ASP.NET 2.0 Internet Security Reference Implementation

The ASP.NET 2.0 Internet Security Reference Implementation is a sample application complete with code and guidance. Our purpose was to show patterns & practices security guidance in the context of an application scenario. We used Pet Shop 4 as the baseline application and tailored it for an Internet-facing scenario. The application uses forms authentication, with users and roles stored in SQL.

Home Page/Download

3 Parts
The reference implementation contains 3 parts:

  1. VS 2005 Solution and Code 
  2. Reference Implementation Document
  3. Scenario and Solution Document 

The purpose of each part is as follows:

  1. VS 2005 Solution and Code - includes the Visual Studio 2005 solution, the reference implementation doc, and the scenario and solution doc.
  2. Reference Implementation Document (ASP.NET 2.0 Internet Security Reference Implementation.doc) - is the reference implementation walkthrough document containing implementation details and the key decisions we made along the way. Use this document as a fast entry point into the relevant decisions and code.
  3. Scenario and Solution Document (Scenario and Solution - Forms Auth to SQL, Roles in SQL.doc) - is the more general scenario and solution document containing key decisions that apply to all applications in this scenario.

Key Engineering Decisions Addressed
We grouped the key problems into the following buckets:

  • Authentication
  • Authorization
  • Input and Data Validation
  • Data Access
  • Exception Management
  • Sensitive Data
  • Auditing and Logging

These are actionable, potentially high-risk categories. These buckets represent some of the more important security decisions you need to make, decisions that can have a substantial impact on your design. Using these buckets made it easier both to review the key security decisions and to present them for fast consumption.
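To make the buckets concrete, here is an added example of how several of them surface in an ASP.NET 2.0 web.config for the scenario described above (forms authentication, users and roles in SQL). This is illustrative configuration written for this page, not the reference implementation's own web.config; the connection string name PetShopMembership, the database server name, and the page names Login.aspx and Error.aspx are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example for the forms-auth / SQL users-and-roles scenario.
     Not the reference implementation's own config. The connection string
     name, server name and page names below are assumed. -->
<configuration>
  <connectionStrings>
    <!-- Assumed name; points at a membership database provisioned with aspnet_regsql. -->
    <add name="PetShopMembership"
         connectionString="Data Source=DBSERVER;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- Authentication: forms auth, ticket encrypted and signed, cookie only sent over SSL. -->
    <authentication mode="Forms">
      <forms name=".PETSHOPAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Authorization: deny anonymous users by default; the login page is
         opened up with a <location> element further down. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Sensitive data: users stored in SQL with hashed, non-retrievable
         passwords and lockout after repeated failed attempts. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="PetShopMembership"
             applicationName="/"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>

    <!-- Roles stored in SQL; the cached role cookie gets the same protection
         as the authentication ticket. -->
    <roleManager enabled="true"
                 defaultProvider="SqlRoleProvider"
                 cacheRolesInCookie="true"
                 cookieProtection="All"
                 cookieRequireSSL="true">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="PetShopMembership"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- Cookies are not readable from client script and only travel over SSL. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Exception management: detailed error pages only for local requests. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Input validation: keep ASP.NET request validation switched on. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Anonymous users still need to reach the login page. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The Data Access and Auditing and Logging buckets do not reduce to configuration settings in the same way; those decisions (parameterized queries, least-privilege database accounts, what to log and where) live in the data access and logging code that the reference implementation document walks through.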

Getting Started

  1. Download and install the ASP.NET 2.0 Internet Security Reference Implementation.
  2. Use ASP.NET 2.0 Internet Security Reference Implementation.doc to identify the code you want to explore.
  3. Open the solution, Internet Security Reference Implementation.sln, and look into the details of the implementation.
  4. If you're interested in testing SSL, follow the instructions in SSL Instructions.doc.