Showing all posts tagged: 'security'

A 23-post collection

Using 'User Secrets' in .NET Core Console apps

Managing sensitive information and secrets in config files is something we all have to deal with on a daily basis. Unfortunately, it is also something we still get wrong: (a) config files with production secrets and keys, (b) source control littered with secrets and keys, (c) obscure file transformations and processes to update secrets as we move from one environment to another. There are, however, a few options available to us. For local development, .NET Core has the notion of User Secrets, which we can use to store sensitive information outside the application folder and away from source control. Azure Key …[read more]
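The layering that User Secrets is designed for, as an added example (not code from the original post): committed defaults in appsettings.json, the developer's secrets.json on top of them in Development only, and environment variables on top of everything for CI and production. It assumes a `<UserSecretsId>` in the .csproj (added by `dotnet user-secrets init`, or by hand on 2.x SDKs), the packages Microsoft.Extensions.Configuration.Json, .UserSecrets and .EnvironmentVariables, and the `Db:Server` / `Db:Password` keys, which are made up for the illustration.

```csharp
// Added example (not code from the original post): layered configuration for a .NET Core console app,
// with User Secrets supplying the sensitive value on a developer machine only.
// Assumes a <UserSecretsId> in the .csproj (added by `dotnet user-secrets init`, or by hand on 2.x SDKs)
// and references to Microsoft.Extensions.Configuration.Json, .UserSecrets and .EnvironmentVariables.
using System;
using System.IO;
using System.Reflection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.UserSecrets;

namespace UserSecretsDemo
{
    // Not static: AddUserSecrets<T>() needs T as a type argument to locate this assembly's UserSecretsId.
    public class Program
    {
        public static IConfigurationRoot BuildConfiguration()
        {
            var builder = new ConfigurationBuilder()
                .SetBasePath(Directory.GetCurrentDirectory())
                // Non-sensitive defaults that are safe to commit, e.g. { "Db": { "Server": "localhost" } }.
                .AddJsonFile("appsettings.json", optional: true);

            // Console apps have no hosting environment, so read the conventional variable directly
            // (assumption: DOTNET_ENVIRONMENT / ASPNETCORE_ENVIRONMENT, the names the generic host uses).
            var env = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT")
                   ?? Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")
                   ?? "Production";
            if (string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase))
            {
                // secrets.json lives under the user profile: outside the project folder and outside git.
                builder.AddUserSecrets<Program>();
            }

            // Registered last, so CI/production values injected as environment variables always win.
            builder.AddEnvironmentVariables();
            return builder.Build();
        }

        public static void Main()
        {
            var config = BuildConfiguration();

            // Fail fast instead of limping on with an empty password.
            var password = config["Db:Password"];
            if (string.IsNullOrEmpty(password))
            {
                throw new InvalidOperationException(
                    "Db:Password is not configured. Locally: dotnet user-secrets set \"Db:Password\" \"<value>\"");
            }

            var id = typeof(Program).Assembly.GetCustomAttribute<UserSecretsIdAttribute>()?.UserSecretsId;
            if (id != null)
            {
                // Prove to yourself that the secret never touches the repo: this path is under %APPDATA% or ~/.microsoft.
                Console.WriteLine($"Secrets file: {PathHelper.GetSecretsPathFromSecretsId(id)}");
            }
            Console.WriteLine($"Db:Server   : {config["Db:Server"]}");
            Console.WriteLine($"Db:Password : {new string('*', password.Length)}"); // never echo the value itself
        }
    }
}
```

To try it: `dotnet user-secrets set "Db:Password" "local-only"` in the project folder, then `DOTNET_ENVIRONMENT=Development dotnet run`. Run it again with `Db__Password=from-env` exported (double underscore is the environment-variable form of `:`) and the environment variable overrides the user secret, which is exactly the behaviour you want on a build agent. Guarding `AddUserSecrets` behind the environment check matters: the provider is harmless in production (no file, nothing loaded), but keeping it out of non-development configurations avoids any surprise when someone runs the binary under an account that does have a secrets store.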


Restrict public access to your Azure Web Apps with the IPSecurityRestrictions option

This is a little-known gem that I've used a few times while helping customers secure access to their Azure Web Apps. Traditionally, if one wants to restrict access to a website running on a VM (i.e. IaaS), one can use firewalls to ensure that everything goes through a single endpoint and access is restricted. However, as we move to the cloud and further up the stack (PaaS or FaaS), we lose some of that tight control in exchange for the benefit of using a managed service! But what if you wanted to run your website …[read more]


Enforcing HTTPS-only traffic and HSTS settings for Azure Web Apps and Azure Functions

I hope that by now your site is running under HTTPS. If not, you may want to read Troy Hunt's [blog post(s)](https://www.troyhunt.com/ssl-is-not-about-encryption/) on the subject. He does a great job explaining the WHY. If your site is running on Azure Web Apps under the default naming convention `<yoursitename>.azurewebsites.net`, you have the option to enforce HTTPS using the Azure certificate. However, this is not recommended. Most likely, you'll have your site running under a custom domain. If that's the case, you'll need a custom certificate. There are many …[read more]


EF Core, String Interpolation and SQL Injection

EF Core has always provided support for inline SQL queries, meaning that you can pass a T-SQL query to be executed through the current DbContext. A typical example looks like this:

```csharp
var term = "some search term";
var blogs = db.Blogs.FromSql($"SELECT * FROM dbo.Blogs WHERE Title = {term}")
    .OrderBy(b => b.Url)
    .Select(b => b.Url);
```

This feature is great if you need to call a table-valued function etc. I would urge that it be used in moderation and with careful consideration. Calling raw T-SQL requires that developers understand the potential …[read more]
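Why the interpolated call above is safe, and how a one-line refactor makes it injectable, as an added example that is not from the original post. In EF Core 2.x `FromSql` has two overloads: `FromSql(FormattableString)`, which turns each `{...}` hole into a `DbParameter`, and `FromSql(RawSqlString, params object[])`, which takes the text as-is. An interpolated literal passed directly binds to the first; the same text stored in a `string` variable first binds to the second. The example assumes the Microsoft.EntityFrameworkCore.Sqlite provider (in-memory SQLite, so it runs offline), and the `Blog` entity, the `Blogs` table and the attacker payload are constructed for the illustration.

```csharp
// Added example (not from the original post): the same query through both FromSql overloads,
// run against an in-memory SQLite database so the difference is observable.
// Assumes EF Core 2.x with the Microsoft.EntityFrameworkCore.Sqlite package; entity and data are constructed.
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

namespace EfCoreInjectionDemo
{
    public class Blog
    {
        public int BlogId { get; set; }   // primary key by convention
        public string Title { get; set; }
        public string Url { get; set; }
    }

    public class BloggingContext : DbContext
    {
        private readonly SqliteConnection _connection;
        public BloggingContext(SqliteConnection connection) => _connection = connection;
        public DbSet<Blog> Blogs { get; set; }                   // maps to table "Blogs"
        protected override void OnConfiguring(DbContextOptionsBuilder options) => options.UseSqlite(_connection);
    }

    public static class Program
    {
        // VULNERABLE: `sql` is a System.String by the time FromSql sees it, so overload resolution picks
        // FromSql(RawSqlString, params object[]) and the user input is spliced straight into the statement.
        public static string[] SearchUnsafe(BloggingContext db, string term)
        {
            var sql = $"SELECT * FROM Blogs WHERE Title = '{term}'";
            return db.Blogs.FromSql(sql).OrderBy(b => b.Url).Select(b => b.Url).ToArray();
        }

        // SAFE: the interpolated literal is passed directly, so it is a FormattableString and EF Core
        // binds {term} as a parameter; the input can change the value compared, never the query's shape.
        public static string[] SearchSafe(BloggingContext db, string term)
        {
            return db.Blogs.FromSql($"SELECT * FROM Blogs WHERE Title = {term}")
                           .OrderBy(b => b.Url).Select(b => b.Url).ToArray();
        }

        public static void Main()
        {
            using (var connection = new SqliteConnection("Data Source=:memory:"))
            {
                connection.Open(); // an in-memory SQLite database lives only while this connection stays open
                using (var db = new BloggingContext(connection))
                {
                    db.Database.EnsureCreated();
                    db.Blogs.AddRange(
                        new Blog { Title = "Public",  Url = "https://example.com/public"  },
                        new Blog { Title = "Private", Url = "https://example.com/private" });
                    db.SaveChanges();

                    // Constructed attacker input: closes the string literal, makes the WHERE always true,
                    // and comments out the dangling quote.
                    var payload = "x' OR 1=1 --";

                    Console.WriteLine("unsafe: " + string.Join(", ", SearchUnsafe(db, payload))); // both URLs leak
                    Console.WriteLine("safe  : " + string.Join(", ", SearchSafe(db, payload)));   // nothing: no such title
                }
            }
        }
    }
}
```

The refactor from `SearchSafe` to `SearchUnsafe` is one a well-meaning developer makes to "tidy up" a long query, and nothing in the compiler warns about it. Two checks catch it in review: any `string`-typed variable flowing into `FromSql` is suspect, and the parameterised form never needs quotes around the hole. On EF Core 3.x to 6.x the overloads are spelled `FromSqlRaw` and `FromSqlInterpolated`, which makes the choice explicit at the call site; from EF Core 7 `FromSql` accepts only a `FormattableString`, so the unsafe call above no longer compiles unless someone reaches for `FromSqlRaw`.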


Secure Azure ARM templates with Key Vault and VSTS

Azure ARM templates are the recommended way of standardising and automating resource deployments to Azure. The Resource Manager engine drives the current portal and is also responsible for managing your infrastructure, where everything is a resource (VMs, Web Apps, Cosmos DB etc.). ARM templates are JSON files that describe what your infrastructure looks like, and they come with some great benefits: infrastructure as code, idempotency, source control, tool flexibility, and tighter security and control. For this post, I would like to focus a bit on security and show you how to leverage some of the built-in Azure features to improve your overall Azure …[read more]


Securing Azure Storage Tables with SAS authentication and CORS in .NET

I'm currently working on a side project as an excuse to try some of the latest code features and functionality in [.NET Core](https://www.microsoft.com/net/download/core). It's a small project with a couple of models and basic CRUD. The project is going to touch everything new, such as ASP.NET Core 2.0 Preview, .NET Standard 2.0 Preview, the [Azure Storage SDK for .NET Core](https://www.nuget.org/packages/WindowsAzure.Storage) etc. It was a conscious decision, as I wanted to see how the latest tooling and …[read more]


Securing ASP.NET Core application settings using Azure Key Vault

Azure Key Vault is one of my favourite services, competing for first place with Azure Functions. And .NET Core is my favourite framework for writing applications. Imagine, then, my surprise when I found out that my favourite tools can now work together! [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started) is a cloud service for storing sensitive "secrets" and (encryption) "keys". Key Vault is simple, easy and indispensable when developing secure applications. It helps avoid the complexity of storing sensitive information in configuration files. This can be API passwords, …[read more]
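Wiring Key Vault into ASP.NET Core configuration so that application code reads `ApiClient:Key` without knowing where it came from, as an added example that is not from the original post. It uses the current packages Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity on .NET 6+ minimal hosting rather than the 2017-era provider; the `KeyVault:Uri` and `ApiClient:Key` settings, and the vault secret named `ApiClient--Key`, are assumptions for the illustration.

```csharp
// Added example (not code from the original post): Key Vault as a configuration source in ASP.NET Core.
// Assumes .NET 6+ with the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages;
// the setting names and the vault secret name are made up for the illustration.
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// In Development, CreateBuilder has already added the user-secrets store, so local runs need no vault at all.
if (!builder.Environment.IsDevelopment())
{
    // Everywhere else, read secrets from Key Vault with the app's own identity: a managed identity when
    // running in Azure, the developer's or agent's signed-in credential otherwise. Nothing in config
    // (no client id/secret) is needed to unlock the vault, which is the point of the exercise.
    var vaultUri = builder.Configuration["KeyVault:Uri"]   // e.g. https://<vault-name>.vault.azure.net/ (assumed setting)
        ?? throw new InvalidOperationException("KeyVault:Uri must be set in appsettings or the environment");

    builder.Configuration.AddAzureKeyVault(
        new Uri(vaultUri),
        new DefaultAzureCredential(),
        new AzureKeyVaultConfigurationOptions
        {
            // Poll for rotated secrets so a rotation does not need an app restart.
            ReloadInterval = TimeSpan.FromMinutes(5)
        });
}

// Key Vault secret names cannot contain ':', so the provider maps "--" to ":" :
// the vault secret "ApiClient--Key" surfaces here as "ApiClient:Key", the same key
// a user-secrets entry or the environment variable ApiClient__Key would use.
var apiKey = builder.Configuration["ApiClient:Key"]
    ?? throw new InvalidOperationException(
        "ApiClient:Key is missing: check the secret exists and the app identity has 'get'/'list' on the vault");

var app = builder.Build();
app.MapGet("/", () => $"API key loaded ({apiKey.Length} chars)"); // never echo the value itself
app.Run();
```

Two operational caveats: the identity needs secret get and list permissions on the vault (an access policy or the Key Vault Secrets User role), because the provider enumerates all secrets at startup; and a secret it cannot read or a wrong vault URI fails the app at startup, which is the behaviour you want rather than silently running with an empty key. Keeping the same configuration key across user secrets locally and Key Vault in Azure is what lets the rest of the code stay identical between environments.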


How to fix Bitlocker issues on Windows 10

I like shiny new things. And when you work in tech, shiny new things are easy to acquire. Just switch to the new alpha/beta channel for your favourite toolset and you're sorted. However, all this comes with a massive disclaimer: things can quite frequently go horribly wrong. But I love the excitement of trying new features and I'm quite happy to overlook any broken bits. I also do my best to report back to the developers. And for a long time I managed to ride the (innovation) wave without major issues. OK, I had to reinstall things from time …[read more]