VSLive: Membership and security in ASP.NET apps

By Brian Eastwood, Site Editor
30 Oct 2006 | SearchVB.com

BOSTON -- ASP.NET developers devote much time to writing code that prevents malicious users from accessing their applications. However, not enough time is spent monitoring the activity of such users.
"How do I know if someone is continually trying to log in with an incorrect password? How do I know if someone is continually trying a SQL injection?" Robert Hurlbut asked during a session he led at the recent VSLive conference in Boston. "We do a lot of preventing but not enough, in my opinion, detection."

Hurlbut, president of Hurlbut Consulting, urged ASP.NET developers to get into the habit of instrumenting their applications. This means adding management events, performance counters and trace information. On top of monitoring security, Hurlbut said this helps illustrate an application's performance and availability.

Much of this can be done within ASP.NET 2.0's Health Monitoring Framework. Implemented through Web Events, this framework instruments for both pre-defined and customized events related to security, performance, failures and other anomalies, Hurlbut said.

Default security and audit Web events look for problems such as authentication failures, invalid view states, unauthorized access attempts and runtime errors. Non-default events include forms authentication and application lifetime events, which can be used to detect denial-of-service attacks that force application startup and shutdown.

Developers can also create custom instrumenting events. Hurlbut cautioned the audience against writing events that save sensitive data like credit card numbers or passwords. "Be very careful and diligent," he said. "You may not be the only person who has an opportunity to view that log file. Don't take that chance."
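As an added illustration (not code from the session or the article), the web.config fragment below turns on the Health Monitoring Framework described above and routes the built-in event categories to providers. It relies only on the event mappings, providers and the "Default"/"Critical" profiles that ASP.NET 2.0's machine.config defines; the connection string is a constructed example.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example. SqlWebEventProvider in machine.config uses the
         "LocalSqlServer" name, so replace it rather than adding a new one.
         Create the aspnet_WebEvent_Events table first with:
         aspnet_regsql.exe -E -S . -d aspnetdb -A w -->
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <healthMonitoring enabled="true">
      <rules>
        <!-- Failure Audits: failed logins, invalid view state, denied access.
             machine.config already sends these to the event log, but throttled
             by the Default profile (one event per minute). The Critical profile
             records every occurrence, which is what repeated-login detection
             needs, and SQL storage lets the audit trail be queried later. -->
        <add name="Failure Audits To Sql"
             eventName="Failure Audits"
             provider="SqlWebEventProvider"
             profile="Critical" />
        <!-- Application Lifetime Events (startup/shutdown) have an event mapping
             in machine.config but no rule, so nothing records them by default. -->
        <add name="Lifetime Events To EventLog"
             eventName="Application Lifetime Events"
             provider="EventLogProvider"
             profile="Critical" />
        <!-- Runtime errors during request processing, throttled per Default. -->
        <add name="Request Errors To EventLog"
             eventName="Request Processing Errors"
             provider="EventLogProvider"
             profile="Default" />
      </rules>
    </healthMonitoring>
  </system.web>
</configuration>
```

The rules only select built-in events, so nothing written here carries user-supplied secrets; a custom event class that adds its own details to the log is where Hurlbut's warning about sensitive data applies.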

Along with instrumenting, membership management gives ASP.NET developers tools for protecting their applications. The seven out-of-the-box membership controls in ASP.NET 2.0 provide a mechanism for creating an application's users, displaying log-in information and showing different content to different types of users.

At VSLive, Chris Kinsman, chief architect at Vertafore, showed developers how to use and deploy these controls and how they can be configured for greater security.
The PasswordRecovery control, for example, can present users with a "security question" if they forget their password. On the other hand, if a one-way hash has been established for storing and retrieving passwords, then this control will automatically reset a user's password rather than retrieve it, Kinsman said.

In addition, the CreateUserWizard can be set up either to generate passwords automatically or to enforce password complexity. In the latter case, Kinsman said, developers should open their machine.config file, copy the regular expression that enforces the password complexity algorithm and enable it for the Web application in question.
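The membership provider settings that both passages depend on, as an added example rather than configuration from the session: a hashed password format (so PasswordRecovery can only reset, never retrieve) together with a complexity expression that the CreateUserWizard enforces. The provider name, connection string name and the regular expression are constructed for this example; the attribute names are those of SqlMembershipProvider.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="HardenedSqlMembership">
      <providers>
        <!-- Drop the machine.config provider so its weaker settings cannot be selected -->
        <clear />
        <add name="HardenedSqlMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With passwordFormat="Hashed", setting enablePasswordRetrieval="true" is rejected when the provider initializes, so the reset-only behaviour of PasswordRecovery is enforced by the provider itself, not just by the control; the regular expression is checked in addition to the length and non-alphanumeric minimums, so a password must satisfy all three.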
