This guide presents a practical, scenario driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization and secure communication within and across the tiers of distributed .NET Web applications.

Free Ebook on ASP.NET Security: Building Secure ASP.NET Applications »Authentication, Authorization, and Secure Communication.pdf

If you already know how to build secure applications, are you able to apply what you know when you build .NET Web applications? Are you able to apply your knowledge in today's landscape of Web-based distributed applications, where Web services connect businesses to other business and business to customers and where applications offer various degrees of exposure; for example, to users on intranets,extranets, and the Internet?

Consider some of the fundamental characteristics of this connected landscape:

• Web services use standards such as SOAP, Extensible Markup Language (XML), and Hypertext Transport Protocol (HTTP), but fundamentally they pass potentially sensitive information using plain text.
• Internet business-to-consumer applications pass sensitive data over the Web.
• Extranet business-to-business applications blur the lines of trust and allow applications to be called by other applications in partner companies.
• Intranet applications are not without their risks considering the sensitive nature of payroll and Human Resource (HR) applications. Such applications are particularly vulnerable to rogue administrators and disgruntled employees........more

This guide is not an introduction to security. It is not a security reference for the Microsoft .NET Framework - for that you have the .NET Framework Software Development Kit (SDK) available from MSDN, see the "References" section of this guide for details. This guide picks up where the documentation leaves off and presents a scenario-based approach to sharing recommendations and proven techniques, as gleaned from the field, customer experience, and insight from the product teams at Microsoft.

The information in this guide is designed to show you how to:

• Raise the security bar for your application.
• Identify where and how you need to perform authentication.
• Identify where and how you need to perform authorization.
• Identify where and how you need to secure communication both to your application (from your end users) and between application tiers.
• Identify common pitfalls and how to avoid them.
• Identify top risks and their mitigation related to authentication and authorization.
• Avoid opening up security just to make things work.
• Identify not only how, but also when to use various security features.
• Eliminate FUD (fear, uncertainty, and doubt).
• Promote best practices and predictable results.