9 Security


This chapter covers

  • Threat modeling
  • Configuring HTTPS to protect requests
  • Checking for SQL injection vulnerabilities
  • Accessing secrets safely
  • Authenticating HTTP requests with tokens
  • Authorizing access to resources

Most of the software you’ll write will be connected to the internet in some way. We’ve all seen the high-profile data breaches in the news. Even password managers (which you could reasonably expect to be secure) have been compromised. A breach could cost your company not only in reputation and lost customers, but also in ransom money. Although it’s impossible to make an application 100 percent secure, you can take a few straightforward approaches to make it harder for attackers to compromise it.

Security in IT is like locking your house or car. It doesn’t stop the bad guys, but if it’s good enough, they may move on to an easier target.

—Paul Herbka, cybersecurity expert

9.1 Securing applications

A framework or library isn’t going to make your application secure. The topic of security is too vast for this book, but I’ll cover some of the basics. It’s helpful to start with an existing application, explore some of its vulnerabilities, and apply the tools and techniques available in .NET.

9.2 Threat modeling

9.3 Setting up HTTPS

9.4 Checking for SQL injection vulnerability

9.4.1 Adding an interceptor

9.4.2 Configuring the connection string safely

9.5 ASP.NET Core Identity

9.5.1 Setting up Microsoft authentication

9.5.2 Authenticating with Swagger UI

9.6 Authorization

Summary