
Application Security: Where You Want It, When You Need It with Visual Guard


This post originally appeared on CodeProject.com.

I’ve been spending a lot of time thinking about application security recently. This used to be one of those topics I would plan to implement last when I read specification documents for projects. “Security is easy … just put a few If/Then statements around the things that need to be secured and we’re done, right?” Then I went shopping at a large American retailer in the winter of 2013. Their systems were compromised and three months later, my credit card was shut off while I was attempting to pay for dinner at a nice restaurant. That hurt … and security of applications suddenly became a problem that hurt me in a REAL way.

When I think about all of the .NET applications that I have written over the last 10 years, I’m sure there are many features that could use an improvement to their authorization policies. Perhaps that customized authentication provider I wrote could be hardened a bit more. I think I’ve tried to play the security expert too much in the past, and if I were in a place to maintain those applications today, I would be thinking real hard about how to implement better security in them. After doing some research and looking at the new techniques published by Microsoft for securing their frameworks, I think I found a third party solution that does a great job with green-field and brown-field applications.

I’ve been reviewing Novalys Visual Guard for the last 2 weeks, and found some really interesting nuggets in this package that would make my network administrators stand up and take notice. Let’s start with the basics: Visual Guard will let me configure a secure repository for my organization in several mediums including Microsoft SQL Server, Oracle Database, and a file share. In this repository, I can connect Active Directory or any number of third party OAuth providers for my users. Sweet! However, storing user credentials is just the tip of the iceberg.

User Authentication is the door that opens to get access to an application. It is your logon page, the logon screen, and the persisting of those credentials for the duration of time that someone is using one of your secured applications. Notice the use of the plural there: applications. Visual Guard allows me to configure a security repository that can administer many applications for a shared user base. With the Visual Guard console, I can clearly see what applications are managed and the permissions available inside of each application. Let’s go over that again: permissions for an application are managed outside of the application.

Even better than permissions managed outside of the application, I can configure multiple servers to manage the authentication and authorization rights in my application. That gives me scalability, and according to the manuals that I read through, it is even possible to configure Visual Guard to allow management of users and permissions with a web based console. There’s a ton of flexibility in the deployment of the Visual Guard server, and I’ve only just scratched the surface.

The web-based console can have its look and layout customized, even integrated into my application so that it appears seamlessly alongside my content. I can then review and manage security from anywhere in the world, with any device that can connect to my website.

The windows console shows a tree of information about an application, like this one for the Console itself. You can clearly see the permissions available under the Visual Guard Console – Permissions folder. These permissions are grouped into Permission Sets and then assigned to Roles. Finally, roles can be assigned to users to grant authorization inside of your applications. With one set of credentials, I now have a single-sign-on across all applications that are integrated with my instances of the Visual Guard server.

The killer feature here is the integration with your application. This is where I really saw an application for those long-life applications that I wrote many years ago. You can add Visual Guard on to an existing web application without having to recompile! Due to the provider model of the ASP.NET web forms project, as long as your login page is using the security providers defined in web.config, you should be able to swap out the authentication provider for Visual Guard. After that, the addition of an HttpModule is all you need to secure the rest of the application. Visual Guard secures your application by intercepting normal events as they occur, and allows you to specify what actions to take at those events.

Each permission defined in Visual Guard can have Property Actions or Script Actions associated with it. These are codified changes to make to your application, written and managed in the administrative console and executed at run-time of the application. You can do something as simple as create a ViewGrid permission and set the Visible property on a grid to true if the user has that permission. Once the permissions are defined, this can be managed by your operations or security teams with no intervention from a developer required. There are more advanced integrations available that involve a developer modifying code to provide additional security checks if that is what you require. However, this is too cool for me to be able to delegate the authorization checks of my application to the operations team!

Another interesting feature that Visual Guard could help me with is multi-tenancy. I have architected and written several large multi-tenant applications in my past, and the story of data access and security is always a sticky one to describe and get correct with thousands of lines of code to manage. Visual Guard has built in inheritance of permissions from group to child-group. This hierarchy is a nightmare to manage in a SQL database, and I can now rely on Visual Guard to apply that hierarchy and data-filter for me.

Finally, there is always a question of accountability. Who performed what secured operation and at what time in the application? In the past, I’ve written huge database tables and logging mechanisms to provide this auditability of secure content. Visual Guard provides an audit report that outputs all records of security checks in your applications. After having handcrafted several of these services, I am happy to see that I don’t need to do that again. According to the docs from Novalys, Visual Guard is HIPAA and SOX compliant … another headache that I can leave to professionals who are focused on that task.
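The authorization model described in the last few paragraphs (permissions grouped into permission sets, sets assigned to roles, roles assigned to users or to groups with child groups inheriting from their parents, and every check recorded for an audit report), as an added Python example. This is not Visual Guard’s code or API; the class, the tenant groups and the user names are constructed assumptions.

```python
from collections import defaultdict

class SecurityRepository:
    def __init__(self):
        self.permission_sets = {}            # set name -> {permission, ...}
        self.roles = {}                      # role name -> [set name, ...]
        self.user_roles = defaultdict(set)   # user -> {role, ...}
        self.group_roles = defaultdict(set)  # group -> {role, ...}
        self.group_parent = {}               # child group -> parent group
        self.user_groups = defaultdict(set)  # user -> {group, ...}
        self.audit = []                      # (user, app, permission, granted)

    def effective_roles(self, user):
        roles = set(self.user_roles[user])
        seen = set()
        for group in self.user_groups[user]:
            # walk child -> parent so roles granted higher up are inherited
            while group is not None and group not in seen:
                seen.add(group)
                roles |= self.group_roles[group]
                group = self.group_parent.get(group)
        return roles

    def effective_permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            for set_name in self.roles.get(role, ()):
                perms |= self.permission_sets.get(set_name, set())
        return perms

    def check(self, user, app, permission):
        # Every check is recorded, granted or denied, for the audit report.
        granted = permission in self.effective_permissions(user)
        self.audit.append((user, app, permission, granted))
        return granted

def build_sample_repo():
    # Constructed sample data: tenant group "Acme" with child group "Acme/Sales".
    repo = SecurityRepository()
    repo.permission_sets = {"GridViewing": {"ViewGrid"},
                            "GridEditing": {"ViewGrid", "EditGrid"}}
    repo.roles = {"Viewer": ["GridViewing"], "Editor": ["GridEditing"]}
    repo.group_parent["Acme/Sales"] = "Acme"
    repo.group_roles["Acme"].add("Viewer")
    repo.group_roles["Acme/Sales"].add("Editor")
    repo.user_groups["alice"].add("Acme/Sales")
    repo.user_groups["bob"].add("Acme")
    return repo
```

A property action such as “set the grid’s Visible property when the user holds ViewGrid” reduces to `grid_visible = repo.check(user, app, "ViewGrid")`, and the denied entries in `repo.audit` are the rows an audit report would surface.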

My mindset on security has changed. No longer do I view it as an afterthought that can be added to my code once I have the core functionality working. Now I see security as something that I can partner with my operations team to implement. I can enable them to secure the services we are producing with the help of Novalys Visual Guard. This leads to more secure systems, security officers who are more aware of how software services are secured and more secure control of authorization capabilities within those facilities.

Disclosure of Material Connection: I received one or more of the products or services mentioned above for free in the hope that I would mention it on my blog. Regardless, I only recommend products or services I use personally and believe my readers will enjoy. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”

Microsoft MVP – Two Years Running

This morning I was renewed as a Microsoft MVP in ASP.NET and IIS.  This is a tremendous validation of the efforts I have put in through conference appearances, Pluralsight courses, blogging, and writing of other articles.

I’m going to be writing a lot more in the coming weeks and months on the advances in ASP.NET vNext, my next Pluralsight course, and I’ve got an app idea or two in the plans as well.  

Stay with me and I think you’ll find some neat angle brackets, curly braces, and web goodness coming from yours truly before the summer is out.

7 Twitter Accounts to Follow for the latest on ASP.NET vNext

I’ve been working a lot on the ASP.NET vNext framework over the last 2 months, and have only started to publish some of my work and my findings.  I’ve given a presentation at Philly Code Camp explaining a bit about how to start working with this new edition of the framework.  Now, I want to start reporting on what’s going on and give you some pointers to follow as the framework develops over the next few months.

In this post, I want to give you a collection of twitter accounts to follow and learn more about ASP.NET directly from the team.  This is my top ten list to follow for announcements and discussion of the product:

@AspNet

The grand-daddy of ASP.NET accounts.  Just about all activity around the framework is reported from this account.  


@ScottGu

Scott Guthrie – the guy who created ASP.NET.  He’s also the executive VP at Microsoft who oversees Windows Azure and all server products, including ASP.NET.

@shanselman

What can I say about Scott Hanselman that you haven’t heard already?  Scott has several podcasts, a very good blog, and appears in many training videos for the framework.  Why aren’t you following him already?

@DavidFowl

This is David Fowler… He is one of the lead authors on the vNext framework.  If you are watching the evolution of the code on GitHub, you will become very familiar with his commits and coding style.  David is also one of the original authors of SignalR.


@DamianEdwards

Damian is a project manager at Microsoft on the team, and leads the teams that are building out web forms and SignalR for the vNext framework.  Damian loves Australian cricket, so be ready to learn a thing or two about the sport.  He is also one of the original authors of SignalR.


@MKristensen

Mads Kristensen is responsible for VS Web Essentials and the Visual Studio editor support for the ASP.NET framework.  He’s built the browser link feature and is a hardcore student of the W3C standards and browser capabilities.


@danroth27

Daniel Roth is a project manager on the team and responsible for MVC, WebAPI and much of the cloud optimized server-side framework that you have seen referred to as Project K.  


Keep an eye on these accounts, and you’ll be updated as things evolve.  Of course, you should also follow @csharpfritz so that you can get my latest unbiased and hardcore opinion of what’s new and how it impacts your projects.

Mobilize ASP.NET Web Forms with Pluralsight!

My latest course with Pluralsight is finally complete and now available!  After months of agonizing over the last bits, I finally have published “Mobilize Your ASP.NET Web Forms” for all to review.

In the first week that it is available, the course has been evaluated with a 4.4 out of 5 rating by 14 viewers.  Thank you for your reviews!

This was an important course for me to complete for a number of reasons:

  1. My first “solo” course that I delivered.  Previously, I contributed to “One ASP.NET from Scratch” with Jesse Liberty.
  2. This was a topic that hit home with me.  I had received a lot of questions and criticism about ASP.NET web forms NOT being able to deliver effective mobile content.
  3. I have spent a lot of time over the last nine months with my colleagues at Telerik to ensure that our UI for ASP.NET product had a killer mobile story.

What’s Next?

I have a number of course ideas that I am kicking around.  I’m submitting a proposal today for another ASP.NET course at Pluralsight.  Once I get the go-ahead, I’ll drop hints as to the content, but I want to keep it quiet ahead of release to avoid any competition.


TechEd North America 2014, Thank You Houston!

After a whirlwind week through the monstrous training event that is Microsoft’s TechEd conference, I can finally write this post to recount my experience of that week in Houston.

I arrived at the event half-way through the first day, and walked the six blocks from my hotel to the conference center.  After negotiating the maze of closed sidewalks, locked doors, and blocked escalators, I eventually found my way to registration and the conference speakers room.  At other events, I am familiar with the speakers room containing several long tables with enough space for 20-30 to power up laptops and review their content.

At TechEd, with more than 500 break out sessions, I did not expect the mammoth room that opened up before me.  There was easily room for 100 to work, and every seat was taken on this Monday afternoon.  I noticed a number of people in the room whose sessions I had attended in years past, and understood at that point I made it:  I was at the big show, and this was going to be my turn to present.  The staff took my information and handed me what I had been coveting for years, a pair of speaker shirts – proof positive that I was where I belonged.

In the weeks leading up to arriving in Houston, I had this feeling that I was just pretending that I got the invitation to speak at TechEd.  I had been wanting to be a lecturer at this show since 2008, and there was just no WAY that I could finally have the chance to do it.  This moment when I left that room with two purple speaker shirts over my shoulder was tangible verification – no more denial.

I attended and worked at the Microsoft ASP.NET experts booth on Monday evening and Tuesday afternoon.  Including Tuesday evening, where I appeared at an “Ask the Experts” event, I felt like I was really getting into a groove.  I was wearing my speaker badge and colors, and representing the content well.  … and then Wednesday happened.

I couldn’t sleep Tuesday night.  Maybe it was the killer party that my colleagues at Telerik put on, maybe it was nerves, but it certainly was not for lack of rest.  I woke at 4am on Wednesday morning and got to reviewing and rewriting my demos for the 5pm presentation.  I calculated that I needed to leave the hotel by 2pm to make it in time for my talk.  All morning I tuned, pruned, and practiced my session.  I added a joke or two, moved some code around until I got it just the way I wanted it… and then I left my hotel at 1:30pm.

After a quick lunch at Chipotle across the street, I walked to the venue.  I made my way to the speaker room and sat for a few minutes, re-reading my paper notes and slides one final time and then I left for my room.  When I arrived, I found my friend Mads still presenting his session on Performance Tuning ASP.NET.  It was a great session, with all of the seats filled and standing room only remaining.  

Once that session ended, I wired up my mic and got on stage.  After connecting my laptop to the series of displays that I needed for this session, I looked out at a mostly empty room and thought: Holy crow, there’s a lot of seats out there.  I’m not usually nervous when I look out at my audience, but there was a lot of build up to this one for me, and I started to feel it.  I wandered to the back of the room and took a picture or two, and started to get my mind right.  I like to think of a moment in the first episode of Lost, where Jack explains that he’s only going to be afraid for 5 seconds and then block it out.  … and that’s what I did.

I went on stage with 15 minutes to go until my session was scheduled to start, and relied on an old friend of mine to help break the ice.  My childhood friend Rusty Ward has been producing this YouTube series called ‘Science Friction’ for a year or so now, and I’ve started showing an episode or two before my sessions start.  The audience enjoys it, and it gets things going the way I want – smiles and engaged.

I set forth after showing a second episode of this series.  It’s a great series, and you should check it out if you haven’t clicked the link already.  Anyways, I started my talk and everything ran very well.  You can watch a recording of the screens and my audio here:

Afterward, I had a number of questions and lots of great feedback come in.  Someone called it “the best session of the entire conference”; another person said:

“I was hungover all day, and this was such an awesome session that it got my full attention”.  

There were many more comments, and I am humbled by the attendees’ feedback.  Thank you for watching, and thank you for that hour of your time.

Resources from my session

What does this mean for me now?  Honestly, I don’t know.  This has been a career goal of mine since 2008.  I’ve accomplished it, I have the shirts to prove it and now I must move on.  To what?  I’m not sure yet, but there is another Philly Code Camp coming up next month, and more conferences in the Fall.  I hope to see you at more cool events like TechEd in the near future!