Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with?
Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context?
Were you aware that ASP.NET limits the size of the request you can make in order to mitigate the risk of a denial of service attack? And, for that matter, that you can easily tune this setting in the web.config to either decrease (more secure) or increase (less secure) the max size of the request?
If you’re reading this blog then chances are this may be something you’re au fait with already, but for many people these features are indeed “secrets” – magic stuff within ASP.NET that’ll be news to them. Indeed, when 67% of ASP.NET websites have serious (but simple) security misconfigurations, it’s fair to say that there’s a great swathe of developers out there who could benefit from picking up some fundamental security tips.
This is why today, I’m very happy to launch my latest Pluralsight course: ASP.NET Security Secrets Revealed.
Who’s the course for?
This is my third Pluralsight course so let me explain where it fits into the mix.
In the beginning (ok, in April last year), there was the OWASP Top 10 Web Application Security Risks for ASP.NET. This takes the OWASP Top 10 and aligns each and every risk to mitigations in ASP.NET. For example, in part 1 on injection I cover how to create a parameterised SQL query in C# and most importantly, here’s how it gets exploited if you don’t. It’s over 8 hours of training in a very structured and somewhat formal approach and it’s particularly valuable for developers working with security teams that test apps against the OWASP guidelines.
Next came Hack Yourself First: How to go on the Cyber-Offense which came at security from an entirely different angle. Now we’re looking at things from the hacker’s perspective rather than the developer’s which means spending a lot of time in the browser and using various tools to exploit the system. Importantly, it’s technology agnostic so it’s equally relevant to your PHP and Java developers as it is your ASP.NET guys. It’s also over 9 hours so it’s a biggie, but it’s also very popular having hit the Pluralsight Top 10 and earned me a shiny crystal mic in the process.
The Security Secrets course takes a very different tack to both the previous courses; firstly, it’s short (relatively speaking) – only about 3 and a half hours. Secondly, it’s lots of small pieces of information that can be consumed in any order. Each lesson averages only a few minutes in duration and you can happily jump down and watch something at the end without being disadvantaged by not having watched all the prior pieces. Thirdly, I wanted the content to be really easily consumable such that, well, just read the course overview:
ASP.NET Security Secrets Revealed is all about looking at a broad range of security features within the framework in small bites of easily consumable information.
Finally, and perhaps most importantly, I wanted to fill a whole heap of gaps that I just wasn’t able to tackle in the previous 17 hours of material either because it didn’t fit into the OWASP Top 10 definitions or it was .NET code-level stuff that wasn’t suitable for the technology agnostic “Hack Yourself” course.
Let me share what I cover in the modules.
What’s in the box
There are only 5 modules in this course and each one tackles a different aspect of ASP.NET security:
- Configuration: This is living in the web.config and going through a whole heap of settings that apply to Web Forms, MVC, Web API and basically anything else related to the ASP.NET ecosystem. We’re talking about getting custom errors right (remember the 67% figure!), how cookies are secured for sessions and when being set in code and a bunch of other stuff that probably will be new to most ASP.NET devs.
- Membership, Identity and Roles: This is a tricky one in that there have been so many changes in recent versions of the Visual Studio templates so I’ve focussed primarily on the common stuff. This is things like configuring forms auth, how accounts are persisted in the database, configuring auth cookies and using the role provider. They’re the fundamentals of account management in ASP.NET and they’re things I regularly see people build from scratch with great effort (and often great insecurity) when it’s sitting right there in the box.
- MVC: There’s a heap of security goodness right from the get-go with MVC and it’s dead easy to kick off from a “secure by default” position. Automatic output encoding, handy attributes for things like anti-forgery tokens and forcing SSL plus some little tips to avoid risks like HTTP verb tampering all make the cut. Many people probably get these features without even realising the advantage it’s giving them (such as Razor’s output encoding), so this is a really useful module for understanding how MVC gives you a helping hand on the security front.
- Web Forms: Remember this? It might seem like everyone is doing MVC these days but there’s still a heap of Web Forms out there and it actually has some really nifty features that you don’t get in the newer ASP.NET paradigms, particularly with regards to tamper-proofing the app. For example, I talk about event validation and how the View State has an HMAC to prohibit tampering although it doesn’t have encryption – but you can easily enable it. In fact it was interesting going back to Web Forms after having spent so much time in MVC in recent years – there’s actually some pretty neat security stuff in there!
- General Security Principles and Tools: I also wanted to touch on a bunch of cross-cutting security principles and other useful tools. For example, there are many times when you need to manually perform HTML output encoding or output encode for a different context (JavaScript, CSS, HTML attributes, etc). Then there are some great tools to make your security life easier, such as fellow MVP André N. Klingsheim’s NWebsec and my own ASafaWeb (if I do say so myself!)
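To put the configuration, Web Forms and request-size points above in one place, here is an added web.config fragment (an illustration written for this page, not material from the post or the course). Each comment names the weak value the hardened setting replaces; the error page path, the 30-minute timeout and the 4096 KB limit are assumed placeholder values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the post: hardened settings for the features
     discussed above. Paths and numeric values are illustrative assumptions. -->
<configuration>
  <system.web>
    <!-- Weak: mode="Off" returns stack traces and source snippets to remote
         users (the common misconfiguration). RemoteOnly keeps the detail on
         localhost and gives everyone else the generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />

    <!-- Weak: omitting this element leaves cookies set in code readable by
         script and sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Forms auth cookie: requireSSL keeps it off HTTP; turning sliding
         expiration off bounds how long a stolen cookie stays valid. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true"
             slidingExpiration="false" timeout="30" />
    </authentication>

    <!-- Web Forms tamper-proofing: View State carries an HMAC by default but
         is not encrypted; viewStateEncryptionMode="Always" turns encryption
         on. Event validation rejects postback values the page never rendered.
         Weak: enableViewStateMac="false" or enableEventValidation="false". -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always"
           enableEventValidation="true" />

    <!-- Request size limit in KB (framework default is 4096, i.e. 4 MB).
         Lowering it narrows the DoS window; raising it widens it. -->
    <httpRuntime maxRequestLength="4096" />
  </system.web>
</configuration>
```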
With each of these modules, I wanted people to be able to take just a few minutes and learn something useful. It’s information they can consume quickly while waiting for a coffee, taking a few minutes break or even during a moment of quiet contemplation in the smallest room in the house (c’mon, playing Angry Birds in there isn’t really going to teach you anything useful!)
Coming soon…
I’m enormously happy with what I’ve been producing in these Pluralsight courses and by all accounts, you are too (because you’ve all got subscriptions, right?!). Both those previous courses are rating 4.8 out of 5 stars across hundreds of ratings and they’ve both stuck well and truly down in the Top 100 despite the Pluralsight catalogue now rocketing through 1,000 courses.
But I’m just warming up. I’ve got several more courses in planning right now that target either entirely different audiences or entirely different aspects of software security. A couple of them in particular I reckon are absolute rippers so with “Security Secrets” now fully baked and live, it’s time to jump straight into the new stuff.
What do you want to see? If you’ve got ideas or suggestions, do hit me up with them. Much of what I write, speak about or produce training material on comes from community feedback so do keep putting those suggestions forward and telling me what you’d like to see more of in the wonderful world of security.