Making a Build
A review of Vincent Maraia's book on the best practices for Microsoft's software configuration.
Written by a Web developer for Web developers (Schmitt is group product manager for SPI Dynamics-a Web application security assessment and testing firm), this book is served up as a Digital Short Cut. A 93-page PDF document from a series that, according to the publisher, "... is tightly focused on a specific technology or technical problem," and "designed specifically for busy technical professionals like you." It delivers on both counts.
More Than Microsoft
||AJAX implementations and frameworks
||Microsoft Atlas and AJAX
||Risks introduced by AJAX
|| Securing ASP.NET AJAX
|| ASP.NET AJAX security testing
He then devotes his attention to detailing the security pitfalls of AJAX and how the introduction of AJAX into even a previously secure Web application can result in dire security risks for both the server and client. Tactics such as cross-site scripting, cross-site request forgery, SQL/XML injection and XML bombing are scary. Coupled with the advent of cross-domain requests on "mashup" sites that aggregate content and the ever-growing tide of Service-Oriented Architectures (SOAs) that rely on AJAX, all of these approaches expose security risks that should make any Web developer tremble.
In the third section, Schmitt offers practical principles for securing your ASP.NET AJAX Web application from the very threats described in the previous section. This is the heart of the book. Each principle is described and further clarified through short examples of C# code. This is clearly targeted at those who develop on the ASP.NET platform, and he offers some nifty ways to leverage the security features of ASP.NET for AJAX. A fair level of programming expertise is assumed and the approach is not so much how-to-do as a what-you-should-do.
Last, there's a brief but invaluable section on ASP.NET AJAX security testing, replete with testing tools for threat modeling, proxies and code analysis. There's also a chart summarizing each security principle and the protection it provides, plus a handy security check list-resources that should be part of any savvy Web developer's arsenal.
There are a few grumbles with the PDF. One of the nice features of the format is embedded links. One click whets your curiosity. No
laborious replication of the printed link into the browser's address bar is required. This e-book makes nice use of this feature in the URLs of the notes. However, there are several places in the text where a hyperlink would be welcome. For example, under both "Security Testing Tools" and "Code Analysis Tools" the text offers up several resources, all unlinked. Sure, a quick copy-and-paste of the names into a search engine will get you to the tool, but just as quick is the PDF's caveat: "You may copy 8 [7, 6, 5 ...] selections in this document in the next 30 days. Would you like to continue?" Very annoying, especially if you want to copy some of the code snippets, too.
This limit on copies is only evident in the PDF purchased from the Addison-Wesley Web site. If you download it from Safari Books Online you can cut-and-paste at will. However, the book has a portrait format, whereas the one from the publisher's site is in much more readable landscape format. At present it
is not available from Amazon.com.
These are minor annoyances. It is the content that matters. So, for the price of a couple of venti lattes, download this book. It's an interesting read and, it offers practical advice on how to make your ASP.NET AJAX Web applications more secure.
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.