[HN Gopher] Rapidly Build SaaS apps on ASP.NET/ServiceStack base...
___________________________________________________________________
Rapidly Build SaaS apps on ASP.NET/ServiceStack based on zero-trust security
Author : kumaranv
Score  : 25 points
Date   : 2021-04-06 17:48 UTC (5 hours ago)
(HTM) web link (aspsecuritykit.net)
(TXT) w3m dump (aspsecuritykit.net)
| abgr-y wrote:
| How's your ADA different from say, ASP.NET policy authorization?
| What's the real benefit here?
| TriNetra wrote:
| Glad you asked! I'd encourage you to go through this [0] guide, or
| watch the [1] video. But briefly: ASP.NET Core policy authorization
| works in full trust mode when it comes to the data sent by the
| callers. This means unless you write code to authorize access
| to resources, users will have access to everything. And to
| authorize a single resource mentioned in an API operation, you
| have to write a lot of code including a requirement definition,
| an authorization handler, and invocation of the
| authorizationService from the action body. Just imagine doing
| this for multiple resources in an operation and doing it for
| hundreds of API operations. All this is hard-coded, which is
| vulnerable to omission and manual mistakes, not to mention the
| time you spend on writing/maintaining such code.
|
| On the other hand, ASPSecurityKit works on the zero-trust
| principle, which means by default users have access to nothing,
| and gain access to only those resources you explicitly grant.
| The best part is that you don't have to write any code for this
| protection in most cases; your code remains crisp and clean
| throughout.
|
| 0: https://aspsecuritykit.net/guides/aspnet-policy-authorizatio...
|
| 1: https://youtu.be/t-3bhDKJvlY
| lukevp wrote:
| Agreed that open by default is bad once you start building
| APIs, but it's pretty easy to register a default policy to
| require authorization and override it with AllowAnonymous or
| other policies as required.
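The two approaches contrasted in this exchange, as an added example that is not taken from the thread or from ASPSecurityKit: lukevp's default-deny fallback policy, and the three pieces TriNetra lists for resource-based authorization in ASP.NET Core (a requirement, a handler, and an explicit IAuthorizationService call in the action body). Document, DocumentOwnerHandler, DocumentOperations and FindDocument are hypothetical names; the framework types and calls are real ASP.NET Core APIs.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public record Document(int Id, string OwnerId, string Body); // hypothetical entity
public static class AuthzSetup
{
    // ConfigureServices: the fallback policy closes the "open by default" gap, so any endpoint
    // without its own [Authorize]/[AllowAnonymous] now requires an authenticated user.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(o => o.FallbackPolicy =
            new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
        services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>(); // piece 2 below
    }
}
// Piece 1: the requirement (the built-in OperationAuthorizationRequirement suffices here).
public static class DocumentOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
}
// Piece 2: the handler, evaluated against one resource instance. It never calls Fail();
// the requirement simply stays unmet, and access is denied, unless Succeed is reached.
public class DocumentOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Document resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null && userId == resource.OwnerId) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
// Piece 3: the explicit call in the action body, repeated for every resource an operation
// touches; omitting it for one resource leaves that resource unprotected.
public class DocumentsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public DocumentsController(IAuthorizationService authz) => _authz = authz;
    [HttpGet("documents/{id}")]
    public async Task<IActionResult> Get(int id)
    {
        Document? doc = FindDocument(id); // stub below stands in for a real data lookup
        if (doc is null) return NotFound();
        var result = await _authz.AuthorizeAsync(User, doc, DocumentOperations.Read);
        if (!result.Succeeded) return Forbid(); // 403 for an authenticated non-owner
        return Ok(doc.Body);
    }
    private static Document? FindDocument(int id) => null; // hypothetical lookup stub
}
```

The fallback policy handles the unauthenticated case globally, but the per-resource ownership check still has to be written and invoked for each resource in each action, which is the maintenance burden the thread is discussing.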
| martinald wrote:
| Just some feedback, I found the audio in the video explainer hard
| to follow. It sounded sort of weirdly text-to-speech and/or there
| were grammar mistakes in the original transcript. I'd get a
| professional to rerecord it.
|
| Looks interesting though.
| kr4 wrote:
| What exactly does zero-trust mean here?
| TriNetra wrote:
| From [0]:
|
| > The zero-trust security model assumes breach as the default
| phenomenon and therefore, it advocates verifying every request
| with all possible options available to ensure the legitimacy of
| the request. It also emphasizes following the principle of
| least privilege access to limit access to the system for only
| the functions requested even though the elevated privilege
| might be available for the caller.
|
| > Zero-trust and least privilege access are fundamental
| principles of ASPSecurityKit design. A few examples:
|
| > 1. As you apply ASPSecurityKit's ProtectAttribute on the base
| controller (or the base service in ServiceStack) or as a global
| filter, it instantly begins guarding all operations of your web
| application with a multi-stage security pipeline that involves,
| among other things, XSS validation, authentication, multi-
| factor, authorization. All these checks are necessary unless
| you disable one or more for specific operations.
|
| > 2. Following the same principles, activity-based, data-aware
| authorization components enforce that to execute an operation,
| the caller must possess its corresponding permissionCode, and
| any existing data being referred to for the operation must also
| have been permitted. You can selectively exclude operations and
| data from these checks, but the default is to guard everything.
| The user verification, user suspension and entity suspension
| checks are designed to block every incoming request if the
| corresponding check fails, and give you tools and control to
| explicitly exclude certain operations (of your choice) from the
| check.
|
| ...
|
| https://aspsecuritykit.net/docs/article/introduction/#zero-t...
| fm200 wrote:
| I have to say it, but ASP.NET and Microsoft in general fit very
| well into my idea of zero-trust per se.
|
| Jokes aside, I don't know that much how it is today, but years ago
| I had to run some ASP.NET apps in production, it was a
| nightmare...
| gregmac wrote:
| There's good and bad apps, like most platforms, and it is
| comparable to PHP from that perspective. Having worked
| extensively in both, I'd say the general problem with PHP is
| it's really easy for a beginner to get started, and just as easy
| to grow a small, simple app into a large, functional-but-awful
| monstrosity.
|
| ASP.NET is really just a foundation layer for a whole bunch of
| different web frameworks including WebAPI, MVC, RazorPages,
| Blazor, WCF and WebForms. I'd blame WebForms in particular for
| a lot of the bad apps: it basically tries to make the web act
| like stateful Windows Forms apps (literally with controls that
| have "server-side events" and maintain state across several
| HTTP requests). As a result, lots of Windows Forms developers
| could build apps without actually understanding a lot of the
| complexity of the web and especially its security implications.
| TriNetra wrote:
| Not sure what the particular issue you faced was, but ASP.NET
| Core has come a long way - you can run .NET Core apps on Linux
| as well, not to mention the whole thing is open source under
| the DotNet Foundation [0].
|
| 0: https://dotnetfoundation.org/
| sbehlasp wrote:
| Is the source code for ASPSecurityKit available for review?
| Generally enterprises prefer that when it comes to using a
| security component in a critical production system.
| TriNetra wrote:
| Yes, under the business/enterprise plan [0], you'll get access
| to the complete source code on our private GitHub
| repository.
|
| 0: https://ASPSecurityKit.net/pricing/#enterprise
| 1cvmask wrote:
| How can one add an MFA solution like saas pass to this? Or do you
| add it?
___________________________________________________________________
(page generated 2021-04-06 23:00 UTC)