more about security.

So far I have talked about Authentication and Authorization; now let’s talk about the other security topic.

How you can protect your application from hackers:
As mentioned at the beginning of this post, please refer to the OWASP (Open Web Application Security Project) website http://www.owasp.org

and

http://msdn.microsoft.com/en-us/library/ff648653.aspx for guidance on protecting your application from hackers.
Also refer to http://msdn.microsoft.com/en-us/library/ff649874 when preparing a security checklist for your development team.

Summary:
  1. Decide which type of Authentication and Authorization your application needs.
  2. Check which permissions are actually required on the web and database servers and remove any that are unnecessary (least privilege).
  3. Use parameterized queries and stored procedures to prevent SQL injection.
  4. Validate input strictly, encode HTML output, and review potentially dangerous HTML tags and attributes to prevent XSS (Cross-Site Scripting).
  5. Use SSL certificates for your application, at least on pages that handle sensitive data, including the login page and every page that carries the session cookie.
  6. Use a single, strong set of authentication and session management controls to prevent Broken Authentication and Session Management.
  7. For direct references to restricted resources, the application must verify that the user is authorized for the exact resource they requested. If they are not, return a proper error message stating that access to this resource is not allowed. This prevents Insecure Direct Object References.
  8. Set up and configure custom error messages.
  9. Send a unique token in a hidden field with every state-changing HTTP request, and verify it on the server, to prevent Cross-Site Request Forgery (CSRF).
  10. Install software patches and updates in a timely manner and apply a proper security configuration.
  11. Disable directory listing for the web server’s virtual directories and set a custom 403 error page.
  12. Set up a custom error page for HTTP error code 404 and set
  13. Put all connection strings in web.config and encrypt that section.
  14. Catch exceptions and show a friendly message to the customer; never let a stack trace reach the browser.
  15. Set <customErrors mode="RemoteOnly" xdt:Transform="Replace">
<error statusCode="404" redirect="404.htm"/>
</customErrors> in the web.config (the xdt:Transform attribute belongs in a transform file such as Web.Release.config, not in web.config itself).
  16. Prepare a security checklist for your team and make sure every item is ticked/implemented before the application goes to production.
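The following C# is an added example written for this post, not code from the original, showing summary items 3, 4, 7 and 9 side by side: a deliberately injectable query next to its parameterized form with an ownership check, output encoding for a WebForms Label, and a per-session anti-CSRF token. The Accounts table, its columns and the session key name are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI.WebControls;

// Assumed schema for the example: Accounts(AccountNumber, OwnerUserName, Balance).
public static class AccountSecurity
{
    // VULNERABLE, kept only for contrast: caller-controlled text is spliced into
    // the SQL statement. An accountNumber of  x' OR '1'='1  returns every row.
    public static DataTable GetAccountUnsafe(SqlConnection conn, string accountNumber)
    {
        string sql = "SELECT AccountNumber, Balance FROM Accounts WHERE AccountNumber = '"
                     + accountNumber + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED (item 3): the value is bound as a typed parameter and can never alter
    // the statement's structure. The WHERE clause also pins the row to the
    // authenticated user (item 7): a guessed account number that belongs to someone
    // else yields no rows, so the page can say "access not allowed" instead of
    // showing another customer's balance.
    public static DataTable GetAccountSafe(SqlConnection conn, string accountNumber,
                                           string ownerUserName)
    {
        const string sql = "SELECT AccountNumber, Balance FROM Accounts " +
                           "WHERE AccountNumber = @acct AND OwnerUserName = @owner";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@acct", SqlDbType.NVarChar, 20).Value = accountNumber;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = ownerUserName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Item 4: encode at the point of output. A Label renders its Text verbatim,
    // so a display name of <script>...</script> would execute unless encoded.
    public static void RenderGreeting(Label target, string displayName)
    {
        target.Text = "Welcome, " + HttpUtility.HtmlEncode(displayName);
    }

    // Item 9: anti-CSRF token. Issue a random per-session token, emit it in a
    // hidden field, and require every state-changing POST to echo it back.
    public static string IssueCsrfToken(HttpSessionState session)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        string token = Convert.ToBase64String(bytes);
        session["CsrfToken"] = token;   // session key name is an assumption
        return token; // render as <input type="hidden" name="__csrf" value="..."/>
    }

    public static bool IsCsrfTokenValid(HttpSessionState session, string submitted)
    {
        var expected = session["CsrfToken"] as string;
        if (expected == null || submitted == null) return false;
        return FixedTimeEquals(expected, submitted);
    }

    // Constant-time comparison, so response timing does not leak the token
    // one character at a time.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call IssueCsrfToken when rendering any form that changes state and IsCsrfTokenValid at the top of the postback handler, rejecting the request before any work is done. For the database calls, prefer GetAccountSafe everywhere and delete GetAccountUnsafe once the contrast has served its purpose; a grep for string concatenation next to SqlCommand is a quick way to find the remaining unsafe call sites.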

Saturday 4 August 2012

1. Coding standards & practices


In this post I am going to explain coding standards and practices.

Coding standards:
Anyone can write “working code”, but it is much harder to write “efficient code”. Writing efficient code takes longer than writing working code, but efficient code is easily readable and maintainable, so we should always try to write it.

However, writing efficient code is hard because, under time pressure and other project factors, we usually focus on just getting the code working.

Can we all sit down with our project team members for an hour to discuss these coding standards and come up with an agreed plan to follow?

Naming Conventions and Standards:

Please use the following three naming conventions.

Pascal case: The first letter of the identifier and the first letter of each subsequent concatenated word are capitalized.
For example: HowToBecomeAnArchitect,
GetAllEmployers

Camel case: The first letter of the identifier is lowercase and the first letter of each subsequent concatenated word is capitalized.
For example: firstName,
lastName

Upper case: All letters in the identifier are capitalized. Use this convention only for identifiers (typically acronyms) of two or fewer letters, such as IO or UI; longer acronyms take Pascal case.
For example: Architect.UML.Usecase
Architect.Designpatterns.Creational.Singleton

The next question is the WWW (When, Where, Why) of the above naming conventions:
  1. Use Pascal case for class names, method names, properties, namespaces and so on, but not for variables and parameters.
  2. Use camel case for all parameters and local variables.
  3. Use upper case only for short acronyms inside such names (the UML segment of a namespace, for instance); namespaces themselves follow Pascal case.
Here is an example showing the use of the above notations.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace Architect.Ready.Set.Go
{
    class StartUp
    {
        static void Main(string[] args)
        {
            Console.WriteLine(GetHowToBecomeAnArchitectBlogURL());
            Console.WriteLine(IsAnArchitect("Adam"));
            Console.ReadKey();
        }

        private static string GetHowToBecomeAnArchitectBlogURL()
        {
            return "http://tobecomeanarchitect.wordpress.com";
        }

        private static bool IsAnArchitect(string firstName)
        {
            // Implement the code here
            return true;
        }
    }
}
Other coding standards to follow:
  1. Use meaningful names for variables. For example: address, firstName, lastName, amount
  2. Prefix interfaces with ‘I’. For example: IPostPaid, IBusinessAccount, IPersonalInsurance
  3. Name namespaces using the pattern <Company Name>.<Product Name>.<Top Level Module>.<Bottom Level Module>. For example, if you work for Amazon and the product is cloud services, the namespace should look like Amazon.CloudServices.Hosting.ClientServices
  4. As a rule of thumb, a method should contain 1-20 lines. If it grows beyond 20 lines, split it into two methods.
  5. Use named constants instead of hard-coded values. For example: public const decimal INTEREST_RATE = 6.245m; (note the m suffix: without it the literal is a double and the line does not compile)
  6. Use an enum for a group of related constants. For example:
enum AccountType
{
    Prepaid,
    PostPaid,
    AsYouGo,
    Flexi
}
7. Use comments in the code wherever necessary.
8. Use #region to mark a block of code. For example:
#region Calculation definition
public class Calculation
{
    // method implementation
}
#endregion
9. Use a positive connotation for Boolean names and phrase them as a question. For example: IsRegisteredForInternetBanking, IsAccountActive (not IsAccountNotActive).
10. Use meaningful names for classes and files, and keep them under 60 characters.

Coding practices:

Some of the coding practices are:
  1. Write code that is easy to maintain. There are many ways to do this. Say you are implementing a method inside your class or file and you can see the same method is going to be used by other classes or files: move it into a common place so that everyone can use it. This saves time, and a change need only be made in one place.
  2. Use exceptions (try-catch) wherever necessary, and close connections, file handles and so on in the finally block (or with a using statement, which generates the same try/finally for you).
  3. Write the code as many small methods, each doing one job. For example, for a registration page you can split the methods like this:
private void SaveRegistrationDetails(Customer customer)
{
    // implement method here
}
private void SendActivationEmail(string emailAddress)
{
    // implement method here
}
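As an added example (not code from the original post), here is a filled-in version of the registration service sketched in practices 2 and 3: two methods that each do one job, one using a using statement and the other an explicit try/catch/finally, so that the connection and the file handle are released on every path. The Customers table, the log path, the sender address and the assumption that the SMTP host is configured in <system.net> are placeholders for illustration.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;
using System.Net.Mail;

public class Customer
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
}

public class RegistrationService
{
    // Assumed: the connection string is read from web.config by the caller;
    // the log path and sender address are placeholders.
    private readonly string _connectionString;
    private const string ActivationLogPath = @"C:\Logs\activation.log";
    private const string SenderAddress = "noreply@example.com";

    public RegistrationService(string connectionString)
    {
        _connectionString = connectionString;
    }

    // The page calls this one method; the work is split into methods that each do one job.
    public void Register(Customer customer)
    {
        SaveRegistrationDetails(customer);
        SendActivationEmail(customer.EmailAddress);
    }

    // One job: persist. The using statements dispose (and therefore close) the
    // command and the connection on every exit path, including exceptions;
    // the compiler writes the try/finally for you.
    private void SaveRegistrationDetails(Customer customer)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Customers (FirstName, LastName, EmailAddress) " +
            "VALUES (@first, @last, @email)", conn))
        {
            cmd.Parameters.AddWithValue("@first", customer.FirstName);
            cmd.Parameters.AddWithValue("@last", customer.LastName);
            cmd.Parameters.AddWithValue("@email", customer.EmailAddress);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // One job: notify. Written with an explicit try/catch/finally so the
    // "close handles in finally" rule is visible.
    private void SendActivationEmail(string emailAddress)
    {
        StreamWriter log = null;
        try
        {
            log = new StreamWriter(ActivationLogPath, true);   // true = append
            using (var message = new MailMessage(SenderAddress, emailAddress))
            {
                message.Subject = "Activate your account";
                message.Body = "Please follow the activation link sent to this address.";
                new SmtpClient().Send(message); // SMTP host comes from <system.net> in config
            }
            log.WriteLine("{0:u} activation mail sent to {1}", DateTime.UtcNow, emailAddress);
        }
        catch (SmtpException ex)
        {
            // Catch only what this method can act on: record the failure, then
            // rethrow so the page can show the customer a friendly message.
            if (log != null)
                log.WriteLine("{0:u} activation mail FAILED for {1}: {2}",
                              DateTime.UtcNow, emailAddress, ex.Message);
            throw;
        }
        finally
        {
            // Runs whether Send succeeded or threw: the file handle is always released.
            if (log != null) log.Dispose();
        }
    }
}
```

The catch clause names SmtpException rather than Exception on purpose: a blanket catch would also swallow the file I/O errors from the logger and the page would report success for a registration whose mail was never sent.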
I am not going to write all the details here. For more information please visit the following URLs:

http://msdn.microsoft.com/en-us/library/ms229042 (Design Guidelines for Developing Class Libraries on the Microsoft site)
http://www.amazedsaint.com/2010/11/top-6-coding-standards-guideline.html

Please follow these coding standards and good practices in your programming as much as you can.

Conclusions:
  1. Prepare coding standards documentation for your company and use it for your IT development. Ask everyone to follow these standards, including new starters.
  2. Prepare deployment documentation and scripts for your IT development and use them for deploying packages to live.
  3. Use the source version control software your company has adopted to maintain the code. For more information regarding version control, please visit the following URLs and