In this post, I am going to write about security and how you can build your applications securely.
There are many things we could do in terms of security; however, I am going to cover the security topics that our applications actually need.
When I say "security" here, it consists of:
- Authentication and Authorization
- How you can prevent your application from hackers
Most developers lack experience with security models unless they work in the banking domain, because they have not built or been involved in the security of an application, or the applications they built have not been attacked by hackers yet. That is why we do not think about security at all.
Modern technologies change every day, and in order to protect our applications from hackers we need to follow and implement modern security models.
The next question is: where can we find these modern security models?
I would suggest that everyone refer to the OWASP (The Open Web Application Security Project) website to learn about modern security methodologies.
If you don't have much time, I would suggest visiting the following URLs to learn about security quickly.
A broad range of companies and agencies around the globe use the OWASP Top Ten, including Citibank, IBM, Sun Microsystems, Symantec and many others.
Let's say we are going to build a greenfield project (a project we build from scratch); then we should consider Authentication and Authorization in the first place.
Authentication and Authorization:
What is Authentication?
Authentication is the process of identifying a user and validating their credentials. So first we should find out from the business who is going to use the application.
We can choose different Authentication types depending on the business requirements.
What is Authorization?
Authorization is the process of determining whether that user has access to a particular resource. Simply put: who can access which resources?
Authorization happens after Authentication.
Authentication and Authorization are two interrelated concepts that form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are very flexible, simple, and can be implemented in code. ASP.NET is not a standalone product; it is linked with IIS and is, in fact, a layer on top of IIS.
So any request that comes into the ASP.NET process is first authenticated and authorized by IIS. In short, the ASP.NET process is completely unaware of whether a user has been denied access to a page by IIS. Several security authorities interact when a user requests an ASP.NET page, and you must get to know how these processes work in order to fully understand the ASP.NET security system.
The ASP.NET Authentication modes are
- None (Custom)
- Windows
- Passport
- Forms
Best practices for choosing an Authentication mode:
- If it is a public site with no sensitive information and anyone can access it, then you do not need any type of Authentication; set the mode to None.
- If you need to verify users and those users are part of your network, set up Windows Authentication. For example, an intranet site where access is only available to network accounts.
- If you need to verify users and those users are not part of your network, set up Forms Authentication. For example, an internet site where access is only available to those who have a valid user name and password.
- If you would like a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites, then go for Passport Authentication.
The ASP.NET Authorization modes are
- URL Authorization
- File Authorization
- Authorization based on ACLs
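As an added example (not part of the original post), here is a web.config fragment that applies the Forms Authentication choice above together with URL Authorization: anonymous users are denied everywhere except a public folder, and an admin folder is restricted to one role. The folder names, login page and role name are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication for an internet site: users who are not in our
         network log in with a user name and password at the login page.
         For an intranet site, mode="Windows" would be used instead. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- URL Authorization, site-wide default: "?" means anonymous users,
         so unauthenticated requests are sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep the authentication and session cookies off the wire in clear
         text and out of reach of client-side script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- A public folder that needs no Authentication ("*" = everyone). -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- An admin folder: only members of the Administrators role get in;
         rules are evaluated top-down, so the final deny catches everyone else. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```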
Authentication in IIS:
- Anonymous Authentication
- Basic Authentication
- Digest Authentication
- Integrated Windows Authentication
- Certificates Authentication
Please refer to the picture below from the Microsoft site.
I am not going to cover how to set up the above Authentication/Authorization modes in practice, as I don't have much time. I may cover these in later blog posts if I get the time.
Please visit the following URLs to learn more about security.
So far I have talked about Authentication and Authorization; now let's talk about other security topics.
How you can prevent your application from hackers:
As mentioned at the beginning of this post, please refer to the OWASP (The Open Web Application Security Project) website http://www.owasp.org
and
http://msdn.microsoft.com/en-us/library/ff648653.aspx to protect your application from hackers.
Also refer to http://msdn.microsoft.com/en-us/library/ff649874 to prepare a security checklist for your development team.
Summary:
- Decide which type of Authentication and Authorization your application needs.
- Check which permissions are needed on the web and database servers and remove any unnecessary permissions.
- Use parameterized queries and stored procedures to prevent SQL injection.
- Use strong validation, encode HTML output strings, and review potentially dangerous HTML tags and attributes to prevent XSS (Cross Site Scripting, sometimes abbreviated CSS).
- Use SSL certificates for the sensitive pages of your application.
- Use a single set of strong authentication and session management controls to prevent Broken Authentication and Session Management.
- For direct references to restricted resources, the application must verify that the user is authorized to access the exact resource they requested. If they do not have access, return a proper error message saying that access to this resource is not allowed. This prevents Insecure Direct Object References.
- Set up and configure custom error messages.
- Use a unique token in a hidden field that is sent with the HTTP request to prevent Cross-Site Request Forgery (CSRF).
- Install software patches and updates in a timely manner and apply the proper security configuration.
- Disable directory listing for the web server's virtual directories and set a custom 403 error page.
- Set up a custom error page for HTTP error code 404 and set
- Put all connection strings in the web.config file, and encrypt those entries.
- Catch exceptions and show a friendly message to the customer.
- Set the following in the web.config:
  <customErrors mode="RemoteOnly" xdt:Transform="Replace">
    <error statusCode="404" redirect="404.htm"/>
  </customErrors>
- Prepare a security checklist for your team and make sure every item is ticked/implemented before the application goes to production.
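As an added example (not code from the original post), the following C# shows three of the checklist items together: a query built by string concatenation next to its parameterized form, the ownership check that prevents an Insecure Direct Object Reference, and HTML encoding of the value before it is written to the page. The Orders table, its columns and the customer id passed in by the caller are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Assumed (hypothetical) schema: Orders(OrderId int, CustomerId int, Notes nvarchar).
public static class OrderRepository
{
    // VULNERABLE: the order id taken from the request is pasted into the SQL text,
    // so attacker-supplied text becomes part of the query (SQL injection), and
    // nothing ties the order to the current user (Insecure Direct Object Reference).
    public static string GetNotesUnsafe(string connectionString, string orderId)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Notes FROM Orders WHERE OrderId = " + orderId, conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    // HARDENED: the id is validated as an integer, typed parameters keep input as data,
    // the WHERE clause also requires the row to belong to the authenticated customer,
    // and the result is HTML-encoded before it reaches the page.
    public static string GetNotesSafe(string connectionString, string orderId, int customerId)
    {
        int id;
        if (!int.TryParse(orderId, out id))
            throw new ArgumentException("OrderId must be an integer.");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Notes FROM Orders WHERE OrderId = @OrderId AND CustomerId = @CustomerId",
            conn))
        {
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            conn.Open();
            object notes = cmd.ExecuteScalar();

            // No row: either the order does not exist or it is not this customer's.
            // Either way the caller gets the same generic "not allowed" error.
            if (notes == null)
                throw new UnauthorizedAccessException("Access to this resource is not allowed.");

            string text = notes == DBNull.Value ? string.Empty : (string)notes;
            return HttpUtility.HtmlEncode(text);   // prevents stored XSS on output
        }
    }
}
```

The exception thrown by GetNotesSafe should be caught by the page and mapped to the friendly message the checklist asks for, not shown raw to the customer.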