News

Q&A with Brock Allen: Top Tips for Securing ASP.NET Core

• By Becky Nagel
• 07/09/2018

ASP.NET Core brings many cutting-edge approaches to building Web applications, with updates to the security architecture being especially important in the modern framework.

To help developers get up to speed on the main components in ASP.NET Core for securing Web applications and Web APIs, security expert Brock Allen will present a session titled "Modern Security Architecture for ASP.NET Core" at the September 17-20 Visual Studio Live! conference in Chicago.

To share more expert security insights from Allen in advance of the conference, we recently quizzed him about his top tips for securing ASP.NET Core, including his No. 1 top architecture tip and the worst thing any developer can do to make ASP.NET Core insecure.

What are the top challenges of securing ASP.NET Core (being that it's cross-platform and open source) vs. ASP.NET?
It's actually a pleasure to build security solutions in ASP.NET Core as compared to ASP.NET. The main reason is that it's a much more modern platform, and thus it's positioned to accommodate modern security design patterns. The older ASP.NET framework did not really have as many investments in modern security, so if you do need to layer modern security on those older applications, then they often require additional and specialized effort to ensure they're protected properly.

Is there anything about it being open source and cross platform that makes it easier to secure in an enterprise vs. ASP.NET?
Perhaps not an aspect of it being open source, but the release cadence that the ASP.NET Core team is taking is making it a challenge for enterprises to keep up with the latest and greatest features and changes being introduced into ASP.NET Core. Obviously, the intent of these frequent releases and changes is to improve the product, but enterprises often have a hard time keeping up. For example, in the brief history of ASP.NET Core, the authentication system went through a complete overhaul from version 1 to version 2.

What features of ASP.NET Core help ensure middleware authentication will work well?
As mentioned in the previous question, the authentication system went through an overhaul in ASP.NET Core 2. This rework allowed for a more flexible (albeit more complicated) architecture. Basically, prior to ASP.NET Core 2 there were separate middlewares for each type of authentication (cookies, Google, Facebook, OpenID Connect, JWT bearer and so on), and they didn't coordinate well with one another. In ASP.NET Core 2, the system was reworked to only have a single authentication middleware, and it coordinates the handlers that perform the specific types of authentication (cookies, Google, OpenID Connect and so on). Perhaps the discussion is a bit pedantic, but all in all, it is a better design.

What is your No. 1 top architecture tip for securing ASP.NET Core?
Look into OpenID Connect and OAuth2 -- they are the fundamental building blocks of modern application security. They enable single sign-on and allow all modern application types to securely call Web APIs. You should be building your security architecture around the security patterns that these protocols enable. It's how all modern Web apps, SPAs and mobile apps do security these days.

What role does IdentityServer play in securing ASP.NET Core?
IdentityServer is the de-facto framework when your architecture requires a custom OpenID Connect and OAuth2 implementation, and as such it is recommended by the ASP.NET team. It allows you to design your single sign-on solution based on any requirements you have, and it allows any custom scenarios to authenticate to your web APIs. It integrates well with ASP.NET Identity, or any other (possibly legacy) identity framework.

What is the No. 1 worst thing any developer can do to make ASP.NET Core insecure?
As with so many other topics these days, security is complicated and specialized. Therefore it's important to have someone on your team who is knowledgeable in the current security topics. Making assumptions and/or not having the proper guidance is potentially dangerous.

What else do you think every developer should know about security and ASP.NET Core?
Programming is hard. Security is harder.