Made a rather complex Asp.Net Core (2) App for a NGO, deployed on Azure, do we need WAF?
Thanks for your answer(s).
(Got the idea that most providers offer it for free. Money is a bit of an issue for the NGO).
I'm afraid your question is not suitable for StackOverflow, since in my view it is not a technical coding issue. The Information Security forum is better suited to your needs, I think.
However, to reduce the cost of using specific security services or features such as a WAF, you can implement some simple features directly by using Filters in ASP.NET Core as simple security middleware for your app, or search GitHub for open-source components whose features satisfy your needs and integrate them into your app.
As references, there are two GitHub repos which you can refer to.
dustinmoris/Firewall
saineshwar/Secure-ASP.NET-Core-MVC-Application
Hope it helps.
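As an added illustration of the "simple security middleware" idea above (this is example code, not from the answer or from either linked repository): a small ASP.NET Core middleware that performs three cheap WAF-style checks. The class name, the `/admin` path and the allow-listed address are assumptions.

```csharp
// Added example: minimal request guard for an ASP.NET Core 2 app without a managed WAF.
// Names (BasicRequestGuardMiddleware, /admin, the sample IP) are hypothetical.
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class BasicRequestGuardMiddleware
{
    private readonly RequestDelegate _next;
    private readonly HashSet<IPAddress> _adminAllowList;
    private const long MaxBodyBytes = 1_000_000; // 1 MB cap on request bodies

    public BasicRequestGuardMiddleware(RequestDelegate next, IEnumerable<string> adminAllowList)
    {
        _next = next;
        _adminAllowList = new HashSet<IPAddress>();
        foreach (var s in adminAllowList) _adminAllowList.Add(IPAddress.Parse(s));
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        // 1. Restrict the admin area to known source addresses. Behind Azure's
        //    load balancer, enable ForwardedHeaders first so RemoteIpAddress is real.
        if (ctx.Request.Path.StartsWithSegments("/admin") &&
            !(ctx.Connection.RemoteIpAddress is IPAddress ip && _adminAllowList.Contains(ip)))
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        // 2. Reject oversized bodies before model binding ever reads them.
        if (ctx.Request.ContentLength > MaxBodyBytes)
        {
            ctx.Response.StatusCode = StatusCodes.Status413PayloadTooLarge;
            return;
        }
        // 3. Attach baseline hardening headers to every response.
        ctx.Response.OnStarting(() =>
        {
            ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
            ctx.Response.Headers["X-Frame-Options"] = "DENY";
            ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
            return Task.CompletedTask;
        });
        await _next(ctx);
    }
}

// In Startup.Configure, register it before UseMvc():
// app.UseMiddleware<BasicRequestGuardMiddleware>(new[] { "203.0.113.10" });
```

This covers only the cheapest checks; a managed WAF still adds rule sets, rate limiting and logging that a few lines of middleware cannot.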
Related
I need some information. I'm new to developing web applications. I should use PHP and JavaScript, but it's possible that in the future I could use other languages like Java. These days I'm following a course on best practices for writing secure code.
Is there any guide, book or other valid resource where I can find an explanation of the different kinds of attacks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
The company has created a cloud solution, but some of the customers require the app to be hosted on their infrastructure, which might lead to some serious security threats such as decompiling the code.
The web application uses dynamic frameworks such as Spring, JPA, Struts and DWR, which makes obfuscation really difficult (I tried using ProGuard).
Is obfuscation the only solution? Is it even worthwhile? Any opinion would be helpful.
The easiest (and pretty standard) thing would be to make it part of the license agreement that they may not reverse engineer or otherwise mess with your software. This assumes that you trust your business partners to keep a contract (which one could argue is a prerequisite to doing business with them in the first place).
Is obfuscation the only solution? Is it even worthwhile?
You could refuse to deploy the code to customers if you cannot trust them.
Whether treating your clients that way is necessary is up to you to decide. I would assume that they have better things to do than try to rip you off. But if you are so worried about it, a pure ASP model (code never leaves your servers) seems the only solution for you.
As an alternative you could deploy your service in the form of a closed virtual appliance as suggested in What are the problems of deploying an application in a virtual machine file?
We're trying to implement the Gatekeeper design pattern as recommended in Microsoft Security Best Practices for Azure, but I'm having some trouble determining how to do that.
To give some background on the project, we're taking an already developed website using the traditional layered approach (presentation, business, data, etc.) and converting it over to use Azure. The client would like some added security built around this process since it will now be in the cloud.
The initial suggestion to handle this was to use Queues and have worker roles process requests entered into the queue. Some of the concerns we've come across are how to properly serialize the objects and include what methods we need run on that object as well as the latency inherent in such an approach.
We've also looked at setting up some WCF services in the Worker Role, but I'm having a little trouble wrapping my head around how exactly to handle this. (In addition to this being my first Azure project, this would also be my first attempt at WCF.) We'd run into the same issue with object serialization here.
Another thought was to set up some web services in another web role, but that seems to open the same security issue since we won't be able to perform IP-based security on the request.
I've searched and searched but haven't really found any samples that do what we're trying to do (or I didn't recognize them as doing so). Can anyone provide some guidance with code samples? Thanks.
Please do not take this the wrong way, but it sounds like you are in danger of over-engineering a solution based on the "requirement" that 'the client would like some added security'. The gatekeeper pattern that is described on page 13 of the Security Best Practices For Developing Windows Azure Applications document is a very big gun which you should only fire at large targets, i.e., scenarios where you actually need hardened applications storing highly sensitive data. Building something like this will potentially cost a lot of time & performance, so make sure you weigh the pros & cons thoroughly.
Have you considered leveraging SQL Azure firewall as an additional (and possibly acceptable) security measure? You can specify access on an IP address level and even configure it programmatically through stored procedures. You can block all external access to your database, making your Azure application (web/worker roles) the only "client" that is allowed to gain access.
To answer one of your questions specifically, you can secure access to a WCF service using X.509 certificates and implement message security; if you also need an SSL connection to protect data in transit you would need to use both message and transport security. It's not the simplest thing on earth, but it's possible. You can make it so only the servers that have the correct certificate can make the WCF request. Take a look at this thread for more details and a few more pointers: http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/1f77046b-82a1-48c4-bb0d-23993027932a
Also, WCF makes it easy to exchange objects as long as you mark them Serializable. So making WCF calls would dramatically simplify how you exchange objects back and forth with your client(s).
I have implemented some pages for my webproject. However, now I would like to add security.
I will have a couple of roles, like admin, user and others, and some pages shall only be accessible to the admins, some to the users, and so on.
If it's interesting, I'm using Hibernate for the database. I plan to store the roles and users in the database.
Can you help me by telling me the best practice (if any) for a scalable solution for implementing the security in my web project? Links, books or a good example would be very much appreciated =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW, which IDE are you using?
You can undoubtedly visit the OWASP web site. The OWASP web site provides you with every bit of information about the potential security attacks/threats to a web application.
The website will provide you with all the information related to a particular attack/threat and also the possible solution to avoid the threat.
You can even download the ESAPI jar provided by OWASP, which provides an ample amount of functionality to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also, you can store the names of the modules or the URLs in the DB and have a mapping between roles and modules. Based on the role of the user you can fetch the modules and display the respective modules to the user.
You can further visit this link for some more details on when to use Shiro and when to use ESAPI.
Apache Shiro & Java Security for Novices
But I am sure that after going through the ESAPI web site and a few days of studying security attacks you can easily use ESAPI to provide enhanced security features for your web application.
Are there any tools that go beyond requiring deep and intimate knowledge of every configuration option and nuance and will just set up an application with a minimum of inputs? Something like a wizard that produces the XML configuration based on those simple inputs. I don't care about security; I just need the service to work. Ideally the tool would be able to set up IIS6 as well, or at least, with a given set of options, it would produce a list of steps I needed to complete in IIS.
The Microsoft Service Configuration Editor is no better than direct editing of the XML. I did find a web site that has the right idea, but it wasn't able to solve my simple installation. (http://www.noemax.com/support/wcf_binding_configuration_wizard.html).
Is there anything out there that puts some convention into play over this mountain of configuration?
WCF configuration can look very daunting at first, indeed! I like that configuration wizard you linked to - why wasn't it good enough for you?
I don't know of any tool right now that would solve your problem and help you figure out the proper configuration - it really boils down to learning the ropes and getting to know the ins and outs of it, I'm afraid.
Basically, what I've learned is: don't even start to imagine all the things you could do - try to focus on what you should do (and what you need).
Really, it boils down to about five scenarios as outlined in the excellent book "Programming WCF" by Juval Lowy:
intranet apps (use the NetTcp binding, Windows security)
internet apps (use the wsHttp binding if ever possible, username/pwd or certificates for security)
business-to-business apps (use whatever binding makes sense, secure by certificates)
queue message delivery (MSMQ)
no-security apps (legacy ASMX support, interop with "dumb" webservice clients)
Basically, pick the one you need, and from there, you're pretty much set as to what to do and how to do it. I would definitely recommend checking out Juval's book - excellent excellent resource!
So the question is: which category does your app fit in? Based on that, you can pretty much determine all that's needed from there.
Also, I watched two screencasts that really helped me get over the heaps of configuration options in WCF, and focus on what's really important:
Extreme WCF with Miguel Castro
Demystifying WCF with Keith Elder
Both gave me a good feel for what configuration is really needed - and what is just fluff.
Hope that helps some!
Marc