VSLive! Speaker Interview — Keith Brown


Security Challenges with ASP.NET 2.0

Since the security aspects of ASP.NET are challenging, we asked Keith Brown of Pluralsight, a .NET training and content development company, to share his insight. Brown is speaking on this topic at VSLive! Orlando (his sessions are "Attack and Defense: Securing ASP.NET 2.0 Applications" and "Inside ASP.NET 2.0 Security Features").

FTPOnline: What are the most common—and most debilitating—security threats that you see your clients face?

Brown: SQL injection vulnerabilities are really nasty, especially when combined with folks who insist on connecting to their databases with very high privilege (think SA). Cross-site scripting (XSS) is probably much more prevalent, though, given its often subtle nature. XSS can be surprisingly dangerous as well.

FTPOnline: What are the most effective security support measures in ASP.NET 2.0?

Brown: The XSS prevention feature, called PageValidation, is useful in that it points out that many types of input can be dangerous. But at the same time it can be misleading because a lot of developers rely on these sorts of infrastructure features to save them. Earlier versions of ASP.NET had bugs in this feature that attackers found and documented only months after the product shipped; I'm confident that the bad guys know how to get around PageValidation, but they aren't talking about it. Developers shouldn't get too comfortable with features like these.

FTPOnline: How do they mitigate the threats?

Brown: The first step is acknowledging that you have a problem. The second step is learning. Learn about existing threats, and try to spot attack patterns to develop an intuition for what an attacker looks for. Learn principles of secure coding and design. Begin building a threat model for your system; this is a good exercise. For one thing, it gets you thinking like an adversary, which is healthy.

FTPOnline: What should developers do to avoid such threats from the outset?

Brown: Education is key. Every developer on the team needs to learn basic secure coding techniques, most of which hinge around respecting user input: It's evil until proven otherwise! Architects would do well to consider security early in the lifecycle of the design; this will return huge benefits later on, when the system doesn't need to be turned into spaghetti to fix a design flaw that could have been remedied up front by thinking about threats. Think of your design document as your plan for building the system, and your threat model as a plan for attacking the same system. Both are important when security is a feature you're looking for.


Keith Brown is a cofounder of Pluralsight, where he focuses on application security. He authored the books The .NET Developer's Guide to Windows Security and Programming Windows Security.