Designing and Implementing Security Architecture
Knowledge requirements:
- Plan for operational security. This objective may include but is not limited to: approaches for process- and resource-level security, including local and remote resources; Code Access Security (CAS), including trust level, process identity, application pool, and identity tag.
- Design an authentication and authorization model. This objective may include but is not limited to: authentication providers, including WindowsForms, and custom user identity flowthrough (for example, trusted subsystem); role management; membership providers; URL authorization (for example, AuthorizationAttribute); file authorization; Authorization Manager (AzMan).
- Plan for minimizing attack surfaces. This objective may include but is not limited to: input validation, throttling inputs, request filtering, where to use Secure Sockets Layer (SSL).
References
- Plan for operational security.
  - P&P: ASP.NET 2.0 Security Guidance Index (EN)
  - P&P: Web Application Security Frame (EN)
  - P&P: Building Secure ASP.NET Applications (EN)
  - Approaches for process- and resource-level security, including local and remote resources
    - View State Security (MSDN Magazine/EN)
  - Code Access Security (CAS), including trust level, process identity, application pool, and identity tag
- Design an authentication and authorization model.
  - Authentication providers, including WindowsForms, and custom user identity flowthrough (for example, trusted subsystem)
    - Passive Authentication for ASP.NET with WIF (MSDN Magazine/RU)
  - Role management
  - Membership providers
    - Authorization in ASP.NET
  - URL authorization (for example, AuthorizationAttribute)
  - File authorization
  - Authorization Manager (AzMan)
- Plan for minimizing attack surfaces.
  - Input validation
    - Model Validation and Metadata in ASP.NET MVC 2 (MSDN Magazine/RU)
  - Throttling inputs
  - Request filtering
    - Validating ASP.NET Query Strings (MSDN Magazine/RU)
  - Where to use Secure Sockets Layer (SSL)
Video:
- Security in ASP.NET
- HowTo: How to build a web service with encrypted traffic, or transport-level traffic encryption in WCF (basichttpbinding + SSL)
- WCF Security. Part 1 (authentication)
- WCF Security. Part 2 (authorization)
- WCF Security. Part 2 (delegation)
- Key security aspects of exposing data through ADO.NET Data Services