DevSmart

Making a Build

A review of Vincent Maraia's book on the best practices for Microsoft's software configuration.

The new buzz in Web development is AJAX (Asynchronous JavaScript and XML) -- an abstract collection of Web technologies that enables developers to create richer, more user-friendly sites. AJAX is cool. But it can also be a portal to pernicious security vulnerabilities. The task of identifying and thwarting these security threats is concisely addressed in Jason Schmitt's "Secure ASP.NET AJAX Development."

Written by a Web developer for Web developers (Schmitt is group product manager for SPI Dynamics-a Web application security assessment and testing firm), this book is served up as a Digital Short Cut. A 93-page PDF document from a series that, according to the publisher, "... is tightly focused on a specific technology or technical problem," and "designed specifically for busy technical professionals like you." It delivers on both counts.

More Than Microsoft
As the title suggests, the book is geared toward securing Web 2.0 applications running Microsoft ASP.NET AJAX (formerly code-named "Atlas"; version 1 was released last month). However, many of the concerns are relevant to any developer using an AJAX-enabled approach. Divided into four sections, Schmitt begins with a nice overview of AJAX concepts, script libraries (Yahoo! User Interface Library, the Dojo JavaScript toolkit and the Prototype JavaScript Framework), code generators (Google Web Toolkit) and application frameworks, including a good explanation of the history of Atlas and its evolution into ASP.NET AJAX. His explanations are concise and illustrated where appropriate.

Highlights
  • AJAX implementations and frameworks
  • Microsoft Atlas and AJAX
  • Risks introduced by AJAX
  • Securing ASP.NET AJAX
  • ASP.NET AJAX security testing

    Addison-Wesley
    (www.awprofessional.com)
    ISBN-10: 0-321-49810-0
    ISBN-13: 978-0-321-49810-6
    He then devotes his attention to detailing the security pitfalls of AJAX and how the introduction of AJAX into even a previously secure Web application can result in dire security risks for both the server and client. Tactics such as cross-site scripting, cross-site request forgery, SQL/XML injection and XML bombing are scary. Coupled with the advent of cross-domain requests on "mashup" sites that aggregate content and the ever-growing tide of Service-Oriented Architectures (SOAs) that rely on AJAX, all of these approaches expose security risks that should make any Web developer tremble.

    In the third section, Schmitt offers practical principles for securing your ASP.NET AJAX Web application from the very threats described in the previous section. This is the heart of the book. Each principle is described and further clarified through short examples of C# code. This is clearly targeted at those who develop on the ASP.NET platform, and he offers some nifty ways to leverage the security features of ASP.NET for AJAX. A fair level of programming expertise is assumed and the approach is not so much how-to-do as a what-you-should-do.

    Last, there's a brief but invaluable section on ASP.NET AJAX security testing, replete with testing tools for threat modeling, proxies and code analysis. There's also a chart summarizing each security principle and the protection it provides, plus a handy security check list-resources that should be part of any savvy Web developer's arsenal.

    Schmitt writes with a direct, no-nonsense voice: "No matter how you try to obscure your markup or client-side scripting, it is absolutely vulnerable to reverse engineering and manipulation-without exception." He can also drive home some oft over-looked facts about AJAX. To wit, "... your users have to have JavaScript enabled in their browsers for your AJAX application to work."

    Digital Downside
    There are a few grumbles with the PDF. One of the nice features of the format is embedded links. One click whets your curiosity. No laborious replication of the printed link into the browser's address bar is required. This e-book makes nice use of this feature in the URLs of the notes. However, there are several places in the text where a hyperlink would be welcome. For example, under both "Security Testing Tools" and "Code Analysis Tools" the text offers up several resources, all unlinked. Sure, a quick copy-and-paste of the names into a search engine will get you to the tool, but just as quick is the PDF's caveat: "You may copy 8 [7, 6, 5 ...] selections in this document in the next 30 days. Would you like to continue?" Very annoying, especially if you want to copy some of the code snippets, too.

    This limit on copies is only evident in the PDF purchased from the Addison-Wesley Web site. If you download it from Safari Books Online you can cut-and-paste at will. However, the book has a portrait format, whereas the one from the publisher's site is in much more readable landscape format. At present it is not available from Amazon.com.

    These are minor annoyances. It is the content that matters. So, for the price of a couple of venti lattes, download this book. It's an interesting read and, it offers practical advice on how to make your ASP.NET AJAX Web applications more secure.

    About the Author

    Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.

    comments powered by Disqus

    Featured

    • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

      The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

    • Diving Deep into .NET MAUI

      Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

    • Copilot AI Boosts Abound in New VS Code v1.96

      Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

    • AdaBoost Regression Using C#

      Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

    • Versioning and Documenting ASP.NET Core Services

      Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

    Subscribe on YouTube