وبلاگ بلیان

Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security, 2nd Edition

جلد کتاب Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security, 2nd Edition

معرفی کتاب «Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security, 2nd Edition» نوشتهٔ Athanasios Papoulis، S. Unnikrishna Pillai و SCOTT. NORBERG، منتشرشده توسط نشر Apress L. P. در سال 2024. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

Most .NET developers do not incorporate security best practices when creating websites. The problem? Even if you use all of the best practices that the ASP.NET team recommends, you are still falling short in several key areas due to issues within the framework itself. And most developers don’t use all of the best practices that are recommended. If you are interested in truly top-notch security, available sources don’t give you the information you need. Most blogs and other books simply state how to use the configurations within ASP.NET, but do not teach you security as understood by security professionals. Online code samples aren't much help because they are usually written by developers who aren’t incorporating security practices. This book solves those issues by teaching you security first, going over software best practices as understood by security professionals, not developers. Then it teaches you how security is implemented in ASP.NET. With that foundation, it dives into specific security-related functionality and discusses how to improve upon the default functionality with working code samples. And you will learn how security professionals build software security programs so you can continue building software security best practices into your own Secure Software Development Life Cycle (SSDLC). What You’ll Learn Know how both attackers and professional defenders approach web security Establish a baseline of security for understanding how to design more secure software Discern which attacks are easy to prevent, and which are more challenging, in ASP.NET Dig into ASP.NET source code to understand how the security services work Know how the new logging system in ASP.NET falls short of security needs Incorporate security into your software development process Who This Book Is For Software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers and security professionals who work with a development team that uses ASP.NET. To get the most out of this book, you should already have a basic understanding of web programming and ASP.NET, including creating new projects, creating pages, and using JavaScript. Topics That Are New to This Edition This edition has been updated with the following changes Best practices and code samples updated to reflect security-related changes in ASP.NET 8 Improved examples, including a fully-functional website incorporating security suggestions Best practices for securely using Large Language Models (LLMs) and AI Expansions and clarifications throughout Table of Contents About the Author About the Technical Reviewer Acknowledgments Introduction Chapter 1: Intro to Security What Is Security? The CIA Triad Confidentiality Integrity Nonrepudiation Availability Setting Priorities Term Definitions Vulnerability Threat Risk Exploit The Anatomy of an Attack Reconnaissance Penetrate Expand Hide Evidence Catching Attackers Detecting Possible Criminal Activity Detection and Privacy Issues Honeypots Enticement vs. Entrapment Types of Attacks Social Engineering Attacks Phishing and Spear-Phishing Pretexting Baiting Quid pro quo Reverse Social Engineering Brute Force Attacks Machine-in-the-Middle (MitM) Attacks Replay Attacks Attack Chaining Ransomware Primary vs. Compensating Controls Defense in Depth Zero Trust Organizations to Know International Organization for Standardization (ISO) National Institute of Standards and Technology (NIST) Standards and Regulations to Know PCI DSS (Payment Card Industry Data Security Standard) HIPAA (Health Insurance Portability and Accountability Act) GDPR (General Data Protection Regulation) Security vs. Compliance When Are You Secure Enough? Vulnerability Risk Scoring Common Vulnerability Scoring System (CVSS) Exploit Prediction Scoring System (EPSS) Summary Chapter 2: Software Security Overview Code Sourcing Third-Party Components Software Bill of Materials (SBOM) Zero-Day Attacks Example Code Online Secrets and Source Control Threat Modeling Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Authentication and Passwords Username/Password Forms Can Be Easy to Bypass Too Many Passwords Are Easy to Guess Credential Stuffing Attacks Multi-Factor Authentication Authorization Types of Access Control When Are You Secure Enough? Finding Sensitive Information User Experience and Security Other Security Concepts Security by Obscurity Secure by Default Fail Open vs. Fail Closed Summary Chapter 3: Web Security Making a Connection HTTPS, SSL, and TLS Connection Process Anatomy of a Request Anatomy of a Response Response Codes 1XX – Informational 100 Continue 101 Switching Protocols 2XX – Success 200 OK 3XX – Redirection 301 Moved Permanently 302 Found 303 See Other 307: Temporary Redirect 4XX – Client Errors 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 405 Method Not Allowed 5XX – Server Errors 500 Internal Server Error 502 Bad Gateway 503 Service Unavailable Headers Default ASP.NET Headers Cache-Control, Pragma, and Expires Server Set-Cookie Security Headers Easily Configured in ASP.NET Strict-Transport-Security Cache-Control Cross-Origin Resource Sharing (CORS) Security Headers Not in ASP.NET by Default X-Content-Type-Options X-Frame-Options X-XSS-Protection Content-Security-Policy Cross-Request Data Storage Cookies Cookie Scoping path samesite httponly Session Storage Hidden Fields HTML5 Storage Cross-Request Data Storage Summary Insecure Direct Object References Web Sockets WebAssembly (Wasm) Open Worldwide Application Security Project (OWASP) OWASP Top Ten Web Application Security Risks A01:2021-Broken Access Control A02:2021-Cryptographic Failures A03:2021-Injection A04:2021-Insecure Design A05:2021-Security Misconfiguration A06:2021-Vulnerable and Outdated Components A07:2021-Identification and Authentication Failures A08:2021-Software and Data Integrity Failures A09:2021-Security Logging and Monitoring Failures A10:2021-Server-Side Request Forgery How to Use the Top Ten Software Assurance Maturity Model (SAMM) Application Security Verification Standard (ASVS) OWASP Cheat Sheets Juice Shop Summary Chapter 4: Thinking Like a Hacker Burp Suite SQL Injection Union-Based Error-Based Boolean-based Blind Time-Based Blind Second-Order SQL Injection Summary Cross-Site Scripting (XSS) Bypassing XSS Defenses Bypassing Script Tag Filtering Img Tags, Iframes, and Other Elements Attribute-Based Attacks Hijacking DOM Manipulation JavaScript Framework Injection Third-Party Libraries Consequences of XSS Other Injection Types Cross-Site Request Forgery (CSRF) Bypassing Anti-CSRF Defenses Operating System Issues Directory Traversal Remote and Local File Inclusion OS Command Injection File Uploads and File Management Other Web Attacks Timing-Based Attacks Clickjacking Unvalidated Redirects Session Hijacking Mass Assignment/Overposting Value Shadowing XSS and Value Shadowing Server-Side Request Forgery (SSRF) Security Issues Mostly Fixed in ASP.NET Verb Tampering Response Splitting Parameter Pollution Business Logic Abuse Summary Chapter 5: Introduction to ASP.NET Core Security Middleware and Services Deeper Dive into Services Accessing Services How ASP.NET Handles Dependencies Configuration Filters Model Binding Binding Sources MVC vs. Razor Pages ASP.NET and APIs Kestrel and IIS Summary Chapter 6: Cryptography Symmetric Encryption Symmetric Encryption Types Symmetric Encryption Algorithms DES and Triple DES AES and Rijndael Problems with Block Encryption Symmetric Encryption in .NET Key Generation Creating an Encryption Service Symmetric Encryption Using Bouncy Castle Hashing Uses for Hashing Hash Salts Keyed Hashes (HMAC) Hash Algorithms MD5 SHA (or SHA-1) SHA-2 SHA-3 PBKDF2, bcrypt, and scrypt Hashing and Searches Hashing in .NET SHA-3 Hashing with Bouncy Castle Creating a Hashing .NET Service Asymmetric Encryption Digital Signatures Asymmetric Encryption in .NET Key Storage Don’t Create Your Own Algorithms Common Mistakes with Encryption Summary Chapter 7: Processing User Input Preventing XSS Encoding Encoding and JavaScript Frameworks CSP Headers Ads, Trackers, and XSS Validation Attributes Validating Your Models Validating File Uploads User Input and Retrieving Files Allow Lists and Deny Lists CSRF Protection ASP.NET CSRF Protection Deeper Dive Extending Anti-CSRF Checks with IAntiforgeryAdditional DataProvider CSRF and Unauthenticated Forms When CSRF Tokens Aren’t Enough Mass Assignment Mass Assignment and Scaffolded Code Preventing Spam Preventing SSRF Business Logic Abuse Summary Chapter 8: Data Access and Storage Before Entity Framework ADO.NET Stored Procedures and SQL Injection Third-Party ORMs Digging into the Entity Framework Running Ad Hoc Queries Principle of Least Privilege and Deploying Changes Simplifying Filtering Filtering Using Hard-Coded Subqueries Filtering Using Expressions Easy Data Conversion with the ValueConverter ValueConverters and Detecting Tampering Other Relational Databases Secure Database Design Use Multiple Connections Use Schemas Don’t Store Secrets with Data Avoid Using Built-In Database Encryption Test Database Backups Non-SQL Data Sources Summary Chapter 9: Authentication and Authorization Authentication Functionality Functionality Enabled Out of the Box Claim-Based Security Easy Authorization Checking Easy Multi-Factor Authentication Functionality Requiring Configuration Brute Force Password Attacks Protection Turning On User Lockouts Password Strength Password Hash Strength Authentication Token Expiration Missing Functionality Lack of Protection Against Username Leakage Stopping Credential Stuffing Protecting Login-Related PII Important Authentication Services SignInManager UserManager IUserStore IOptions Using External Providers Setting Up Something More Secure Upgrading the Hashing Algorithm Protecting Usernames Preventing Information Leakage Making Usernames Case Sensitive Protecting Against Credential Stuffing Fixing Authentication Token Expiration Changing the Default Login Page Modernizing Password Complexity Requirements Using Session for Authentication Authorization in ASP.NET Role-Based Authorization Using Policies RequireRole RequireClaim RequireAssertion RequireAuthenticatedUser RequireUserName Policies for MAC or DAC Access Controls Using IAuthorizationRequirement Using IActionFilter Summary Chapter 10: Advanced Web Security APIs and Microservices Choosing an Architecture Maximizing Availability Authentication and Authorization JWTs JWTs in .NET Server-to-Server Authentication Basic Authentication Tokens OAuth 2.0 Digital Signatures Input Validation Data Access Mass Assignment Information Leakage Swagger Files JavaScript Secrets and JavaScript JavaScript and XSS JavaScript and Input Validation Using JavaScript Frameworks CSRF New Technologies NoSQL Databases WebAssembly/Blazor Docker and Kubernetes Chatbots and AI Output Is Not Reliable Privacy Is Not Guaranteed Garbage In, Garbage Out Prompt Injection Summary Chapter 11: Logging and Error Handling New Logging in ASP.NET Core Where ASP.NET Core Logging Falls Short Logging Request Information Logging and Compliance Building a Better System Why Are We Logging Potential Security Events? Better Logging in Action Security Logging for Framework Events PII and Logging When Not to Log for Security Using Logging in Your Active Defenses Blocking Credential Stuffing with Logging Honeypots Log Injections Proper Error Handling Exception Handling via Middleware Importance of Catching Errors Summary Chapter 12: Setup and Configuration Setting Up Your Environment Web Server Security Keep Servers Separated Server Separation and Microservices A Note About Separation of Duties Storing Secrets Setting Up Headers HSTS Allow Only TLS 1.2 and TLS 1.3 Setting Up HSTS CORS CSP Cookies Setting Up Page-Specific Headers Third-Party Components Monitoring Vulnerabilities Deploying Your Code Secure Your Test Environment Summary Chapter 13: Secure Software Development Lifecycle (SSDLC) Traditional Security Tools Dynamic Application Security Testing (DAST) DAST Scanner Strengths DAST Scanner Weaknesses Differences Between DAST Scanners Static Application Security Testing (SAST) Final Notes About Free SAST Scanners Commercial SAST Scanners SAST Scanning and Roslyn Software Composition Analysis (SCA) Interactive Application Security Testing (IAST) Kali Linux Other Security Tools Application Security Posture Management (ASPM) Web Application Firewall (WAF) Runtime Application Self-Protection (RASP) Secret Scanning Integrating Tools into Your CI/CD Process CI/CD with DAST Scanners CI/CD with SAST scanners CI/CD with IAST scanners Catching Problems Manually Code Reviews and Refactoring Hiring a Penetration Tester Reconnaissance Scanning and Enumeration Gaining Access Maintaining Access Covering Tracks Inventory Management SBOM When to Fix Problems Getting Buy-In for Fixing Problems Learning More Summary Index
دانلود کتاب Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security, 2nd Edition