Q&A with Brock Allen: Top Tips for Securing ASP.NET Core

ASP.NET Core brings many cutting-edge approaches to building Web applications, with updates to the security architecture being especially important in the modern framework.

To help developers get up to speed on the main components in ASP.NET Core for securing Web applications and Web APIs, security expert Brock Allen will present a session titled "Modern Security Architecture for ASP.NET Core" at the September 17-20 Visual Studio Live! conference in Chicago.

To share more expert security insights from Allen in advance of the conference, we recently quizzed him about his top tips for securing ASP.NET Core, including his No. 1 top architecture tip and the worst thing any developer can do to make ASP.NET Core insecure.

What are the top challenges of securing ASP.NET Core (being that it's cross-platform and open source) vs. ASP.NET?
It's actually a pleasure to build security solutions in ASP.NET Core as compared to ASP.NET. The main reason is that it's a much more modern platform, and thus it's positioned to accommodate modern security design patterns. The older ASP.NET framework did not really have as many investments in modern security, so if you do need to layer modern security on those older applications, then they often require additional and specialized effort to ensure they're protected properly.

Is there anything about it being open source and cross platform that makes it easier to secure in an enterprise vs. ASP.NET?
Perhaps not an aspect of it being open source, but the release cadence that the ASP.NET Core team is taking is making it a challenge for enterprises to keep up with the latest and greatest features and changes being introduced into ASP.NET Core. Obviously, the intent of these frequent releases and changes is to improve the product, but enterprises often have a hard time keeping up. For example, in the brief history of ASP.NET Core, the authentication system went through a complete overhaul from version 1 to version 2.

What features of ASP.NET Core help ensure middleware authentication will work well?
As mentioned in the previous question, the authentication system went through an overhaul in ASP.NET Core 2. This rework allowed for a more flexible (albeit more complicated) architecture. Basically, prior to ASP.NET Core 2 there were separate middlewares for each type of authentication (cookies, Google, Facebook, OpenID Connect, JWT bearer and so on), and they didn't coordinate well with one another. In ASP.NET Core 2, the system was reworked to only have a single authentication middleware, and it coordinates the handlers that perform the specific types of authentication (cookies, Google, OpenID Connect and so on). Perhaps the discussion is a bit pedantic, but all in all, it is a better design.

What is your No. 1 top architecture tip for securing ASP.NET Core?
Look into OpenID Connect and OAuth2 -- they are the fundamental building blocks of modern application security. They enable single sign-on and allow all modern application types to securely call Web APIs. You should be building your security architecture around the security patterns that these protocols enable. It's how all modern Web apps, SPAs and mobile apps do security these days.
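The two answers above describe the ASP.NET Core 2 design (one authentication middleware coordinating per-protocol handlers) and the recommendation to build on OpenID Connect and OAuth2. The following Startup class is an added example written for this article, not code from Brock Allen, IdentityServer or the ASP.NET team; it shows the single middleware fronting three handlers (cookie, OpenID Connect, JWT bearer), with the browser pages using the cookie and OpenID Connect defaults and the API opting into bearer tokens explicitly. The authority URL, client id, secret and scope/audience name are placeholders.

```csharp
// Added example for this article: ASP.NET Core 2.x Startup wiring the single
// authentication middleware to three handlers. Authority, client id, secret and
// the "api1" scope/audience are placeholders, not values from any real deployment.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // One AddAuthentication call registers the single middleware and tells it
        // which handler answers "who is the user?" (DefaultScheme) and which one
        // runs when an anonymous user hits a protected page (DefaultChallengeScheme).
        // The protocol-specific handlers are chained behind it.
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        // Cookie handler: holds the browser session after OpenID Connect sign-in.
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        })
        // OpenID Connect handler: redirects to the identity provider for single sign-on.
        // Its sign-in result is persisted through the default (cookie) scheme.
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://idp.example.test";        // placeholder identity provider
            options.ClientId = "web-app";                           // placeholder client id
            options.ClientSecret = "<client-secret-from-config>";   // placeholder: load from configuration, never source
            options.ResponseType = "code";
            options.SaveTokens = true;                              // keep tokens for calling the API later
            options.Scope.Add("api1");                              // placeholder API scope
        })
        // JWT bearer handler: validates access tokens presented by SPAs and mobile clients.
        .AddJwtBearer(options =>
        {
            options.Authority = "https://idp.example.test";        // same placeholder issuer
            options.Audience = "api1";                              // placeholder audience
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // The single authentication middleware must run before MVC so that
        // [Authorize] sees the authenticated principal on HttpContext.User.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Browser-facing controller: relies on the defaults (cookie identity,
// OpenID Connect challenge), so anonymous users are redirected to the provider.
[Authorize]
public class AccountController : Controller
{
    public IActionResult Profile() => Content("Signed in as " + User.Identity.Name);
}

// API controller: names the bearer scheme explicitly, so a missing or invalid
// token yields 401 instead of a redirect to the identity provider.
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class OrdersController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}
```

Two details worth checking in any real configuration built this way: the middleware order (UseAuthentication before UseMvc, or nothing downstream sees the principal), and which scheme each endpoint actually uses. Leaving the API on the defaults would make it redirect API callers to the login page instead of returning 401, which is the kind of handler mix-up the ASP.NET Core 2 rework was meant to make explicit.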

"Look into OpenID Connect and OAuth2 -- they are the fundamental building blocks of modern application security. They enable single sign-on and allow all modern application types to securely call Web APIs."

Brock Allen, Application Security Architect, Solliance

What role does IdentityServer play in securing ASP.NET Core?
IdentityServer is the de facto framework when your architecture requires a custom OpenID Connect and OAuth2 implementation, and as such it is recommended by the ASP.NET team. It allows you to design your single sign-on solution based on any requirements you have, and it allows any custom scenarios to authenticate to your Web APIs. It integrates well with ASP.NET Identity, or any other (possibly legacy) identity framework.

What is the No. 1 worst thing any developer can do to make ASP.NET Core insecure?
As with so many other topics these days, security is complicated and specialized. Therefore it's important to have someone on your team who is knowledgeable in the current security topics. Making assumptions and/or not having the proper guidance is potentially dangerous.

What else do you think every developer should know about security and ASP.NET Core?
Programming is hard. Security is harder.

About the Author

Becky Nagel is the former editorial director and director of Web for 1105 Media's Converge 360 group, and she now serves as vice president of AI for the company, specializing in developing media, events and training for companies around AI and generative AI technology. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. Find her on X/Twitter @beckynagel.
