
VSLive: Membership and security in ASP.NET apps

The ASP.NET track at the recent VSLive show offered developers much advice on keeping malicious users out of their Web applications. This work extends beyond preventive code to encompass testing, detection and management.

BOSTON -- ASP.NET developers devote much time to writing code that prevents malicious users from accessing their applications. However, not enough time is spent monitoring the activity of such users.


"How do I know if someone is continually trying to log in with an incorrect password? How do I know if someone is continually trying a SQL injection?" Robert Hurlbut asked during a session he led at the recent VSLive conference in Boston. "We do a lot of preventing but not enough, in my opinion, detection."

Hurlbut, president of Hurlbut Consulting, urged ASP.NET developers to get into the habit of instrumenting their applications. This means adding management events, performance counters and trace information. On top of monitoring security, Hurlbut said this helps illustrate an application's performance and availability.

Much of this can be done within ASP.NET 2.0's Health Monitoring Framework. Implemented through Web Events, this framework instruments for both pre-defined and customized events related to security, performance, failures and other anomalies, Hurlbut said.

Default security and audit Web events look for problems such as authentication failures, invalid view states, unauthorized access attempts and runtime errors. Non-default events include forms authentication events and application lifetime events; the latter can help detect denial-of-service attacks that force repeated application startups and shutdowns.

Developers can also create custom instrumenting events. Hurlbut cautioned the audience against writing events that save sensitive data like credit card numbers or passwords. "Be very careful and diligent," he said. "You may not be the only person who has an opportunity to view that log file. Don't take that chance."
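As an added example (not code from Hurlbut's session or from this article), this is one way to write a custom Health Monitoring audit event for repeated failed logins in ASP.NET 2.0. The class name, event code offset, Login control ID, failure threshold, cache window and web.config mapping are all assumptions; the event records only the targeted user name and a count, never the password that was tried.

```csharp
using System;
using System.Web.Caching;
using System.Web.Management;

// Custom Health Monitoring audit event (assumed name) raised when one account
// accumulates several failed logins. Custom codes start at WebExtendedBase.
public class RepeatedLoginFailureEvent : WebAuditEvent
{
    public const int EventCode = WebEventCodes.WebExtendedBase + 1;
    private readonly string _userName;
    private readonly int _failures;

    public RepeatedLoginFailureEvent(object source, string userName, int failures)
        : base("Repeated login failures for one account", source, EventCode)
    {
        _userName = userName;   // record who was targeted, never the password tried
        _failures = failures;
    }

    // Extra detail that the configured provider (event log, SQL, e-mail) writes out.
    public override void FormatCustomEventDetails(WebEventFormatter formatter)
    {
        base.FormatCustomEventDetails(formatter);
        formatter.AppendLine("User name: " + _userName);
        formatter.AppendLine("Consecutive failures: " + _failures);
    }
}

// Code-behind for a page holding a Login control (assumed ID: LoginCtl). Failures
// are counted per account in the application cache across requests.
public partial class LoginPage : System.Web.UI.Page
{
    private const int Threshold = 5;   // assumed

    protected void LoginCtl_LoginError(object sender, EventArgs e)
    {
        string key = "failures:" + LoginCtl.UserName;
        int failures = (Cache[key] as int? ?? 0) + 1;
        // 15-minute sliding window so stale counters expire on their own
        Cache.Insert(key, failures, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(15));
        if (failures >= Threshold)
            new RepeatedLoginFailureEvent(this, LoginCtl.UserName, failures).Raise();
    }
}

/* web.config (assumed) wiring the event to the built-in EventLogProvider:
<healthMonitoring enabled="true">
  <eventMappings><add name="RepeatedLoginFailure" type="RepeatedLoginFailureEvent" /></eventMappings>
  <rules><add name="Log repeated failures" eventName="RepeatedLoginFailure" provider="EventLogProvider" profile="Default" /></rules>
</healthMonitoring> */
```

With the rule in place, each raised event lands in the Windows event log through the provider, which is what lets an operator notice a password-guessing pattern rather than only blocking individual attempts.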

Along with instrumenting, membership management gives ASP.NET developers tools for protecting their applications. The seven out-of-the-box membership controls in ASP.NET 2.0 provide a mechanism for creating an application's users, displaying log-in information and showing different content to different types of users.

At VSLive, Chris Kinsman, chief architect at Vertafore, showed developers how to use and deploy these controls and how they can be configured for greater security.


The PasswordRecovery control, for example, can present users with a "security question" if they forget their password. On the other hand, if a one-way hash has been established for storing and retrieving passwords, then this control will automatically reset a user's password, Kinsman said.

In addition, the CreateUserWizard can be set up to either automatically generate passwords or to enforce password complexity. In the latter case, Kinsman said, developers should go to their machine.config file, grab the expression that enforces the password complexity algorithm and enable it for the Web application in question.
