Security

Rate It (5) Thank you for your feedback!

ASP.NET security is a huge topic and we're only scratching the surface. Let's continue to categorize in the add new content around security to make this a great resource. This is just the overview page, make sure to visit the subpages from the Table of Contents or scroll down.

Webcasts/Videos

Web Application Security with Keith Brown - In this installment of geekSpeak, security guru Keith Brown discusses how you can address security concerns in your Web applications.
Securing your Web Site with Membership and Login Controls - This video explores the new membership capabilities of ASP.NET 2.0. In addition, you will learn about role-based security, and how you can use roles to control access to your web site.
Using Code Access Security and Partial Trust with ASP.NET - Attend this webcast to discover one of the most overlooked security features of Microsoft ASP.NET, code access security (CAS).
ASP.NET: Security Tips & Tricks for ASP.NET Developers - In this webcast we’ll example several application security development patterns from the trenches that will help you build applications that are better at thwarting the bad guys.
Best Practices: A Look at Developer ASP.NET AJAX Security Mistakes - This talk will discuss and demonstrate the security pitfalls common in ASP.NET AJAX development.
Dave's Top 10 Ways to Secure Your Web Application - Level 300 - Practical best practices for writing secure ASP.NET code.

Blogs

Arno Nel's Ultimate Security List - Arno has put together an amazing list of links to resources you can use covering security, roles, membership, and the profile provider within ASP.NET. This is a great place to start.
ASP.NET 2.0 Security Training Modules - Bgold has some excellent links including labs on Input and Data Validation.
ScottGu's Blog's Security Category - Everything The Gu has ever blog about Security.
Top 5 Application Security Vulnerabilities in Web.config Files - Sanjeev with a fine list focused on web.config vulnerabilities.
Basics of Authentication - An older article, but good overview.
ASP.NET Security Forums - Engage with your fellow developers and talk security.
KB: ASP.NET Security Overview - Recently updated, this KB article is full of links and pointers to other articles that will come in handy depending on which authentication scheme you decide to use.
Introduction to the Provider Model - Much of the security model and a ASP .net 2.0 is managed by a design pattern called the Provider Model. This design pattern may be unfamiliar and this article is a good overview. You can also download the entire series as a PDF.
Use less code to secure ASP.NET applications - Usually, the less you write the less there is to break into.

Articles

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication - MS Patterns and Practices Team
This guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Windows 2000 and .NET Framework version 1.0. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications.
Web Service Security Guidance
Provides architectural, design, and implementation guidance for applying security to Web services by using Web Services Enhancements (WSE) 3.0 and the .NET Framework 2.0. Includes scenarios, patterns, decision matrices, and QuickStarts to help you make the most appropriate decisions based on your solution’s requirements.
Security Guidance for .NET Framework 2.0
This page provides an index to the patterns & practices Security Guidance for .NET Framework 2.0 project. You can use the guidance to improve both the security of your applications and your approach to building secure applications.
Scott Mitchell's Security Tutorial Series on ASP.NET
A new tutorial series by Scott Mitchell of 4GuysFromRolla.com on ASP.NET security, roles, and membership, in the style of his well-known Data Tutorial series.

Enjoy!

Revision number 4, Friday, February 08, 2008 2:07:03 PM by
This is not the most up to date version of this article. The most recent version can be found here.

Revision History
Article Updates
Comments

Comments

You must Login to comment.

In This Section

New Mon, Feb 4, 2008 8:00 AM by shanselman	AJAX Security AJAX adds one more wrinkle to web security. I find that videos and demonstrations help me understand subtle topics like this. Videos Security in ASP.NET AJAX Client Applications - In this webcast, we cover Microsoft ASP.NET AJAX client application security
Revision #2 Sun, Feb 10, 2008 10:58 AM by XIII	Windows card space Windows CardSpace: enables users to provide their digital identities in a familiar, secure and easy way. In the physical world we use business cards, credit cards and membership cards. Online with CardSpace we use a variety of virtual cards to identify ourselves
Revision #2 Mon, Feb 4, 2008 8:00 AM by mbanavige	Code Access Security Code Access Security is one of the least-understood but most valuable aspects of the .NET Framework. Webcasts MSDN Webcast: Using Code Access Security and Partial Trust with ASP.NET (Level 200) Blogs/Articles Code Access Security: When Role-based Security
New Mon, Feb 4, 2008 8:00 AM by shanselman	Communications Security Traffic on the wire needs to be secured as well. Usually this means SSL, but sometimes it means IPSec or certificates. How To How To: Call a Web Service Using Client Certificates from ASP.NET How To: Call a Web Service Using SSL How To: Set Up SSL on a Web
New Mon, Feb 4, 2008 8:00 AM by shanselman	Cryptography At A large part of security in any web application is keeping your secrets secret. Cryptography makes that happen. Webcasts/Videos Cryptography Webcasts on ZDNET- Not sure what MSDN Webcasts are doing over at ZDNET, but it's excellent content. MSDN Webcast
Revision #2 Mon, Feb 4, 2008 8:00 AM by siva_sm	Authentication and Authorization Authentication means figuring out who you are and Authorization means figuring out what you can do. Both are fundamental parts of the ASP.NET Security Model. An Overview of Authentication and Authorization - This is a good place to start. Samples and Quickstarts
New Mon, Feb 4, 2008 8:00 AM by shanselman	Impersonation and Delegation Sometimes you'll find it necessary to impersonate the user's identity on a thread with an ASP.NET. You may also need a delegate access the user to another machine with the larger web farm. Here's some tutorials on how to implement these more advanced techniques
Revision #8 Thu, Jul 10, 2008 5:43 PM by bmains	Input and Data Validation Garbage in, garbage out. You can avoid data cleanup tasks on the backend by avoiding bad data coming in. ASP.NET validation controls and third party validation controls help you receive the right data in the right format. In addition, the AJAX Control Toolkit
New Mon, Feb 4, 2008 8:00 AM by shanselman	SQL Server Security There's a lot of great information on SQL Server Security covering both SQL Server 2000 and 2005. Blogs/DevCenters SQL Server 2005 Security on Microsoft.com - Start here. SqlSecurity.com - Good security focused blog 10 Steps To Help Secure SQL Server 2000
Revision #2 Mon, Feb 4, 2008 8:00 AM by scott@elbandit.co.uk	Threat Modeling It's absolutely necessary if you're serious about security. Whitepapers/Books/Blogs Threat Modeling for ASP.NET (PDF) - an excellent white paper from Rüdiger Grimm and Henrik Eichstädt from the University of Kent Threat Modeling book from MSPress
Revision #3 Mon, Feb 4, 2008 8:00 AM by scott@elbandit.co.uk	Security Guidelines and Recommendations There's a great deal of good prescriptive security guidance out there in the form of whitepapers and books. Whitepapers patterns & practices Security Guidance for .NET Framework 2.0 patterns & practices ASP.NET 2.0 Security Guidance patterns &

Shortcuts

Top Wiki Contributors

(last 30 days)

Advertise Here

Advertise on ASP.NET

About this Site