ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

I'm a bit of a health nut too, having lost 50 pounds in 2019 and 2020. Check out my blog for weight loss tips!


Advanced ASP.NET Security

ASP.NET Core is a relatively secure framework that is relatively secure by default. If you use Entity Framework and don't do anything crazy in the UI, you're protected from most of the most obvious attacks.

The problem is that there are far too many places in the framework where Microsoft seemed to say "eh, good enough" when it came to security. Want to know what I mean? Here are a few examples:

  • Session tokens never expire on the server — so even if you log out, an attacker can still reuse your authentication token.
  • CSRF tokens are tied to a user, but never expire. If an attacker has your tokens, they can use them in CSRF attacks against you. Forever.
  • Very few of the truly latest and greatest cryptography algorithms are available in the framework. You need to load third-party libraries to use the latest and greatest.
  • The default login form is pathetically weak protecting against brute force attacks.
  • And don't even get me started about how bad the new logging framework is for security.

In this book, I show you how a security person looks at security. I don't just give you Microsoft's content in book form — I show you how to attack ASP.NET websites using tools your penetration tester would. Then maybe, just maybe, you have a shot at being truly secure.