Building multi-tenant sites are a great way to minimize the amount of duplicate code you need to write. This course teaches you how to secure your multi-tenant ASP.NET websites, and how to limit threats to your multi-tenant code.
All website developers need to understand the basics of securing the sites they work on. Multi-tenant sites are no different. In this course, Securing Multi-tenant ASP.NET Web Apps, you'll learn the skills to add the extra security layers necessary to secure and defend your sites from outside threats. First, you'll gain a better understanding of how ASP.NET Identity works to authenticate users to your site, and learn the customizations to handle multi-tenancy. Next, you'll explore specifically how to protect your ASP.NET MVC views that support static pages, and your WebAPI REST services that support single page apps. Finally, you'll discover how to implement JSON Web Tokens and Two Factor Authentication in your site. When you're finished with this course, you'll have the tools and knowledge to make the best decisions on how to implement multi-tenant security on your ASP.NET website.
Course Overview Hi, my name is Peter Kellner, and welcome to my course, Securing Multi-tenant ASP. NET Apps. I'm a software engineer at 73rd Street Associates and a 10-year Microsoft MVP. Building multi-tenant websites are an awesome way to minimize the amount of duplicate code you need to write to build multiple similar sites. This course builds, but doesn't not require the previous course I did here at Pluralsight on Building Multi-tenant ASP. NET Apps. Security is so important these days that this topic deserves its own course, which is what this is. In this course, expect to learn all about how to secure an ASP. NET website through the lens of building for multi-tenancy. That is, the security requirements are basically the same for a single tenant, but the added wrinkle of multi-tenancy makes things a little more interesting. Some of the major topics that we will cover include extending ASP. NET identity to handle multi-tenancy, using ASP. NET MVC and WebAPI to secure incoming requests, learning the top security threats as seen by OWASP, a leader in security, and how to mitigate those threats, and finally you'll learn how to implement the all-important two-factor auth using the Twilio API. By the end of this course, you will have both a deep understanding of what it takes to secure a multi-tenant ASP. NET web app, as well as having a great handle on the tools and techniques necessary to build security into your own web app. Join me and learn all about securing multi-tenant web apps. Multi-tenancy has been a life-long study for me, and I'm looking forward to sharing with you much of what I've learned, and specifically sharing the security aspects of multi-tenancy in this course.
Updating ASP.NET Identity to Handle Multi-tenancy To keep things in perspective, let's take a look again at our metaphor for a multi-tenant app, that is our house. The windows represent our tenants, and the doors, how to get into our house, or into our website in this case. The door without the lock represents an unauthenticated unsecured user coming in. The door with the lock represents users who are authenticated, and as we'll see in this module, are authenticated through the ASP. NET Identity Framework. We're going to start out by basically having a history lesson of what Microsoft has done with ASP. NET over the years, first starting with the Membership provider model, and then finally working through to the ASP. NET Identity, and talk a little bit about the decisions Microsoft made and why as they move forward. We could've used a number of different ways to secure our ASP. NET app, we didn't have to use ASP. NET Identity, we could've stored the cookies ourselves, we could've created the tokens, we could've passed them back and forth, but ASP. NET identity does all that for us. So essentially, we're going to leverage all the work the ASP. NET team has done for us, and we're going to use ASP. NET Identity to solve our multi-tenant problem. Before we can make ASP. NET Identity multi-tenant, we need to pretty much understand what's in ASP. NET Identity. Specially, we're going to talk about how Microsoft has implemented ASP. NET identity in a Visual Studio project, and then finally we're going to go through all the details necessary to add multi-tenancy to Microsoft's ASP. NET Identity implementation in a Visual Studio project.
Mitigating Top Security Threats It's hard to know what threats your web app might face in production. There are literally thousands of attack vectors that you might find your web app facing. As web developers, we need to plan on where to focus our energies in going after these attacks. Continuing with our house analogy for protecting our websites, we will cover several of our major locks here. Specifically, we will look at an XSS attack as a standard lock on our door, we will look at CSRF attacks as a barrel lock on our door, and SQL Injection attacks as a chain lock. We will also look at other vulnerabilities. A very widely-accepted site called OWASP, which stands for Open Web Application Security Project is a great place to start. OWASP publishes periodically a top-10 list of security threats websites should make sure to protect themselves from. Off of the main page is a link to their latest top-10 list. Looking at pages 7 and 8, you can see those 10 broken out. For the rest of this module, I'll talk about each one of these top 10, a and explain the issues. In many cases, I'll show code that demonstrates these vulnerabilities. This is by no means an exhaustive discussion of each of these, just a brief mention of one or two cases that apply in ASP. NET. Some of these cases are relevant to multi-tenant apps, some are relevant to all apps, of course including multi-tenant ones.