Application Security as a Priority

From Infrastructure to Software: Security Strategies of the .NET User Group Bern

The recent attacks on the Swiss public administration have once again highlighted the need for robust security measures in critical software applications. But the debate often revolves exclusively around securing the infrastructure. How can you ensure that your secure infrastructure is running secure software?

Meetup .NET User Group Bern

Photos from the meetup: attendees listening to a talk; the keynote of the Application Security .NET event seen from the back of the room; the stage during the talk on AAD and .NET; attendees at the networking session.

The experts of our Security Guild presented three strategies at a meetup of the .NET User Group Bern. Focusing on application security, the three deep-dive sessions explored the advantages and possibilities of Azure Active Directory (AAD), the Backend-for-Frontend (BFF) pattern, and the secure use of Terraform in GitHub Actions, and showed how each of these strategies helps secure business applications.

Azure Active Directory

Quick Start with Azure Active Directory

Azure Active Directory (AAD) is a reliable identity provider (IdP) for .NET applications with high security standards and attractive features. In a live demo, our experts showed how a new Blazor application can be connected to AAD within minutes thanks to the seamless integration in Visual Studio. Beyond authentication, the application's authorization and role management are delegated to AAD in a simple and secure manner: roles are defined on the app registration and assigned in the tenant, and the application only evaluates the role claims it receives. Multi-tenant solutions can also be created and operated efficiently and cost-effectively with a few practical techniques.

AAD offers extensive security features such as single sign-on, multi-factor authentication and support for a variety of authentication methods. Using an external IdP simplifies management, reduces costs, and reduces the amount of sensitive data, credentials above all, that your application has to manage itself.
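As an added example (not the code from the live demo), the Program.cs of an ASP.NET Core / Blazor Server application that delegates sign-in and role-based authorization to AAD via Microsoft.Identity.Web. It assumes the NuGet packages Microsoft.Identity.Web and Microsoft.Identity.Web.UI, an "AzureAd" section in appsettings.json (Instance, TenantId, ClientId, CallbackPath) as generated by the Visual Studio template, an app role named "Auditor" on the app registration, and placeholder tenant IDs for the multi-tenant allow-list; all of these names are assumptions. The allow-list addresses the one check a multi-tenant app must not forget: with "TenantId" set to "organizations" or "common", AAD will happily sign in users from any tenant.

```csharp
// Added example, not the demo code from the meetup. Assumed: Microsoft.Identity.Web(.UI)
// packages, an "AzureAd" appsettings section, an app role "Auditor", placeholder tenant IDs.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Sign-in via OpenID Connect against AAD; the session cookie is set up for us.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Multi-tenant: if "TenantId" is "organizations" or "common", AAD issues tokens for users of
// *any* tenant, so the application itself must decide which tenants it serves.
var allowedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "00000000-0000-0000-0000-000000000001", // assumed: customer tenant A
    "00000000-0000-0000-0000-000000000002", // assumed: customer tenant B
};
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var previous = options.Events.OnTokenValidated;      // keep Microsoft.Identity.Web's own handler
    options.Events.OnTokenValidated = async ctx =>
    {
        if (previous is not null) await previous(ctx);
        var tid = ctx.Principal?.FindFirst("tid")?.Value;
        if (tid is null || !allowedTenants.Contains(tid))
            ctx.Fail($"tenant '{tid}' is not allowed to use this application");
    };
});

// Authorization is delegated to AAD: app roles assigned in the tenant arrive as "roles" claims
// in the ID token, which Microsoft.Identity.Web maps to the role claim type used by RequireRole.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;                   // every page requires sign-in
    options.AddPolicy("AuditorsOnly", p => p.RequireRole("Auditor"));
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();            // /MicrosoftIdentity/Account/SignIn etc.
builder.Services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

// Endpoint guarded by the app-role policy: a signed-in user without the "Auditor" role
// receives 403, an anonymous user is redirected to AAD for sign-in.
app.MapGet("/api/audit-log", () => Results.Ok(new[] { "entry 1", "entry 2" }))
   .RequireAuthorization("AuditorsOnly");

app.Run();
```

Note that the issuer validation Microsoft.Identity.Web performs for multi-tenant apps only confirms that the token comes from some AAD tenant; the tid allow-list is what turns "any organization" into "our customers".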

Backend-for-Frontend (BFF)

Backend-for-Frontend (BFF) with Development Proxy for React + ASP.NET Core

The Backend-for-Frontend (BFF) pattern is an approach to software development that aims to improve efficiency and flexibility when providing backend services to different frontend applications. The BFF Pattern is based on the principle that each frontend benefits from having its own dedicated backend interface to best meet its specific requirements.

The BFF pattern can also increase the security of the application: authorization is implemented specifically for one frontend, so only the data that frontend actually needs is transferred to it. Furthermore, in many cases the handling of IdP tokens can be moved from the frontend to the BFF. The browser then holds only a session cookie instead of the access and refresh tokens themselves, which gives the tokens much better protection against being read or exfiltrated by script running in the page.

Our experts presented a reference implementation of the BFF pattern for React + ASP.NET Core and showed how it additionally improves development workflow and security by routing requests to the (in this case Vite-based) development server through the BFF as a proxy. Because every page, including those served by the dev server, passes through the BFF, security headers such as a Content-Security-Policy with a per-request nonce can be generated dynamically, and the browser's security mechanisms behave identically in development and in production. This establishes security as an integral aspect of developing the software and reduces errors that would otherwise only become visible on staging or production environments because of their stricter configuration.
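As an added example (not the reference implementation shown at the meetup), a minimal ASP.NET Core BFF that illustrates the mechanisms described above: tokens stay on the server, the SPA only gets a session cookie, a per-request CSP nonce is generated, and in Development the SPA's own pages are fetched from the Vite dev server through the BFF so the same nonce injection and headers apply as in production. Assumed placeholders: an "AzureAd" appsettings section, the downstream scope "api://orders-api/.default" and URL https://orders.example.internal, a Vite dev server on http://localhost:5173, and Vite 5.3 or newer for the csp-nonce meta tag.

```csharp
// Added example, not the reference implementation from the meetup. Assumed placeholders:
// "AzureAd" appsettings section, scope "api://orders-api/.default", downstream URL
// https://orders.example.internal, Vite dev server on http://localhost:5173 (Vite 5.3+).
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Tokens are acquired and cached on the server; the browser only ever receives the session cookie.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "api://orders-api/.default" })
    .AddInMemoryTokenCaches();
builder.Services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme,
    o => { o.Cookie.HttpOnly = true; o.Cookie.SameSite = SameSiteMode.Lax; o.Cookie.SecurePolicy = CookieSecurePolicy.Always; });
builder.Services.AddHttpClient();

var app = builder.Build();
var isDev = app.Environment.IsDevelopment();

// 1. Fresh nonce per request. The CSP is the same in both environments, except that the Vite
//    HMR websocket (assumed to run on the dev-server port) must be reachable while developing.
app.Use(async (ctx, next) =>
{
    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    ctx.Items["csp-nonce"] = nonce;
    ctx.Response.Headers["Content-Security-Policy"] =
        $"default-src 'self'; script-src 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; " +
        $"connect-src 'self'{(isDev ? " ws://localhost:5173" : "")}; img-src 'self' data:; " +
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
    await next();
});

// 2. CSRF guard for the cookie-authenticated API: a cross-site form or link cannot add a custom
//    request header, so every /api call from the SPA must carry one.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Request.Headers["X-CSRF"] != "1")
    { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return; }
    await next();
});

app.UseAuthentication();
app.UseAuthorization();
if (!isDev) app.UseStaticFiles();             // built SPA assets; in development Vite serves them

// 3. Sign-in is started by the BFF; the SPA never handles an authorization code or a token.
app.MapGet("/bff/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/" }, new[] { OpenIdConnectDefaults.AuthenticationScheme }));

// 4. API proxy: the BFF takes the access token from its server-side cache and attaches it downstream.
app.MapGet("/api/orders", async (ITokenAcquisition tokens, IHttpClientFactory factory) =>
{
    var accessToken = await tokens.GetAccessTokenForUserAsync(new[] { "api://orders-api/.default" });
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    return Results.Content(await client.GetStringAsync("https://orders.example.internal/orders"), "application/json");
}).RequireAuthorization();

// 5. Everything else is the SPA: proxied from Vite in development, index.html from wwwroot in
//    production. HTML is rewritten either way so the nonce lands on every script/style tag.
var vite = new HttpClient { BaseAddress = new Uri("http://localhost:5173") };
app.MapFallback(async (HttpContext ctx) =>
{
    var nonce = (string)ctx.Items["csp-nonce"]!;
    byte[] body; string? contentType = "text/html; charset=utf-8"; var status = 200;
    if (isDev)
    {
        using var upstream = await vite.GetAsync(ctx.Request.Path + ctx.Request.QueryString);
        status = (int)upstream.StatusCode;
        contentType = upstream.Content.Headers.ContentType?.ToString();
        body = await upstream.Content.ReadAsByteArrayAsync();
    }
    else body = await File.ReadAllBytesAsync(Path.Combine(app.Environment.WebRootPath, "index.html"));
    if (contentType?.StartsWith("text/html") == true)
        body = Encoding.UTF8.GetBytes(InjectNonce(Encoding.UTF8.GetString(body), nonce));
    ctx.Response.StatusCode = status;
    ctx.Response.ContentType = contentType;
    await ctx.Response.Body.WriteAsync(body);
});

app.Run();

// Puts the nonce on every <script>/<style> tag and adds the meta tag from which Vite (5.3+,
// assumed) takes the nonce for the style and script elements its client injects at runtime.
static string InjectNonce(string html, string nonce)
{
    html = Regex.Replace(html, @"<(script|style)\b", m => $"<{m.Groups[1].Value} nonce=\"{nonce}\"");
    return html.Replace("<head>", $"<head><meta property=\"csp-nonce\" nonce=\"{nonce}\">");
}
```

The payoff of proxying the dev server is visible in step 5: a React component that injects an inline script or an unsafe style fails in the developer's browser immediately, with the same CSP violation it would produce in production, instead of surfacing on staging. HMR websocket proxying is deliberately left out of the example; a full implementation would forward the upgrade request as well so the Development-only connect-src exception disappears.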

Terraform

Manage Azure Resources with Terraform from GitHub Actions

Back to infrastructure: modern solutions use Infrastructure as Code (IaC) to create and maintain cloud resources reliably and automatically. Often, cloud resources are created or changed via IaC as part of the CI/CD process. For this process to be carried out securely and still require no manual steps, a number of aspects must be taken into account. Using an example application, our experts explained what the process can look like for an open source application with GitHub, Terraform, and Azure.

The OIDC trust between GitHub and Azure is the core element of the security concept. A job in a GitHub Actions workflow presents the short-lived OIDC token that GitHub issues for it, Azure exchanges that token for an access token of the identity the trust was established for, and the job can then access the corresponding Azure resources according to the least-privilege principle, without a single secret appearing in the IaC configuration code. The solution also completely separates the environments from each other, which limits the consequences of a mistake.
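As an added example (not the speakers' configuration), the Azure side of such a trust in Terraform: one app registration, one federated identity credential that accepts tokens from exactly one repository and one GitHub environment, and one role assignment scoped to a single resource group. The repository "example-org/example-app", the environment "prod" and the resource group "rg-example-prod" are assumed names. No client secret is created anywhere.

```hcl
# Added example, not the meetup's configuration. Assumed names: repository
# example-org/example-app, GitHub environment "prod", resource group rg-example-prod.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.47" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.90" }
  }
}

provider "azurerm" {
  features {}
  use_oidc = true # the runner's ID token is exchanged for an ARM token; no secret in the repo
}

data "azurerm_resource_group" "prod" {
  name = "rg-example-prod"
}

resource "azuread_application" "deploy" {
  display_name = "gha-example-app-prod"
}

resource "azuread_service_principal" "deploy" {
  client_id = azuread_application.deploy.client_id
}

# Trust exactly one repository *and* one environment. A workflow on a feature branch, a pull
# request from a fork or another repository presents a different "sub" claim and is rejected,
# so the production credential cannot be obtained from anywhere but the prod environment.
resource "azuread_application_federated_identity_credential" "prod" {
  application_id = azuread_application.deploy.id
  display_name   = "github-prod"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:example-org/example-app:environment:prod"
}

# Least privilege: Contributor on the one resource group the workflow manages, not Owner on
# the subscription. A separate app registration with its own credential serves "staging".
resource "azurerm_role_assignment" "prod_rg" {
  scope                = data.azurerm_resource_group.prod.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deploy.object_id
}
```

On the GitHub side the job must declare `permissions: id-token: write`, run with `environment: prod`, and pass the client ID, tenant ID and subscription ID to the azurerm provider (`ARM_CLIENT_ID`, `ARM_TENANT_ID`, `ARM_SUBSCRIPTION_ID`, `ARM_USE_OIDC=true`); these three values are identifiers, not secrets, and can be stored as plain environment variables. The bootstrap above has to be applied once with a human administrator's credentials, since a pipeline cannot create the trust it will later rely on.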

Lastly, our experts presented various ways in which GitHub can prevent vulnerabilities in source code from going unnoticed, using CodeQL and the easy integration of third-party static analysis tools. This is especially important for Terraform code, which must never contain secrets.

Security and Efficiency combined: Azure Active Directory, BFF, and IaC for your Applications

With Azure Active Directory as the identity cornerstone of your application, a secure software architecture such as the BFF pattern, and consistent implementation of established Infrastructure as Code (IaC) security practices, your software can be as secure as the infrastructure it runs on.

This reduces the risk of an incident and protects your reputation and the trust of your customers. Additionally, with these tools you can increase the efficiency of the development team and save costs. Would you like to learn more or discuss a customized security solution for your application? Contact me.


Gian-Luca Mateo

Team Lead Developers
MSc in Computer Science

gian-luca.mateo@isolutions.ch