BOSTON -- ASP.NET developers devote much time to writing code that prevents malicious users from accessing their applications. However, not enough time is spent monitoring the activity of such users.
"How do I know if someone is continually trying to log in with an incorrect password? How do I know if someone is continually trying a SQL injection?" Robert Hurlbut asked during a session he led at the recent VSLive conference in Boston. "We do a lot of preventing but not enough, in my opinion, detection."
Hurlbut, president of Hurlbut Consulting, urged ASP.NET developers to get into the habit of instrumenting their applications. This means adding management events, performance counters and trace information. On top of monitoring security, Hurlbut said this helps illustrate an application's performance and availability.
Much of this can be done within ASP.NET 2.0's Health Monitoring Framework. Implemented through Web Events, this framework instruments for both pre-defined and customized events related to security, performance, failures and other anomalies, Hurlbut said.
Default security and audit Web events look for problems such as authentication failures, invalid view states, unauthorized access attempts and runtime errors. Non-default events include forms authentication events and application lifetime events, the latter of which check for startup and shutdown denial-of-service attacks.
Developers can also create custom instrumenting events. Hurlbut cautioned the audience against writing events that save sensitive data like credit card numbers or passwords. "Be very careful and diligent," he said. "You may not be the only person who has an opportunity to view that log file. Don't take that chance."
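One shape such a custom event can take, written here as an added illustration rather than code shown at the session: a failure-audit Web event for rejected logins that records the attempted user name and client address but deliberately never the password. The namespace, class names and the `LoginForm` control ID are assumed.

```csharp
using System;
using System.Web;
using System.Web.Management;
using System.Web.UI.WebControls;

namespace MyApp.Instrumentation   // hypothetical namespace
{
    // Custom failure-audit event for a rejected login attempt. It carries only
    // the attempted user name and the client address; the submitted password is
    // never captured, so the log file cannot leak it to whoever reads it.
    public class LoginFailureEvent : WebFailureAuditEvent
    {
        // Custom event codes must be greater than WebEventCodes.WebExtendedBase.
        public const int EventCodeLoginFailure = WebEventCodes.WebExtendedBase + 1;

        private readonly string _userName;
        private readonly string _clientAddress;

        public LoginFailureEvent(string message, object source,
                                 string userName, string clientAddress)
            : base(message, source, EventCodeLoginFailure)
        {
            _userName = userName ?? string.Empty;
            _clientAddress = clientAddress ?? string.Empty;
        }

        // Extra fields are rendered by whichever provider the rule routes to
        // (event log, SQL table, WMI), alongside the standard audit details.
        public override void FormatCustomEventDetails(WebEventFormatter formatter)
        {
            base.FormatCustomEventDetails(formatter);
            formatter.AppendLine("Attempted user name: " + _userName);
            formatter.AppendLine("Client address: " + _clientAddress);
        }
    }

    // Code-behind for a page hosting <asp:Login ID="LoginForm" OnLoginError="LoginForm_LoginError" />.
    public partial class LoginPage : System.Web.UI.Page
    {
        protected void LoginForm_LoginError(object sender, EventArgs e)
        {
            // Raise the event; Health Monitoring applies the configured rules.
            new LoginFailureEvent("Login rejected", this,
                                  LoginForm.UserName,
                                  Request.UserHostAddress).Raise();
        }
    }
}
```

Because the class derives from WebFailureAuditEvent, it matches the built-in "Failure Audits" event mapping, so with health monitoring enabled and the default rule for that mapping in place it is written to the event log provider; a dedicated rule in web.config with a shorter minInterval lets every attempt through, which is what makes a run of failures against one account visible.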
Along with instrumenting, membership management gives ASP.NET developers tools for protecting their applications. The seven out-of-the-box membership controls in ASP.NET 2.0 provide a mechanism for creating an application's users, displaying log-in information and showing different content to different types of users.
At VSLive, Chris Kinsman, chief architect at Vertafore, showed developers how to use and deploy these controls and how they can be configured for greater security.
The PasswordRecovery control, for example, can present users with a "security question" if they forget their password. On the other hand, if a one-way hash has been established for storing and retrieving passwords, then this control will automatically reset a user's password, Kinsman said.
In addition, the CreateUserWizard can be set up to either automatically generate passwords or to enforce password complexity. In the latter case, Kinsman said, developers should go to their machine.config file, grab the expression that enforces the password complexity algorithm and enable it for the Web application in question.