ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

I'm a bit of a health nut too, having lost 50 pounds in 2019 and 2020. Check out my blog for weight loss tips!

A New Approach to Web Security

Published on: 2018-06-26

Attacking a website is surprisingly easy. YouTube has several videos of hackers breaking into a website within minutes. One example I saw had a hacker break into a site in two minutes flat using an open source tool popular with ethical hackers, but since I couldn't find any examples that I could be sure were legally done, I decided against linking to them here. But imagine, if you would, watching a hacker pull all of the usernames and passwords from a website just by giving a URL to a tool and telling it to list all the databases, then all the tables, then the columns, and finally the column contents, all in two minutes. It should make you think twice about the security of your own website.

But website security doesn't change quickly enough to keep up with the times. The Open Web Application Security Project (OWASP) periodically releases a Top 10 list of web application security vulnerabilities, but the list doesn't change much from one edition to the next. To see what I mean, here's a comparison of the 2013 list to the 2017 list.

We have defenses against most of these attacks that work quite well; developers just don't apply these defenses consistently. And between the sheer number of places where these defenses need to be applied and the pressure to get features out quickly, it can be understandable when something is missed. But the consequences of a security failure can be enormous, in terms of IT hours, legal costs, and reputational damage. One estimate states that the average cost of a security breach is $17 million.

Throw on top of that the ever-changing nature of attacks—not only do we have ransomware and cryptocurrency mining attacks to worry about now, but also countries like North Korea and Russia are carrying out cyber-attacks on the U.S. government and, in some cases, individual companies.

Not adapting to these threats is asking to get hacked.

Think you're safe? One brand new website monitored its traffic and got more than a quarter of a million attack attempts in a single day. Any website has easily thousands of places a hacker can try to get in. How confident are you that you've locked them all down?

Current website defenses focus on stopping specific, common types of attacks. We have libraries for XSS prevention, approaches for preventing SQL injection, CSRF attack prevention, etc. What more can we do?

To create a more comprehensive approach to website security, I've created a new security-related product. It's a wrapper that sits on top of ASP.NET Core (with the potential for additional versions depending on demand) that watches for potentially malicious traffic, then automatically blocks users who are behaving badly. This not only makes it much more difficult for hackers to run automated attacks, but it also makes it harder for them to gather the information they need to mount a targeted attack built specifically for your system.
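To make the idea concrete, here is an added example of the kind of behaviour-based blocking described above, written as a small ASP.NET Core middleware. It is not the product's code and not from the original post; the scoring rules (a point per 404, three per 401 or 403), the threshold of 20, the 15-minute block, the in-memory table and the use of the remote IP address as the client key are all assumptions chosen for illustration.

```csharp
// Added example, not the product described in the post: an ASP.NET Core middleware that
// scores each client's behaviour and starts returning 403 once the score crosses a threshold.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class BadBehaviorBlocker
{
    private readonly RequestDelegate _next;

    // Assumed in-memory score table keyed by remote address. A real deployment would
    // use a shared store so that every server sees the same scores, and would derive the
    // key from a trusted proxy header (e.g. X-Forwarded-For) when running behind a proxy.
    private readonly ConcurrentDictionary<string, (int Score, DateTime BlockedUntil)> _clients = new();

    private const int BlockThreshold = 20;                              // assumed threshold
    private static readonly TimeSpan BlockDuration = TimeSpan.FromMinutes(15); // assumed block length

    public BadBehaviorBlocker(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        string key = context.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        DateTime now = DateTime.UtcNow;

        // Already blocked: refuse the request before any application code runs.
        if (_clients.TryGetValue(key, out var state) && state.BlockedUntil > now)
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        await _next(context);

        // Score the outcome after the rest of the pipeline has run. Bursts of 404s look like
        // path probing; repeated 401/403s look like credential guessing or authorization probing.
        int penalty = context.Response.StatusCode switch
        {
            StatusCodes.Status404NotFound    => 1,
            StatusCodes.Status401Unauthorized => 3,
            StatusCodes.Status403Forbidden    => 3,
            _ => 0
        };
        if (penalty == 0) return;

        _clients.AddOrUpdate(
            key,
            _ => (penalty, DateTime.MinValue),
            (_, s) =>
            {
                int score = s.Score + penalty;
                // Crossing the threshold resets the score and records when the block expires.
                return score >= BlockThreshold
                    ? (0, now + BlockDuration)
                    : (score, s.BlockedUntil);
            });
    }
}

public static class BadBehaviorBlockerExtensions
{
    // Register early in the pipeline, e.g. app.UseBadBehaviorBlocker(); before UseRouting().
    public static IApplicationBuilder UseBadBehaviorBlocker(this IApplicationBuilder app)
        => app.UseMiddleware<BadBehaviorBlocker>();
}
```

Two caveats matter in practice. Keying on the remote address means everyone behind one NAT or corporate proxy shares a score, so a block triggered by one user can lock out their colleagues; pairing the address with a session or account identifier where one exists reduces that. And a block is a signal, not just a response: log the key, the score and the triggering request so that the incident can be reviewed and the thresholds tuned against real traffic.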

If you're interested in learning more, please contact me to get started today!