An Introduction to ASP .NET 2.0 Security

An Article by Denim Group’s CTO, Dan Cornell

ASP.NET 2.0 was released last month in conjunction with Visual Studio 2005. A key goal of this release was to reduce the amount of code required for the average web application by 60 to 70 percent and consequently reduce development time, defect counts and the cost of building web-based applications.

Much of the improvement in the 2.0 release comes from reduced code required to implement security controls. With older versions, developers had to write and rewrite code for mundane security functions with every application. Code for these standard functions could account for up to 60 or 70 percent of the code for an entire application. Aside from the time and cost involved, manually writing security code meant a higher probability of error and security flaws.

Microsoft recognized this problem and accounted for it with built-in security features in ASP.NET 2.0. These features save developers time and also help the developer to write more inherently secure code. New security features include built-in platform controls for implementing Forms Authentication and authorization, multiple independent barriers to secure database access, and .NET assemblies allowing easy access to powerful Windows encryption capabilities for data protection.

Authentication and Authorization

While .NET has always provided Form Authentication capabilities to identify users attempting to log in to a secure domain, developers had to write a majority of the implementation code themselves – a tedious and time-consuming activity. With ASP.NET 2.0, Forms Authentication has been simplified with a number of built-in controls that allow developers to quickly implement authentication and authorization features and focus their attention on critical business logic instead.

These controls have extensive built-in capabilities. They have default implementations that use either Microsoft Access or Microsoft SQL Server, giving developers a high degree of flexibility out of the box. They have multiple extension points so that custom configurations can be handled with a minimum of custom code. To make building common user areas of sites easier, controls are available for logging users in, logging users out, creating new users and recovering or resetting passwords. To make building administrative interfaces easier, ASP.NET 2.0 provides controls for role management. A new web-based web.config editor makes it straightforward for developers to control settings in the web.config file – a task that has traditionally required the manual editing of XML configuration files.

Database Access

Database connection strings and other configuration information have traditionally been difficult to secure. If developers put connection strings in the code, they can be difficult to change. If developers put them in a web-based configuration file, they become less secure because the database login configuration can be exposed to external entities during attacks on the web site. ASP.NET 2.0 makes it possible to store connection strings in the primary .NET configuration file that should only be accessed by internal users with full server access. These connection strings can then be referenced by a nickname in web application code, helping to protect the actual connection strings from exposure.

Also new to ASP.NET 2.0, full sections of XML configuration files can be automatically encrypted to protect connection strings and other sensitive data. With older versions, developers had to implement encryption schemes such as this manually, making them error-prone and requiring extensive custom coding.

Data Protection

Personal privacy protection is at the forefront of many organizations’ priorities with new legislation, such as HIPPA, California Senate Bill 1386 and Sarbanes-Oxley, requiring that companies protect customer and transaction data. To help companies stay in compliance with this new legislation, ASP.NET 2.0 simplifies the process of restricting access to sensitive data with built-in, easily-accessible data encryption capabilities.

Previously developers had to write code to bridge the .NET platform and Windows’ built-in Data Protection API (DPAPI) – a powerful feature of the Windows platform allowing for straightforward encryption and decryption of sensitive data. In .NET 2.0, .NET assemblies for this function are available natively in the platform providing easy access to the Data Protection API and to powerful Windows encryption capabilities. Industry standard encryption routines such as AES are still available in the System.Security.Cryptography namespace with security and performance enhancements.

ASP .NET 2.0 Allows for More Inherently Secure Applications

ASP.NET 2.0 allows developers to focus on building valuable business logic rather than mechanical plumbing code. Instead of writing code to address the infrastructure problems in an application, developers can write code to address solutions to business problems. This added value is enhanced by the security made available to applications by the rich set of components and features provided by ASP.NET 2.0.

These security capabilities are new or greatly enhanced in version 2.0 of the platform, and it is not uncommon that bugs or vulnerabilities would exist in applications written with previous versions of the framework. Organizations with applications developed with older versions of ASP.NET, may want to consider having the security of applications assessed by developers familiar with secure design and coding techniques to determine their exposure. If vulnerabilities and insecurities are discovered, an upgrade to ASP.NET 2.0 may help to resolve certain issues. Organizations building new applications should certainly consider the ASP.NET 2.0 platform versus alternatives in order to take advantage of the increased security capabilities and decreased custom-coding requirements.

Read a technical white paper on ASP.NET 2.0 security enhancements

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.