Scott Norberg - Advanced ASP.NET Core 3 Security: Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the books product page, located at www.apress.com/9781484260166 . For more detailed information, please visit http://www.apress.com/source-code .

A lot of resources exist if you want to learn how to use the security features built into ASP.NET Core. Features like checking for authorization, Cross-Site Request Forgery (CSRF) prevention, and Cross-Site Scripting (XSS) prevention are either well documented or hard to get wrong. But what if you need to secure your system beyond what comes with the default implementation? If you need to encrypt data, how do you choose an algorithm and store your keys? If you need to make changes to the default login functionality to add password history and IP address verification, how would you go about doing so? How would you implement PCI- or HIPAA-compliant logs?

Perhaps most importantly, what else do you need to know to be sure your website is secure?

This book will certainly cover the former concepts, i.e., it will cover best practices with ASP.NET Core security that you can find elsewhere. But the true value of this book is to provide you the information you wont find in such sources. In addition to explaining security-related features available in the framework, it will cover security-related topics not covered often in development textbooks and training, sometimes digging deep into the ASP.NET Core source code explaining how something works (or how to fix a problem).

In short, this is meant to be a book about web security that just happens to use ASP.NET Core as its framework, not a book about ASP.NET Core that just happens to cover security.

If youre a software developer who has some experience creating websites in some flavor of ASP.NET and you want to know more about making your website secure from hackers, you should find this book useful. You should already know the basics of web technologies like HTML, JavaScript, and CSS, how to create a website, and how to read and write C#. If you are brand new to web development, though, you may find that some of the concepts are too in depth for you, so you should consider reading some books on website development before tackling advanced security.

You do not need to have much previous knowledge of security concepts, even those that are often covered under other materials that attempt to teach you ASP.NET Core. In order to ensure everyone has a similar understanding of security, this book starts by going over general concepts from a security perspective, then going over web-related security concepts, and then finally applying those concepts directly to ASP.NET Core.

If your background is in security and you are working with a development team that uses ASP.NET Core at least part of the time, you may find it useful to read the book to understand what attacks are easy to prevent in the framework as it is intended to be used and which are hard.

This book is intended to be read in order, and each chapter builds on the previous ones. It starts with general concepts, applies them to real-world problems, and then finishes by diving into web-specific security concepts that may be new material to you as a software developer.

ChapterIntroducing ASP.NET Core

Chapters covers much of what makes each version of ASP.NET Core, Razor Pages and MVC, different from its predecessors, ASP.NET Web Forms and ASP.NET MVC. It focuses on areas that you will need to know about in creating a secure website, such as knowing how to set up services properly and how to replace them as needed.

ChapterGeneral Security Concepts

This chapter covers concepts that full-time security professionals worry about that dont get covered in most programming courses or textbooks but are important to know for excellent application development security. I will start by describing what security is (beyond just stopping hackers) so we have a baseline for discussions and move into concepts that will help you design more secure software.

ChapterCryptography

Cryptography is an extremely important concept in building secure systems but is not covered in depth in most programming textbooks and courses. At least in my experience, that results in an uneven knowledge of how to properly apply cryptography in software. You will learn about the differences between symmetric and asymmetric cryptography, what hashing is and where its useful, and how to securely store the keys necessary to keep your data secure.

ChapterWeb Security Concepts

After discussing security in general, it will be time to cover security-related topics specific to web. Most of the topics in this chapter should look familiar to you as a web developer, but the goal is to dive deeper into each topic than is needed to program most websites in order to better understand where your website might be vulnerable. This chapter also introduces Burp Suite, a popular software product used by penetration testers around the world, which you can use to perform basic penetration tests on your own.