asp:review
Visual Input Security 1.0
Protect Your ASP.NET Web Sites
By Don Kiely
Security is difficult. And Web security, including that for ASP.NET applications, is amongst the most difficult kinds of security to get right, because, by its very nature, a Web application is permanently connected to the Internet. Peter Blum has risen to the challenge and released Visual Input Security 1.0 (VISE). This collection of powerful tools, validators, and support engines makes it possible for mere mortals to develop highly secure Web sites.
VISE is designed to protect your site from the various kinds of input attacks currently in vogue (including SQL injection, cross-site scripting, and tampering), as well as to help divert repeated attacks. As described in the documentation, it is built on a best-practice, multi-part strategy that is designed to:
- block exceptions and diagnostic errors from getting into the hands of hackers (which they could exploit);
- log those exceptions for your own use;
- detect and block hacking attempts on every input of every page in your Web application; and
- log the hacking attempts to keep you informed.
VISE is a comprehensive product consisting of several kinds of components: a security analysis report to provide you with feedback about the security of each page, page and field validator controls that provide a variety of protection services, logging to help you monitor a site, and detection engines for SQL and script injection attacks. What is most impressive is that it demonstrates defense in depth, with a variety of tools and approaches that can add significant resilience to a site.
VISE is built on top of the company's Professional Validation and More (VAM) product, a collection of 22 validators that go well beyond those in ASP.NET. In this article I'll focus on VISE, but keep in mind that VAM provides much of the necessary infrastructure to drive the VISE security features. Also keep in mind that because VAM is priced on a per-server basis (US$100 per server for the full Level 2 package, or US$500 for a site license), your cost will be more than the VISE package alone. However, the total cost is eminently reasonable for all the features you get.
Protecting a Page
We Web developers might wish for a product that we can install and forget about while enjoying rock-solid security. But such a dream is a fantasy until the Web itself becomes more secure. Even with VISE, it takes some hard work to secure input pages. But at least with VISE, the tools and components eliminate some of the guesswork and provide a solid infrastructure for security.
For each input page in your application, you'll need to perform several steps using both ASP.NET and VISE tools. Start by converting any existing ASP.NET validation controls to VAM controls. You'll need to do a complete conversion because VAM provides an entire framework for validation that is quite different from that in ASP.NET (VAM provides a tool to automate the process, Convert Page to VAM.exe). It's a little tedious to convert each page one at a time with the tool, but it's much faster than doing it by hand. It does tasks such as adding VAM @Register tags to a page and converting IsValid and Validate method calls to VAM's versions.
The next step is to turn off ASP.NET 1.1's validateRequest protection (the validateRequest attribute of the @Page directive, or the <pages> element in web.config). From that point on you'll be relying on VISE and VAM's much more robust protection to guard your pages, so every input on the page has to be covered by it; the built-in check no longer backs you up.
Next, add VISE's PageSecurityValidator server control to the page. This control provides most of the page-wide security protections, as well as lets you turn on and off specific kinds of protections, such as different types of scripting attack protection. You'll also use the features of this control to produce security analysis reports.
Next, run the page. The Security Analysis Report generates a report for the page automatically. Check the report. Now go back and take care of any security holes the report reveals, including adding more validation controls from both VAM and VISE to tighten security on the page.
For example, you might use the FieldSecurityValidator control on text boxes that accept data that is stored as text. Its SQLDetectionLevel property gives you control over how strict its parsing is for SQL injection (a stricter level catches more attacks but also rejects more legitimate text, so pick it per field). Its HTMLTagMode and HTMLTags properties give you control over the HTML tags permitted. It also has SQLCommunicationMode and ScriptCommunicationMode properties that let you control whether an attack is logged and how an error is shown. When it detects an attack you can have it log everything without reporting errors to the user. You can also have it respond to severe errors by redirecting to another page. These responses are designed to let legitimate users have a pleasant experience at your site while frustrating hackers attempting to hack the site.
You can also exclude what VISE calls "safe" controls from the overhead of protection. A safe control is one that never returns unsafe data to the server, such as a button or a checkbox. You mark a control as safe by calling the PageSecurityValidator's ThisControlIsSafe method.
Whew! That's already a lot of work, but the controls and tools in VAM and VISE have done most of the hard stuff. But now you need to keep pushing on, adding protections such as specifying character encoding for the page, checking for and protecting any querystring or cookie names not caught by the Security Analysis Report, making sure that querystring parameters don't contain sensitive information, and so on. And you can use VISE's Slow Down Manager to slow down page responses to a hacker when it detects an attack.
VISE Tools
You can carefully hand craft Web pages all day with security firmly in mind, but it is all too easy to let little holes slip in, such as forgetting to add validation to a single control. Such a slip is all that is needed to give an attacker the opening to take control of your site. With that in mind, one of the best features of VISE is the Security Analysis Report (see Figure 1). For any page you choose to create the report for, it provides a complete analysis of the routes for visual input attacks, including visible and hidden form fields, cookies, and querystrings.
Figure 1: The Security Analysis Report can provide an analysis of any Web page in your application. It examines each input control to make sure that it is protected against attacks via visible and hidden form fields, querystrings, and cookies.
Setting up a page to produce an analysis report requires a bit of painstaking instrumenting, most of which is handled by the steps required to protect a page (as previously discussed). However, VISE doesn't generate a report automatically for every page in your site. Because most sites have input on only a handful of pages, and none on the vast majority, analyzing every page would be a waste of processing cycles.
You can't have security without logging and auditing, so VISE provides the LogAndRespond engine. The engine supports logging problems and attacks to the Windows event log, a text file, e-mail, or to custom logs using your own code. It can also respond to attacks by automatically redirecting to another page or throwing an exception. Because many attacks require persistent manual or automated probing of a page, these responses can make it so hard to hack your site that hackers will look elsewhere before discovering an overlooked hole.
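The field-level behaviour described earlier (a strictness level for SQL injection detection, an allow-list of HTML tags, and a response mode that logs silently, shows an error, or redirects) and the pluggable logging described in this section can be seen together in one custom ASP.NET validator. The following is an added example written for this review, not VISE or VAM code: the type names InputSecurityValidator, DetectionLevel, AttackResponse, AttackLogHandler and the property names are hypothetical stand-ins for the product's controls, and the regular expressions are illustrative patterns, not a complete detector. It builds on System.Web.UI.WebControls.BaseValidator, which was available in ASP.NET 1.1.

```csharp
using System;
using System.Collections;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical names: not VISE/VAM types. Illustrates the shape of a
// field-level input security validator with a strictness level, an HTML
// tag allow-list, and a configurable response to a detected attack.
public enum DetectionLevel { Low, Medium, High }
public enum AttackResponse { LogOnly, ShowError, Redirect }

// Logging is pluggable so a page can route entries to the event log,
// a text file, e-mail, or custom code; the default writes to Trace.
public delegate void AttackLogHandler(string field, string reason, string rawValue);

public class InputSecurityValidator : BaseValidator
{
    // Low:    quote followed by a comment/terminator, or extended stored procs.
    // Medium: adds tautologies (or 1=1, or 'a'='a) and UNION SELECT.
    // High:   adds bare SQL keywords; strict enough to reject ordinary text
    //         such as "please select a colour", so use it only where needed.
    static readonly Regex SqlLow = new Regex(
        @"'\s*(--|;|/\*)|\b(xp_|sp_)\w+", RegexOptions.IgnoreCase);
    static readonly Regex SqlMedium = new Regex(
        @"\bunion\s+(all\s+)?select\b|\b(or|and)\s+'?\w+'?\s*=\s*'?\w+", RegexOptions.IgnoreCase);
    static readonly Regex SqlHigh = new Regex(
        @"\b(select|insert|update|delete|drop|alter|create|truncate|exec(ute)?)\b", RegexOptions.IgnoreCase);
    static readonly Regex Script = new Regex(
        @"<\s*script\b|javascript\s*:|\bon(load|error|click|mouse[a-z]+|key[a-z]+|focus|blur|submit|change)\s*=",
        RegexOptions.IgnoreCase);
    // Any tag-like token; each tag name found must be on the allow-list.
    static readonly Regex Tag = new Regex(@"<\s*/?\s*([a-z][a-z0-9]*)", RegexOptions.IgnoreCase);

    DetectionLevel sqlLevel = DetectionLevel.Medium;
    string allowedTags = "";                 // comma-separated; empty = no HTML at all
    AttackResponse response = AttackResponse.ShowError;
    string redirectUrl = "~/Blocked.aspx";   // hypothetical page

    public DetectionLevel SqlDetectionLevel { get { return sqlLevel; } set { sqlLevel = value; } }
    public string AllowedHtmlTags { get { return allowedTags; } set { allowedTags = value; } }
    public AttackResponse ResponseMode { get { return response; } set { response = value; } }
    public string RedirectUrl { get { return redirectUrl; } set { redirectUrl = value; } }
    public AttackLogHandler Logger = new AttackLogHandler(TraceLogger);

    static void TraceLogger(string field, string reason, string rawValue)
    {
        System.Diagnostics.Trace.WriteLine(
            String.Format("Input attack on {0}: {1}; value={2}", field, reason, rawValue), "Security");
    }

    // Returns null when the value is clean, otherwise a short reason for the log.
    public string Analyze(string value)
    {
        if (SqlLow.IsMatch(value)) return "SQL comment/terminator sequence";
        if (sqlLevel >= DetectionLevel.Medium && SqlMedium.IsMatch(value)) return "SQL tautology or UNION";
        if (sqlLevel >= DetectionLevel.High && SqlHigh.IsMatch(value)) return "SQL keyword";
        if (Script.IsMatch(value)) return "script injection";

        Hashtable allowed = new Hashtable();
        foreach (string t in allowedTags.Split(','))
        {
            if (t.Trim().Length > 0) allowed[t.Trim().ToLower()] = true;
        }
        foreach (Match m in Tag.Matches(value))
        {
            string name = m.Groups[1].Value.ToLower();
            if (!allowed.ContainsKey(name)) return "HTML tag not allowed: <" + name + ">";
        }
        return null;
    }

    protected override bool EvaluateIsValid()
    {
        string value = GetControlValidationValue(ControlToValidate);
        if (value == null || value.Length == 0) return true;   // "required" belongs to RequiredFieldValidator

        string reason = Analyze(value);
        if (reason == null) return true;

        Logger(ControlToValidate, reason, value);              // always log, whatever the response mode
        switch (response)
        {
            case AttackResponse.LogOnly:
                Display = ValidatorDisplay.None;               // reject silently: no diagnostic for the attacker
                return false;
            case AttackResponse.Redirect:
                Page.Response.Redirect(ResolveUrl(redirectUrl), true);
                return false;                                  // not reached: Redirect ends the response
            default:
                return false;                                  // ErrorMessage/Text rendered as usual
        }
    }
}

// Hypothetical page markup using the control above:
// <asp:TextBox id="Comment" runat="server" TextMode="MultiLine" />
// <cc:InputSecurityValidator runat="server" ControlToValidate="Comment"
//     SqlDetectionLevel="Medium" AllowedHtmlTags="b,i,p" ResponseMode="ShowError"
//     ErrorMessage="Your text contains characters we do not accept." />
```

Pattern-based detection of this kind is a second layer, which is how the review describes VISE's role: parameterized queries still decide whether SQL injection is possible, and HTML encoding on output still decides whether script injection is possible. The validator's value is that it rejects and logs probing attempts at the input, and the Logger delegate is the hook where an event-log, file, or e-mail writer would go.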
VAM enhances the visual development environment in various ways, and includes an assortment of tools to make it easier. One is the ASP.NET Design Mode Extender, a VS.NET add-in that provides easy access to the web.config file and file paths to your Web applications. It automatically configures an application at design time to use the enhanced design features, and provides a tool to automatically configure the application (see Figure 2).
Figure 2: The ASP.NET Design Mode Extender utility automatically appears and sets up required paths for you when you create a new ASP.NET project.
The VISE Package
Installing VISE is a moderately daunting mix of automated setups and manual actions, and the complexity is far more than doubled if you don't already have the VAM product installed. The steps are laid out in painstaking detail in PDF installation guides (with more than 30 pages for each product), including use with VS.NET and DotNet Matrix, various development scenarios, and troubleshooting. And, of course, you need to perform most of the steps on both development and production machines, as well as some of the steps for each new ASP.NET application.
Pay close attention to these documents and follow them carefully; otherwise, you'll not be happy with the results. For example, I had a hard time getting the licenses installed correctly. The instructions are clear and complete, but I simply glossed over the steps too quickly and then just couldn't see my multiple errors. The licensing scheme is not onerous, but it requires careful attention to configure.
Although I suppose more of the installation process could be automated, VISE and VAM poke into so many corners of VS.NET and ASP.NET that it would be hard to simplify the process. Besides, it proved to be a great way to familiarize myself with the many components of the products as I explored the copious documentation. However, closer integration with the templates for a new ASP.NET application would be a big timesaver.
Like any good, contemporary .NET product, VISE relies heavily on .config files to control its many options. As you can see in Figure 3, the files are heavily commented with many standard options.
Figure 3: The VISE .config files have most security features enabled, with many more already set up for use. Simply uncomment an option and you're done!
The package seems to have all the flexibility you need for use on a hosted server when you don't have admin access to all of the IIS configuration options. But you'll want to take a careful look and make sure that it will work in your environment, particularly because there is so much work in setting up VAM and VISE on a server.
The documentation in VAM and VISE is so detailed and complete, it's almost scary. There's no way I'm going to ever show any of my clients the docs because that will raise the bar way too high for my own documentation. The author makes effective use of the features of the Adobe Acrobat PDF format, and includes plenty of samples, step-by-step descriptions, and some good explanations of security concepts.
It hasn't been since Dan Appleman released his first Desaware products that I remember a development tool vendor being so concerned that his customers both buy into and understand the issues in using a product. Peter Blum is quite careful to make sure that users understand exactly what his product can and cannot do to protect Web sites, and he offers plenty of educational information along the way. Security is difficult, and to tell the truth, VISE really only makes it more difficult. But VISE also dramatically increases the chances that your site will be well protected against known threats and will slow down hackers using new attacks.
Attention to Detail
One of the most impressive things about VISE is the attention to detail provided by the author. You have the maximum flexibility to adapt the product to various environments, such as the option to install the DLLs to the GAC or an application's \bin folder to accommodate deployment to hosted servers. The documentation is full of samples about how to do things in your application, and many options are included but commented out so you don't have to write the code. There are even detailed instructions about using the products in partial trust environments. And everything has the AllowPartiallyTrustedCallers attribute. Kudos to the author for enabling partially trusted development!
Dropping VISE into an ASP.NET application is not going to automatically make it secure against attacks. That's an impossible dream at this point in the Web's development. But VISE provides strong tools and feedback that make robust security possible and financially feasible for real-world applications. I highly recommend VISE for all Web developers who are serious about building secure sites.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:donkiely@computer.org.
Rating: ?????
Web Site: http://www.peterblum.com
Price: US$250 (requires the company's Professional Validation and More product at an additional cost)