Automatic security updates for Microsoft NuGet packages?

I just tried to answer the question “How to ensure that my ASP.NET MVC 5 web app gets updated automatically when a severe security issue is found in a NuGet dependency”.

The best resources I have found on this topic:

Summary

  • Windows Update will update NuGet packages only for targeted security updates
  • Supported .NET version: 4.5.1. or newer
  • MS .NET NuGet packages treated as part of the .NET framework
  • Security update notifications are posted to .NET blog. Subscribe!
  • Microsoft Update records loaded MS assemblies on a machine to identify candidates for patching.
  • Apps using a vulnerable NuGet package will get served the patched Assembly via GAC Publisher Policy.

Conclusions

I am now more confident that using NuGet packages I get critical updates for my applications when needed when Windows Update is used.

But: I would like to see a more recent document about the treatment of Security issues in NuGet. (Pease leave a comment if you have something and I will update the post). And I would like to know why the NuGet package feed list is empty.

Cloud diary tutorial part 1- Get started with ASP.NET MVC, user authentication and the cloud

A video tutorial based on my learnings of ASP.NET MVC 5, ASP.NET Identity, SQL Server and Azure.

Summary: I will show you how to create a very simple web application with user authentication. Users can register, log in, create diary entries (text) and visualize their entries.

In part one we will create, test and refactor the application locally on our computer. Although the app is very simple we will touch a lot of different technologies. You will also see some issues you may experience when starting with ASP.NET MVC in Visual Studio and how to fix them.

In part two we will publish our app to the cloud (Azure). Please subscribe to get notified when part two is finished.

Technology stack

Visual Studio 2017 (Community Edition)
ASP.NET MVC 5
ASP.NET Identity
C#
Git
Entity Framework 6 with Code-First
LINQ to Entities
Azure App Service
Azure SQL Database

Prerequisites

Visual Studio 2017 with the following workloads:

  • ASP.NET and web development
  • Azure development

Content

00 – Introduction

01 – Create ASP.NET MVC 5 application from template

  • Create a new ASP.NET MVC 5 application with ASP.NET Identity
  • Configure authentication (Individual user accounts) for new project
  • Project folders overview
  • Local database folder: App_Data
  • Register user and log into our new application
  • Use “Server Explorer” to show data from local database

02 – Remove unneeded content from application

  • Change title and footer of application
  • Basic HTML tags (title, footer, h1, h2, footer, div)
  • Remove a View and Action Method
  • Commit to source control (local GIT repository)

03 – Create new Controller and View

  • Create a new ASP MVC Controller
  • Create a new ASP MVC View
  • User authentication and security
  • Use of the [Authorize] and [AllowAnonymous] attributes
  • Configure authorization/authentication by default with global filter
  • Refactor our app to use global filter instead of [Authorize] attribute

04 – Display list of fake entries in View

  • Create a model class for diary entry
  • Usage of “prop” code snippet.
  • Create fake data in Controller
  • Display list in View
  • Use of the “ViewBag”
  • Create an HTML table in code

05 – Add form for adding new diary entries

  • Create a Html form using ASP.NET Identity code as template
  • Razor syntax
  • MVC Form @model directive
  • Create a ViewModel for form-data with data validation attributes
  • Use of [Required], [DisplayName] and [StringLength] attributes

06 – Implement Action Method on Controller to handle the form data from HttpPost request

  • Add HttpPost Action method to Controller
  • [HttpPost] and [ValidateAntiForgeryToken] attributes
  • Test Action Method

07 – Store diary entries in database

  • ASP.NET Identity ApplicationUser and ApplicationDbContext overview
  • ASP.NET Identity tables
  • Extend DiaryEntry model class for usage in DbContext
  • Create foreign key property and navigation properties (Entity Framework)
  • Add new DiaryEntry table to DbContext
  • Create new model class from viewmodel
  • Use Entity Framework to insert into DiaryEntries table
  • Show result of data-model change: “Server Error in Application. The model backing the ‘ApplicationDbContext” context has changed since the database was created. Consider using Code First Migrations to update the database”

08 – Enable EF Migrations

  • Add Code First Migrations to update the database
  • Delete SQLServer LocalDB database from App_Data folder
  • Enable, create and apply migrations with Package Manager (“enable-migrations”, “add-migration”, “update-database”)
  • Test adding a new diary entry to the database using our form.

09 – Retrieve data

  • Query database with LINQ to entities query
  • Redirect to GET ActionMethod after the POST with “RedirectToAction”

10 – UX improvement – Login button on homepage

  • Identify user experience issues
  • Use source control (GIT) to access code from a previous version
  • Improve navigation by adding Login-Button on homepage

11 – UX improvement – Move diary to homepage

  • Refactor Controllers and Views to merge homepage and diary page

Part 2 (Publish our app to the cloud) still in the works. Please subscribe to my YouTube channel and blog to get notified when it’s ready!

Credits: Big thanks to John Sonmez from SimpleProgrammer. His “10 Steps to learn Anything” course not only helped me to organize my learning but also motivated me to create this tutorial!

ASP.NET MVC Identity whitelisting vs blacklisting – Don’t trust yourself

Just imagine 2 different scenarios in a ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.

Scenario 1: Blacklisting

Your authentication-default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new Action Method on a controller and forget to add the [authorize] attribute.

Resulting Issue: You have a potential security hole in your application that may remain undetected and possibly exploited.

Scenario 2: Whitelisting

Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.

Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.

Which issue would you rather have to deal with?

I personally prefer the whitelisting approach and err on the side of caution.

See also: Enable global authentication with ASP.NET MVC and Identity

 

How I started blogging

Have you been thinking of starting a blog? Then you probably know that it can look like a huge and frightening task…

I have thought about starting one several times in the past.

I then asked myself a lot of questions and got overwhelmed by the answers I found by myself or using google:

  • How to name my blog?
  • Which blogging platform to use?
  • As a IT professional, should I install and setup my baby manually?
  • What to blog about?
  • What language to blog in (with German, English and Spanish to choose from in my case)?
  • Do I have anything to add to the internet? So much stuff already out there….
  • Who am I, to <fill in the blank>?

If you have an introvert tendency like me all these unknowns can give you the excuses you need to NOT get started at all.

Luckily I stumbled over John Sonmez SimpleProgrammer-website and Youtube-channel. After consuming a lot of his free content he is putting out there I finally tried his blog-course and I am glad I did! He managed to simplify the task at hand and use his psychology skills to destroy all your excuses one after another so you can’t help but get that thing up and running!

The fact that you are reading this is the proof! 🙂

Enable global authentication with ASP.NET MVC and Identity

To require user authentication for all action methods on all controllers please add the AuthorizeAttribute class to the App_Start/FilterConfig.cs file:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
{ 
    filters.Add(new AuthorizeAttribute()); 
}

To configure an exception and allow anonymous access to an action method: Decorate it with the AllowAnonymousattribute:

[AllowAnonymous]
public ActionResult Index()
{ 
    // do stuff
}