Getting Started with Security in .NET and Windows Azure
I had someone ask me recently about how to improve the security awareness of their organization. This article is meant to serve as a starting point when developing applications using the .NET Framework and Windows Azure and is in no way intended to be an exhaustive list.
My personal feeling on the subject is that it is virtually impossible for any single developer (or development team) to be 100% security compliant when developing a product. The technical security landscape simply moves too quickly to reasonably expect developers to be aware of all security threats that currently exist.
That being said, developers and managers should keep themselves up-to-speed as best they can on the most common best practices and techniques in writing secure software in addition to implementing the most up-to-date versions of their development frameworks. After that, a solid security analytics tool can be used to flesh out any security risks that were introduced due to human error or poor development practices.
The following links should help build a solid understanding of the current trends and best-practices when developing on the Microsoft stack.
I think this is the single most important article to read in the list. It contains practical insight and advice that can be used today on any software project no matter what stage it is in. The basic idea is to operate with the understanding that you can’t (and shouldn’t) trust your users to behave themselves when using your system. This method of thinking is the foundation to all defensive programming, it allows developers to focus on the implications of programming and design decisions that are made in areas of the system that can potentially be attacked.
The security tips outlined in this article work in the same way as locking your doors every time you leave your house does, it provides just enough security to keep honest people honest and to motivate convenience criminals to look elsewhere. However, if someone really wants to break in when you’re gone, they will, a deadbolt won’t be enough to deter them.
The Security Development Lifecycle provides valuable insight on how to build security into your project form the very beginning stages all the way through to deployment. The ideas here are focused more on the organizational level and would be difficult to implement on an existing project. If you are interested in exploring this further, the SDL website has several training materials as well as a free utility that can help a software team get started with the SDL.
The .NET Framework provides several different types of security models and features to address the various needs of any given application. This article provides a conceptual overview of the .NET Framework’s most common security features and helps build a solid security-minded foundation.
On a traditional on-premise software solution, your entire product can reside on a single server behind a firewall. This drastically simplifies the implementation and management of security related requirements.
In the cloud, however, it is virtually impossible for your entire application to live in a single virtual-instance. Cloud based solutions inherently expose more low-level pieces of your application to the outside world (surface area) due to the increased number of end-points required to maintain a complete software system. That being said, additional security considerations should be made when developing software that will be hosted in the cloud.
Penetration Testing tools simulate various attacks on a software system from both inside and outside a given network. During the test, security issues can be uncovered and it is the responsibility of the organization to respond accordingly. Penetration tests should be run on a continuous basis to ensure the timely discovery of new security vulnerabilities.
There are companies that will perform penetration tests for you, or you can conduct them yourself using one of several tools available.
Static analysis tools crawl through your code and attempt to uncover security vulnerabilities that were inadvertently (or otherwise) introduced during development. These tools are extremely valuable because they can uncover potential issues early on in the development of a software system. This allows vulnerabilities to be removed before the finished product is available to the public. Preventative development can save a great deal of headache and embarrassment in the future.
FxCop is the most commonly used static code analysis tool for .NET. In addition to security profiling, FxCop will also perform various other types of static analysis on a codebase to ensure the software is of the highest quality possible.
Security is difficult and scary. No matter how much planning and preperation you put into the security of your system, you will invariably end up missing something. The information and links above are meant to be tools in your crusade to develop secure systems that your users can trust.
I hope these links provide you some helpful and practical information and if you feel like this list can be improved feel free to let me know.