Security

Because I would be deploying my RAG application along with my website, I decided to secure my embedding and chat endpoints. Yes, it is selfish but I am writing all these first for myself :). To keep things simple and local, I chose to use JWT tokens for authentication. My approach uses in-memory token generation and validation—no external dependencies or persistent storage required. This is a solid starting point, and you can always enhance it later as your needs grow. ...

Message Envelopes in Message-Based Software Development In message-based software development, message envelopes are a design pattern used to wrap the core message with additional metadata. This metadata helps the messaging system process, route, or interpret the message without needing to understand its actual content. Key Features of Message Envelopes Header and Body Separation: The header contains metadata like routing information, encryption details, or timestamps. The body holds the actual message payload. Flexibility: ...

Securing Your ASP.NET Core Web App: OWASP Top Ten Mitigations Building secure APIs and applications is crucial in today’s interconnected world. This post dives into the OWASP Top Ten vulnerabilities and how you can mitigate them in your ASP.NET Core Web API or application. 1. Injection (A01) Mitigation: Always use parameterized queries or ORM frameworks like Entity Framework. Explanation: Prevent untrusted data from being executed as code by treating it as data. Example: // BAD: vulnerable to SQL injection string sql = $"SELECT * FROM Users WHERE Name = '{userInput}'"; // GOOD: parameterized query string sql = "SELECT * FROM Users WHERE Name = @name"; command.Parameters.AddWithValue("@name", userInput); What can happen: An attacker could inject SQL to exfiltrate or delete sensitive data. 2. Broken Authentication (A02) Mitigation: Use ASP.NET Core Identity with robust password policies and MFA. Example: services.AddIdentity<ApplicationUser, IdentityRole>(options => { options.Password.RequiredLength = 8; options.Password.RequireNonAlphanumeric = true; }); What can happen: Attackers may gain unauthorized access and impersonate users. 3. Sensitive Data Exposure (A03) Mitigation: Use HTTPS and encrypt sensitive data at rest with ASP.NET Core Data Protection. Example: services.AddDataProtection().ProtectKeysWithDpapi(); app.UseHttpsRedirection(); What can happen: Sensitive information could be intercepted by attackers. 4. XML External Entities (XXE) (A04) Mitigation: Disable DTD processing in XML parsers. Example: var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit }; What can happen: Attackers could exploit XXE to extract data or execute malicious actions. 5. Broken Access Control (A05) Mitigation: Use role-based access control. Example: [Authorize(Roles = "Admin")] public IActionResult AdminOnly() => View(); What can happen: Unauthorized users could access restricted resources. 6. Security Misconfiguration (A06) Mitigation: Use secure headers and disable unnecessary features. Example: services.AddHsts(options => { options.Preload = true; options.IncludeSubDomains = true; }); What can happen: Misconfigurations could lead to unauthorized access or system compromise. 7. Cross-Site Scripting (XSS) (A07) Mitigation: Sanitize user input with built-in libraries. Example: @Html.Encode(Model.UserInput) What can happen: Attackers could inject malicious scripts into your application. 8. Insecure Deserialization (A08) Mitigation: Avoid deserializing untrusted data. Example: var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None }; What can happen: Attackers may inject malicious payloads to execute arbitrary code. 9. Using Components with Known Vulnerabilities (A09) Mitigation: Regularly update dependencies and monitor vulnerabilities. Example: dotnet list package --outdated What can happen: Exploitable vulnerabilities in third-party components could compromise your application. 10. Insufficient Logging & Monitoring (A10) Mitigation: Implement robust logging and monitoring. Example: services.AddApplicationInsightsTelemetry(Configuration["InstrumentationKey"]); Log.Logger = new LoggerConfiguration().WriteTo.Console().CreateLogger(); What can happen: Without logs, attacks may go unnoticed, leading to prolonged damage. Conclusion By following these mitigation strategies, you can significantly improve the security posture of your ASP.NET Core Web API. For more resources, check out the OWASP DotNet Security Cheat Sheet. ...

I started studying for AI-102 AI Engineer Associate certification. I am adding the subjects that I am falling short on this blog to improve my knowledge now. First of the series is networking… :) Securing and setting up the network for Azure AI services involves several key steps to ensure that your resources are protected and accessible only to authorized users. Here’s a comprehensive guide: Step 1: Configure Virtual Networks Create a Virtual Network: In the Azure portal, create a virtual network (VNet) that will host your Azure AI services. Add Subnets: Define subnets within your VNet to segment your network and improve security. Step 2: Set Up Private Endpoints Create Private Endpoints: Use private endpoints to connect your Azure AI services to your VNet securely. This ensures that traffic between your VNet and Azure AI services remains within the Azure backbone network. Configure DNS: Update your DNS settings to resolve the private endpoint IP addresses. Step 3: Configure Network Security Groups (NSGs) Create NSGs: Apply NSGs to your subnets to control inbound and outbound traffic. Define rules to allow traffic only from trusted sources. Apply NSGs: Attach the NSGs to your subnets and network interfaces. Step 4: Enable Firewall Rules Deny All by Default: Configure your Azure AI services to deny all incoming traffic by default. Allow Specific Networks: Create rules to allow traffic from specific VNets, subnets, or IP address ranges. Step 5: Use Service Tags and Application Security Groups Service Tags: Use Azure service tags to simplify the management of NSG rules. Service tags represent a group of IP address prefixes for specific Azure services. Application Security Groups: Group VMs and define security policies based on application tiers. Step 6: Monitor and Audit Enable Monitoring: Use Azure Monitor to track the performance and health of your Azure AI services. Audit Logs: Enable and review audit logs to track access and changes to your resources. Example Configuration Here’s an example of how you might configure your network-security-group.yml for NSGs: ...

Below is an example of a Network Diagram that depicts a possible topology for our reservation system, illustrating firewalls, routers, subnets, and connections. It is designed to enhance network security and efficiency. graph TB %% Internet Internet[Internet] --> Firewall1[Firewall] %% Perimeter Network -DMZ subgraph DMZ[Perimeter Network -DMZ-] Router[Router] APIGateway[API Gateway] end Firewall1 --> Router Router --> APIGateway %% Internal Network subgraph InternalNetwork[Internal Network] LoadBalancer[Load Balancer] ApplicationServer1[App Server 1] ApplicationServer2[App Server 2] DatabaseServer[Database Server] EventBus[Wolverine Event Bus] end APIGateway --> LoadBalancer LoadBalancer --> ApplicationServer1 LoadBalancer --> ApplicationServer2 ApplicationServer1 --> DatabaseServer ApplicationServer2 --> DatabaseServer ApplicationServer1 --> EventBus ApplicationServer2 --> EventBus %% External Services subgraph ExternalServices[External Services] NotificationService[Notification Service] PaymentGateway[Payment Gateway] end EventBus --> NotificationService EventBus --> PaymentGateway Components Breakdown: Internet: ...