Damien Bowden
Damien is a web developer, architect and a Microsoft MVP for Visual Studio Development Technologies who loves to learn. He contributes regularly to open source projects on GitHub. He runs a very popular blog which focuses on ASP.NET Core, application security, Azure and Angular.
Presentations at the .Net User Group Bern
End-to-End Secure Web Development with .NET Aspire, JavaScript Frameworks, and DevSecOps
In this session, we look at the critical techniques for securing web applications, leveraging the power of .NET and modern JavaScript frameworks. Attendees will gain insights into implementing robust authentication and authorization mechanisms, adhering to industry standards such as OAuth and OpenID Connect. Additionally, we will explore strategies for session protection, emphasizing a zero-trust approach to ensure comprehensive security and DevOps SAST using Sonar. Join us to learn best practices and practical solutions for safeguarding your web applications against evolving threats.
Integrating E-ID (swiyu) using ASP.NET Core and Aspire
In this session, we look at integrating the Swiss E-ID (swiyu) into an ASP.NET Core web application and Aspire. The E-ID can be used for identity validation, basic authentication or onboarding new users into solutions. This talk gives a technical overview of what can be done with the E-ID and how to use this in your solutions.
Securing .NET Core, ASP.NET Core applications
This talk gives an overview of authentication and authorization in .NET Core and ASP.NET Core applications. Some of the different approaches when implementing these in SPAs, ASP.NET Core UI or APIs, and Cloud solutions will be explained, as well as the different OpenID Connect and OAuth flows which should be used or can be used for these types of solutions now and in the future.
The second part of this talk will be a general introduction to implementing Self Sovereign Identity in ASP.NET Core.
.NETworking Workshop ASP.NET Core 3.0 Security
This workshop shows how authentication, authorization and security requirements can be implemented using ASP.NET Core 3.0. Some of the different approaches when implementing these in SPAs, or ASP.NET Core Razor/MVC will be explained as well as the different OpenID Connect/OAuth flows which should be used or can be used for these types of solutions.
Agenda
- 8:30 - 9:00 Welcome Coffee
- 9:00 - 10:30 Intro
  - Security requirements
  - ASP.NET Core Framework Security features
  - Claims, Principals, Identities, Claims based Identity
  - Cookie Authentication
  - Data Protection
  - Authorization
  - External Authentication Providers
  - User Secrets
  - Exercise: Cookie based authentication Identity ASP.NET Core Razor Pages application, EF Core SQLite DB, User secrets
- 10:30 - 11:00 Coffee break (Tapis Rouge)
- 11:00 - 12:30 OpenID Connect, OAuth2 flows
  - OAuth2 Resource Owner Credentials Flow
  - OpenID Connect Code flow
  - OpenID Connect Hybrid flow
  - OpenID Connect PKCE Authorization Code Flow (RFC 7636)
  - OAuth Device Flow
  - Exercise: IdentityServer4 secure token service with an ASP.NET Core OpenID Connect Hybrid flow client
- 12:30 - 14:00 Lunch
- 14:00 - 15:30 API Authorization
  - APIs with tokens authorization
  - APIs with cookies authorization
  - Introspection
  - Public, protected APIs
  - Exercise: Client/API with JWT Bearer token authorization
  - Authorization policies, claims
    - Policies
    - Handlers
    - Requirements
    - Custom authorization
  - Exercise: Implementing authorization using claims, policies, handlers
- 15:30 - 16:00 Coffee break
- 16:00 - 17:30 Protecting the session, client
  - Click jacking
  - XSS
  - CSRF
  - CSP
  - HSTS
  - Cookie protection
  - Exercise: Add security fixes to an existing ASP.NET Core application
- 17:30 Retrospective
Workshop Requirements
- PC with .NET Core 3 SDK and Visual Studio 2019/Visual Studio Code installed
- Internet WLAN connection
Application Security in ASP.NET Core
This talk shows how authentication and authorization can be implemented for ASP.NET Core applications. Some of the different approaches when implementing these in SPAs, or ASP.NET Core MVC will be explained as well as the different OpenID Connect flows which should be used or can be used for these types of solutions.