Security Updates, News, and Resources
Don Kiely discusses topics of interest for those concerned about Web application and general security.
October 30, 2009
SecureASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
By Don Kiely
One of the nice things about being a Microsoft MVP with the Visual Developer - Security competency is that I get exposed to a lot of cool and scary security information and updates. There have been a lot of things come my way in the last month that will be of interest to anyone concerned about Web application and general security, so I'm going to use this column to clear my desk of important stuff that doesn't yet justify a whole column.
ASP.NET and Shared Hosting
ASP.NET was practically designed for creating Web apps that can peacefully and safely co-exist on shared servers. Version 1.x of the .NET Framework made it possible and version 2.0 made it almost easy, but providing a secure environment still takes some work and diligence by the hosting company. Kevin Kenny on his blog (http://blog.zygonia.net/PermaLink,guid,7e068a80-e08b-44a9-83b0-efe7e4223ba1.aspx) recently told the story of some scary things he found on his shared host: he could read web.config and other files with almost no restriction!
He makes one minor error in the blog entry, saying that using an OLE DB .NET provider requires full trust. It doesn't, but it does require the deadly UnmanagedCode permission that lets code call COM objects and other code outside the safe CLR environment. Any code that has this permission may as well have full trust.
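As an added illustration (not from Kevin Kenny's post or from this column), here is the kind of lock-down a hosting company can apply in the ASP.NET 2.0 root web.config (%windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config) so that a tenant's own web.config cannot raise its trust level; the surrounding elements are trimmed to the ones that matter.

```xml
<!-- Root web.config on a shared ASP.NET 2.0 host (added example, trimmed). -->
<configuration>
  <system.web>
    <!-- Each trust level maps to the policy file that defines its permission set.
         web_mediumtrust.config grants FileIOPermission only for $AppDir$ (the
         application's own directory) and does not grant the UnmanagedCode flag
         of SecurityPermission, so Medium-trust code can neither read another
         tenant's web.config nor call out through COM interop or P/Invoke. -->
    <securityPolicy>
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
  </system.web>

  <!-- WEAK (the out-of-the-box setting): allowOverride defaults to true, so any
       tenant can drop <trust level="Full" /> into its own web.config and leave
       the sandbox entirely. Shown commented out for contrast. -->
  <!--
  <location allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>
  -->

  <!-- HARDENED: pin the trust level for every site on the box. A tenant
       web.config that tries to override <trust> now fails with a configuration
       error at startup instead of silently gaining permissions. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

The same `<location allowOverride="false">` wrapper can pin any other system.web setting the hoster does not want tenants to change.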
Security Training and other Resources
Microsoft's Brian Goldfarb recently blogged with a list of great security resources for ASP.NET developers (http://blogs.msdn.com/bgold/archive/2006/02/27/540264.aspx). Most importantly, he points to some security training modules published by Microsoft's Channel 9 folks (http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules). The only module up as I write this is for Input and Data Validation, but the list looks interesting.
The Web Application Security Engineering Index link (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WebAppSecurityEngIndex.asp) is a collection of some of the first material that will no doubt increase as security issues become increasingly important. As a Civil Engineer by education, I'm convinced that software security is an area that is ripe for treatment with a disciplined engineering approach. Not the loose kind of software engineering practiced all too often these days, but the discipline developed in the engineering profession for hundreds of years.
A great place to start for a security code review is what Brian calls the security Cheat Sheet, the Patterns and Practices Group's Security Question List: ASP.NET 2.0 (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGQuestionList0001.asp).
Threat Modeling Torpedo
This item will only be of interest to you if you're into threat modeling or if you've heard mention of it enough times to be curious about what it's all about. Microsoft recently released beta 2 of version 2.0 of its Microsoft Threat Analysis & Modeling, code named ACE Torpedo. This interesting tool helps you take a systematic look at the security problems in an application of any type that you're developing. It isn't for the faint of heart or threat modeling novices, but with a little learning and a detail-oriented demeanor you may end up with much more secure applications. You can download it (http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en) or simply Google Microsoft Threat Analysis & Modeling to find it if the link happens to go bad.
I still haven't decided whether the tool will really help make applications more secure or if it will just help you look like you are more secure, but it's cool nonetheless.
Aaron Margosis Is Blogging Again!
Microsoft's own least privilege guru is blogging again! (http://blogs.msdn.com/aaron_margosis/default.aspx) This is one of the best blogs around on running Windows using a Least-privilege User Account (LUA), as it's called in Vista. Aaron has written some nice utilities to help run and survive as a non-administrative account, and he has a clear way of explaining how to accomplish things and how to develop more secure apps. His ongoing series Fixing LUA Bugs is mandatory reading. He's currently working on a tool for eradicating LUA bugs, called LUA BugLight. I've seen him do a demo, and it will be a sweet security tool when it's done.
Code Room Hits Las Vegas
It's mildly cheesy, but fun nonetheless. The Code Room is an MSDN TV feature, and their most recent episode dramatizes a somewhat-real-world hacking binge on a Las Vegas casino and the Security A Team that rides to the rescue (http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060223CodeRoom3/manifest.xml).
About the Author
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.