[HN Gopher] Rapidly Build SaaS apps on ASP.NET/ServiceStack base...
___________________________________________________________________
Rapidly Build SaaS apps on ASP.NET/ServiceStack based on zero-trust
security
Author : kumaranv
Score : 25 points
Date : 2021-04-06 17:48 UTC (5 hours ago)
(HTM) web link (aspsecuritykit.net)
(TXT) w3m dump (aspsecuritykit.net)
| abgr-y wrote:
| How's your ADA different from say, ASP.NET policy authorization?
| What's the real benefit here?
| TriNetra wrote:
| Glad you asked! I'd encourage you to go through this [0] guide, or
| watch the [1] video. But briefly: ASP.NET Core policy authorization
| works on full trust mode when it comes to the data sent by the
| callers. This means unless you write code to authorize access
| to resources, users will have access to everything. And to
| authorize a single resource mentioned in an API operation, you
| have to write a lot of code including a requirement definition,
| an authorization handler, and invocation of the
| authorizationService from the action body. Just imagine doing
| this for multiple resources in an operation and doing it for
| hundreds of API operations. All this is hard-coded which is
| vulnerable to omission and manual mistakes, not to mention the
| time you spend on writing/maintaining such code.
|
| On the other hand, ASPSecurityKit works on zero-trust
| principle, which means by default users have access to nothing,
| and gain access to only those resources you explicitly grant.
| The best part is that you don't have to write any code for this
| protection in most cases; your code remains crisp and clean
| throughout.
|
| 0: https://aspsecuritykit.net/guides/aspnet-policy-
| authorizatio...
|
| 1: https://youtu.be/t-3bhDKJvlY
| lukevp wrote:
| Agreed that open by default is bad once you start building
| APIs, but it's pretty easy to register a default policy to
| require authorization and override it with AllowAnonymous or
| other policies as required.
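The two patterns discussed above, a deny-by-default fallback policy with an explicit AllowAnonymous opt-out, and the hand-written requirement, handler and IAuthorizationService call that TriNetra describes for protecting a single resource, put together in one ASP.NET Core application. This is an added example, not code from the thread, from ASPSecurityKit or from the ASP.NET Core project; the cookie scheme, the Document type, the in-memory store, the user ids and the route names are all constructed for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

// Cookie auth stands in for whatever scheme the real app uses (assumption).
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

builder.Services.AddAuthorization(options =>
{
    // Deny by default: any endpoint that carries neither [Authorize] nor
    // [AllowAnonymous] still requires an authenticated caller.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

// The handler that evaluates the resource-based requirement below.
builder.Services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Constructed resource type; in a real app this comes from the data layer.
public sealed class Document
{
    public int Id { get; init; }
    public string OwnerId { get; init; } = "";
}

// Requirement definition: "the caller must own the document".
public sealed class DocumentOwnerRequirement : IAuthorizationRequirement { }

// Authorization handler: compares the caller's identity to the resource.
public sealed class DocumentOwnerHandler
    : AuthorizationHandler<DocumentOwnerRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DocumentOwnerRequirement requirement,
        Document resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null && userId == resource.OwnerId)
        {
            context.Succeed(requirement);
        }
        // No Fail() call: a requirement that is never marked succeeded is denied.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("documents")]
public sealed class DocumentsController : ControllerBase
{
    // Constructed in-memory store with two owners, standing in for a database.
    private static readonly Dictionary<int, Document> Store = new()
    {
        [1] = new Document { Id = 1, OwnerId = "alice" },
        [2] = new Document { Id = 2, OwnerId = "bob" },
    };

    private readonly IAuthorizationService _authz;

    public DocumentsController(IAuthorizationService authz) => _authz = authz;

    [HttpGet("{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        if (!Store.TryGetValue(id, out var doc))
        {
            return NotFound();
        }

        // The fallback policy only proved *who* the caller is. This call proves
        // they may read *this* document; forgetting it on any action leaks data.
        var result = await _authz.AuthorizeAsync(User, doc, new DocumentOwnerRequirement());
        return result.Succeeded ? Ok(doc) : Forbid();
    }

    // Explicit opt-out of the fallback policy for a genuinely public endpoint.
    [AllowAnonymous]
    [HttpGet("health")]
    public IActionResult Health() => Ok("up");
}
```

The fallback policy handles the "closed by default" half of the thread in one place, but every action that touches a specific record still needs its own AuthorizeAsync call with a matching requirement and handler; that per-resource, per-action boilerplate is the repetition the parent comment is objecting to, and a missed call is silent rather than a compile error.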
| martinald wrote:
| Just some feedback, I found the audio in the video explainer hard
| to follow. It sounded sort of weirdly text to speech and/or there
| were grammar mistakes in the original transcript. I'd get a
| professional to rerecord it.
|
| Looks interesting though.
| kr4 wrote:
| What exactly does zero-trust mean here?
| TriNetra wrote:
| from [0]:
|
| > The zero-trust security model assumes breach as the default
| phenomenon and therefore, it advocates verifying every request
| with all possible options available to ensure the legitimacy of
| the request. It also emphasizes following the principle of
| least privilege access to limit access to the system for only
| the functions requested even though the elevated privilege
| might be available for the caller.
|
| > Zero-trust and least privilege access are fundamental
| principles to ASPSecurityKit design. A few examples:
|
| > 1. As you apply ASPSecurityKit's ProtectAttribute on the base
| controller (or the base service in ServiceStack) or as a global
| filter, it instantly begins guarding all operations of your web
| application with a multi-stage security pipeline that involves,
| among other things, XSS validation, authentication, multi-
| factor, authorization. All these checks are necessary unless
| you disable one or more for specific operations.
|
| > 2. Following the same principles, activity-based, data-aware
| authorization components enforce that to execute an operation,
| the caller must possess its corresponding permissionCode, and
| any existing data being referred for the operation must also
| have been permitted. You can selectively exclude operations and
| data from these checks, but the default is to guard everything.
| The user verification, user suspension and entity suspension
| checks are designed to block every incoming request if the
| corresponding check fails, and give you tools and control to
| explicitly exclude certain operations (of your choice) from the
| check.
|
| ...
|
| https://aspsecuritykit.net/docs/article/introduction/#zero-t...
| fm200 wrote:
| I have to say it, but asp.net and microsoft in general fit very
| well into my idea of zero-trust per se.
|
| Jokes aside, I don't know much about how it is today, but years
| ago I had to run some asp.net apps in production, it was a
| nightmare...
| gregmac wrote:
| There's good and bad apps, like most platforms, and it is
| comparable to PHP from that perspective. Having worked
| extensively in both, I'd say the general problem with PHP is
| it's really easy for a beginner to get started, and just as easy
| to grow a small, simple app into a large, functional-but-awful
| monstrosity.
|
| ASP.NET is really just a foundation layer for a whole bunch of
| different web frameworks including WebAPI, MVC, RazorPages,
| Blazor, WCF and WebForms. I'd blame WebForms in particular for
| a lot of the bad apps: it basically tries to make the web act
| like stateful Windows Forms apps (literally with controls that
| have "server-side events" and maintain state across several
| HTTP requests). As a result, lots of Windows Forms developers
| could build apps without actually understanding a lot of the
| complexity of the web and especially its security implications.
| TriNetra wrote:
| Not sure what the particular issue you faced was, but ASP.NET
| Core has come a long way - you can run .NET Core apps on Linux
| as well, not to mention the whole thing is open source under
| DotNet Foundation [0].
|
| 0: https://dotnetfoundation.org/
| sbehlasp wrote:
| Is the source code for ASPSecurityKit available for review?
| Generally enterprises prefer that when it comes to using a
| security component in a critical production system.
| TriNetra wrote:
| Yes, under business/enterprise plan [0], you'll get access
| to the complete source code on our private GitHub
| repository.
|
| 0: https://ASPSecurityKit.net/pricing/#enterprise
| 1cvmask wrote:
| How can one add an MFA solution like saas pass to this? Or do you
| add it?
___________________________________________________________________
(page generated 2021-04-06 23:00 UTC)