Martin Costello's Blog

Levelling Up Security with the GitHub Secure Open Source Fund

Mon, 11 Aug 2025 00:00:00 +0000

After sitting on the secret for the last few months, I’m excited to finally share that back in May I was selected to participate in the second cohort of the GitHub Secure Open Source Fund through my maintenance of Polly. 🎉

The GitHub Secure Open Source Fund is a GitHub-lead initiative aimed at improving the security of open source software at scale by providing funding and resources to maintainers of popular open source projects. Big names in the software industry like 1Password, American Express, Shopify, Stripe, and Vercel help fund this initiative to enhance the security posture of open source software projects across many language ecosystems.

Many open source projects are fundamental building blocks of countless software applications, whether open source or proprietary, and the security of the entire software supply chain can be at risk if security vulnerabilities occur in these community-driven projects. For example, Polly is a dependency of .NET Aspire, which has become quite popular over the last year.

Through my participation in the GitHub Secure Open Source Fund, I gained access to a wealth of valuable resources, including expert guidance from GitHub staff and experts on best practices for securing open source software, as well as funding to help sustain my involvement in the development and maintenance of the many open source projects I contribute to.

Continuous Benchmarks on a Budget

Mon, 23 Sep 2024 00:00:00 +0000

Over the last few months I’ve been doing a bunch of testing with the new OpenAPI support in .NET 9. As part of that testing, I wanted to take a look at how the performance of the new libraries compared to the existing open source libraries for OpenAPI support in .NET, the most popular including NSwag and Swashbuckle.AspNetCore.

It’s fairly easy to get up and running writing some benchmarks using BenchmarkDotNet, but it’s often a task that you need to sit down and do manually when you have the need, and then gets forgotten about as time goes on. Because of that, I thought it would be a fun mini-project to set up some automation to run the benchmarks on a continuous basis so that I could monitor the performance of my open source projects easily going forwards.

In this post I’ll cover how I went about setting up a continuous benchmarking pipeline using GitHub Actions, GitHub Pages and Blazor to run and visualise the results of the benchmarks on a “good enough” basis without needing to spend any money^* on infrastructure.

What's New for OpenAPI with .NET 9

Mon, 09 Sep 2024 00:00:00 +0000

Developers in the .NET ecosystem have been writing APIs with ASP.NET and ASP.NET Core for years, and OpenAPI has been a popular choice for documenting those APIs. OpenAPI at its core is a machine-readable document that describes the endpoints available in an API. It contains information not only about parameters, requests and responses, but also additional metadata such as descriptions of properties, security-related metadata, and more.

These documents can then be consumed by tools such as Swagger UI to provide a user interface for developers to interact with the API quickly and easily, such as when testing. With the recent surge in popularity of AI-based development tools, OpenAPI has become even more important as a way to describe APIs in a way that machines can understand.

For a long time, the two most common libraries to produce API specifications at runtime for ASP.NET Core have been NSwag and Swashbuckle. Both libraries provide functionality that allows developers to generate a rich OpenAPI document(s) for their APIs in either JSON and/or YAML from their existing code. The endpoints can then be augmented in different ways, such as with attributes or custom code, to further enrich the generated document(s) to provide a great Developer Experience for its consumers.

With the upcoming release of ASP.NET Core 9, the ASP.NET team have introduced new functionality for the existing Microsoft.AspNetCore.OpenApi NuGet package, that provides a new way to generate OpenAPI documents for ASP.NET Core Minimal APIs.

In this post, we’ll take a look at the new functionality and compare it to the exsisting NSwag and Swashbuckle libraries to see how it compares in both features as well as performance.

Look ma, no Dockerfile! 🚫🐋 - Publishing containers with the .NET SDK 📦

Thu, 02 May 2024 00:00:00 +0000

Containers have been a thing in the software ecosystem for a few years now, with lots of associated technologies and concepts - Docker, Kubernetes, Helm charts, sidecars and many more. Using containers simplifies the deployment of your application by reducing things down to a single artifact that you can deploy along with all the required dependencies, including the operating system, and everything should Just Work™️. It’s almost like shipping your whole machine off to production!

The cost for that simplicity of deployment is the steeper learning curve for you the developer to understand all these additional concepts and technologies. In addition, you will likely need to revisit how you build your application, creating a Dockerfile to produce a container image that contains everything you need to build and run your application.

The more complicated your build process, the more daunting this becomes - for example, if your application builds client-side assets with a JavaScript toolchain. In that case, you need to install Node.js, npm etc. in the container build image too so you can produce those assets. Things can quickly get complicated, and that’s before you even start thinking about things like layer caching, exposing ports, what user to run as and more. 😮‍💨

What if we could simplify a lot of that complexity and just build our application like we would if we weren’t using containers, but then just turn it into a container image? Well, the .NET 8 SDK allows us to do exactly this, meaning you can containerise your application and not need a Dockerfile at all! 🚫🐋

Plus, as a bonus, if building with GitHub Actions, we can leverage this support to attest the provenance of our container images with minimal additional effort. 🕵️🪪

.NET Native AoT Make AWS Lambda Function Go Brrr

Wed, 29 Nov 2023 00:00:00 +0000

Since 2017 I’ve been maintaining an Alexa skill, London Travel, that provides real-time information about the status of London Underground, London Overground, and the DLR (and the Elizabeth Line). The skill is an AWS Lambda function, originally implemented in Node.js, but since 2019 it has been implemented in .NET.

The skill uses the Alexa Skills SDK for .NET to handle the interactions with Alexa, and since earlier this month has been running on .NET 8.0.0.

I’ve been using a custom runtime for the Lambda function instead of the .NET managed runtime. The main reason for this is that it lets me use any version of .NET, not just the ones that AWS support. This has allowed me to not only use pre-release versions of .NET for testing, but it also enables me to use the latest versions of .NET as soon as they are released. The only disadvantage of this approach is that I have to patch the version of .NET being used once a month for Patch Tuesday, but I have automation set up to do that for me, so the overhead of doing that is actually minimal 😎.

As part of the .NET 8 release, the .NET team has put a lot of effort into improving the breadth of the capability of the native AoT support. With .NET 8, many more use cases are supported for AoT, making the performance and size benefits of AoT available to more applications than before. The .NET team at AWS has also been working hard on ensuring that the various AWS SDK libraries are compatible with AoT, with the various NuGet packages now annotated (and tested) as being AoT compatible.

With all these changes, I was curious to see how much of a difference AoT would make to the performance of my Lambda function, so I decided to try it out. In this post I’ll go through what I needed to change to allow publishing my Alexa skill as a native application, what I learned along the way, and the results of the changes to the function’s runtime performance.

TL;DR: It’s faster, smaller, and cheaper to run. 🚀🔥

Let’s dive in!

Upgrading to .NET 8: Part 6 - The Stable Release

Mon, 20 Nov 2023 00:00:00 +0000

Last week at .NET Conf 2023, the stable release of .NET 8 was released as the latest Long Term Support (LTS) release of the .NET platform.

With the release of .NET 8.0.0 and the end of the preview releases, my past week can be summed up by the following image:

Upgrading to .NET 8: Part 5 - Preview 7 and Release Candidates 1 and 2

Fri, 13 Oct 2023 00:00:00 +0000

This post is a bumper edition, covering three different releases:

I had intended to continue the post-per-preview series originally, but time got away from me with preview 7, plus there wasn’t much to say about it, and then I went on holiday for two weeks just as release candidate 1 landed. Given release candidate 2 was released just a few days ago, instead I figured I’d just catch-up with myself and summarise everything in this one blog post instead!

Release Candidate 2 is also the last planned release before the final release of .NET 8 in November to coincide with .NET Conf 2023, so this is going to be the penultimate post in this series.

Upgrading to .NET 8: Part 4 - Preview 6

Wed, 19 Jul 2023 00:00:00 +0000

Following on from part 3 of this series, I’ve been continuing to upgrade my projects to .NET 8 - this time to preview 6. In this post I’ll cover more experiences with the new source generators with this preview as well as a new feature of C# 12: primary constructors.

Upgrading to .NET 8: Part 3 - Previews 1-5

Wed, 12 Jul 2023 00:00:00 +0000

In the previous post of this series I described how with some GitHub Actions workflows we can reduce the amount of manual work required to test each preview of .NET 8 in our projects. With the infrastructure to do that set up we can now dig into some highlights of the things we found in our testing of .NET 8 itself in the preview releases available so far this year!

Upgrading to .NET 8: Part 2 - Automation is our Friend

Tue, 11 Jul 2023 00:00:00 +0000

In part 1 of this series I recommended that you prepare to upgrade to .NET 8 and suggested that you start off by testing the preview releases. Testing the preview releases is a great way to get a head start on the upgrade process and to identify any issues sooner rather than later, but it does require an investment of your time from preview to preview each month.

Even if you don’t want to test new functionality, you still need to download the new .NET SDK, update all the .NET SDK and NuGet package versions in your projects, and then test that everything still works (that’s already automated at least, right?). This can be a time-consuming process over the course of a new .NET release, and it starts to become harder to scale if you want to test lots of different codebases with the latest preview of the next .NET release.

What if we could automate some of this process so that we only need to focus on the parts where we as humans really add value compared to the mechanical parts of an upgrade?

In part 2 of this series I’m going to explain how I’ve gone about automating the boring parts of the process of testing the latest .NET preview releases using GitHub Actions.

Upgrading to .NET 8: Part 1 - Why Upgrade?

Mon, 10 Jul 2023 00:00:00 +0000

Another year, another new major version of .NET is coming - .NET 8, to be specific.

I write that like it’s brand new information - it’s been coming for a while, what with .NET 8 Preview 1 having being released in Feburary - but it’s only recently occured to me to write this blog post series (yes, a series, more on that later).

As annouced a few releases ago, a new major version of .NET is released every November. These alternate between an odd-numbered Short Term Support (STS) release and an even-numbered Long Term Support (LTS) release (see here).

There’s a nice graphic here from the .NET website that illustrates how things look today:

That means .NET 8 will be the next LTS release and supercede .NET 6 and also .NET 7 by the end of 2024.

But why should you upgrade to .NET 8? Staying supported and patched is the primary reason, but there’s another reason that sounds much more compelling:

“The first thing that you can do to get free performance in your ASP.NET or .NET applications is to upgrade your .NET version.”

Damian Edwards

Improving ASP.NET Core Before It Ships 🚢

Tue, 03 May 2022 00:00:00 +0000

This blog post was originally published by me on the Just Eat Tech blog.

Writing code that millions of people will use is something we do every day. Writing code that millions of developers will use feels a little different.

Have you ever wondered why Microsoft releases preview versions of their products before the final release? Well, it’s so real customers can help ensure their quality before they go live. In this post, we’ll tell you about an issue we found in testing the previews of ASP.NET Core and how we worked with Microsoft to fix it.

Using the .NET JSON Source Generator with ASP.NET Core Minimal APIs

Sun, 28 Nov 2021 00:00:00 +0000

I’ve recently completed upgrading a bunch of personal and work applications to ASP.NET Core 6, and now that the dust has finally settled on those efforts, I thought I’d look into a new feature of .NET 6 that I hadn’t tried out yet - JSON source generators.

If you haven’t come across them before, C# source generators are a way to write some code that can generate more code during compilation. It’s a form of metaprogramming.

One of the benefits of the new JSON source generator for the System.Text.Json serializer is that it is more performant that the APIs introduced as part of .NET 5. This is because the serializer is able to leverage code that is compiled ahead-of-time (the source generator part) to serialize and deserialize objects to and from JSON without using reflection (which is relatively slow).

It sounds like that could give applications a performance boost at runtime, but how can we use the new JSON source generator with ASP.NET Core Minimal APIs?

GitHub Codespaces Gotchas with ASP.NET Core OAuth

Sun, 15 Aug 2021 00:00:00 +0000

This week GitHub Codespaces was made generally available for Teams and Enterprise, and coupled with the release of the ability to open any repository in Visual Studio Code in a web browser just by pressing ., I thought I’d give it a try with some existing projects. In the process I hit a few gotchas that took me a few hours to get to the bottom of. This post goes through some of those and how to resolve them.

Integration Testing ASP.NET Core Resources Protected with Antiforgery Using Application Parts

Tue, 16 Jun 2020 00:00:00 +0000

To protect your POST resources in an ASP.NET Core application from Cross-Site Request Forgery (CSRF) an application developer would typically use the antiforgery features to require an antiforgery token and cookie are included in HTTP POST form requests.

A necessary downside of these protections is that they make it harder to integration test such resources, particularly in a headless manner. This is because the tests need to acquire the antiforgery token and cookie to be able to successfully pass the antiforgery protections on a resource that needs to be tested.

A typical approach for this is to scrape the HTML response from the application for the hidden form field token (often named __RequestVerificationToken) using Regular Expressions and then using that, along with the cookie, in the request(s) the test(s) make. This can however make tests brittle to change, particularly if the UI is refactored.

In this blog post I’ll discuss an alternate approach using ASP.NET Core Application Parts that can make such tests easier to author and maintain, allowing you to concentrate on the core logic of your tests, rather than boilerplate setup.

Integration testing AWS Lambda C# Functions with Lambda Test Server

Mon, 11 Nov 2019 00:00:00 +0000

Lambda Test Server is a .NET Core 3.0 library available from NuGet which builds on top of the TestServer class in the Microsoft.AspNetCore.TestHost NuGet package to provide infrastructure to use with end-to-end/integration tests for .NET Core AWS Lambda Functions using a custom runtime.

The example below shows how Lambda Test Server can be used to write an xunit integration test for a simple C# Lambda function that reverses an array of integers:

[Fact]
public static async Task Function_Reverses_Numbers()
{
 // Arrange
 using var server = new LambdaTestServer();
 using var cancellationTokenSource = new CancellationTokenSource(TimeSpan.FromSeconds(1));

 await server.StartAsync(cancellationTokenSource.Token);

 int[] value = new[] { 1, 2, 3 };
 string json = JsonConvert.SerializeObject(value);

 LambdaTestContext context = await server.EnqueueAsync(json);

 using var httpClient = server.CreateClient();

 // Act
 await ReverseFunction.RunAsync(httpClient, cancellationTokenSource.Token);

 // Assert
 Assert.True(context.Response.TryRead(out LambdaTestResponse response));
 Assert.True(response.IsSuccessful);

 json = await response.ReadAsStringAsync();
 int[] actual = JsonConvert.DeserializeObject<int[]>(json);

 Assert.Equal(new[] { 3, 2, 1 }, actual);
}

The source is available in GitHub - pull requests are welcome!

Further samples for using the library with xunit are available in GitHub here: https://github.com/martincostello/lambda-test-server/tree/main/samples

Using Refit with the new System.Text.Json APIs

Sun, 16 Jun 2019 00:00:00 +0000

I’m a big fan of the Refit library for calling HTTP APIs from my .NET applications.

It uses code generation to let you do simple HTTP calls using interfaces and uses JSON.NET under-the-hood to handle serializing and deserializing JSON.

For example, to get a repository from the GitHub API you could define these types:

public class Organization
{
 [JsonProperty("login")]
 public string Login { get; set; }

 [JsonProperty("id")]
 public long Id { get; set; }

 // ... other properties
}

[Headers("Accept: application/vnd.github.v3+json", "User-Agent: My-App/1.0.0")]
public interface IGitHub
{
 [Get("/orgs/{organization}")]
 Task<Organization> GetOrganizationAsync(string organization);
}

Then you could call the API like this:

var client = RestService.For<IGitHub>("https://api.github.com");
var org = await client.GetOrganizationAsync("dotnet");

This week .NET Core 3.0 preview 6 was released, and with that the new System.Text.Json APIs. These new APIs are designed to be more performant and do less allocations that JSON.NET, so should bring performance benefits to applications that use them.

So what should you do if you want to use the new System.Text.Json APIs with Refit?

Prototyping Sign In with Apple for ASP.NET Core

Mon, 10 Jun 2019 00:00:00 +0000

Last week at Apple’s WWDC 2019 conference, Apple announced a forthcoming service for enabling users to log into apps and services using their Apple ID, Sign In with Apple.

The main points of note about the new service are:

Users can sign in without having to give their email address to a third-party;
It will be required as an option in the future for apps that support third-party sign-in.

Just one day after the announcement at WWDC19, @leastprivilege of Identity Server fame, opened a GitHub issue over at the AspNet.Security.OAuth.Providers repository requesting a provider to support Sign In with Apple.

While the issue was opened slightly tongue-in-cheek, it’s a valid start to the conversation about investigating support for this new technology (or not).

I’ve recently become a maintainer of the aspnet-contrib organisation in GitHub.com, which provides a suite of community-written providers for various OAuth 2.0 and Open ID 2.0 third-party authentication providers. Over the last few years I’ve made a number of contributions; for an Amazon Login provider, and most recently starting the work to add support for ASP.NET Core 3.0.

Given the community discussion and appetite, some previous experience implementing Apple Pay JS for ASP.NET Core, and some shiny new technology to play with, last I decided to try my hand at adding support for Sign In with Apple for ASP.NET Core myself via AspNet.Security.OAuth.Providers.

Pseudo-localization with ASP.NET Core

Mon, 17 Dec 2018 00:00:00 +0000

Earlier this year I read a blog post by Tim Brandall at Netflix about how they use pseudo-localization to test the User Interfaces of their various native applications for layout issues. For example, text in languages such as German and Finnish can be up to 40% longer than their English equivalents, causing text overflow in UI elements that don’t account for such differences.

A simple example of pseudo-localisation would be changing the text of the sentence below.

The quick brown fox jumped over the lazy dog

With transformations to lengthen the text, apply accents and surround it in brackets applied, it becomes:

[Ţĥéẋ ǫûîçķẋẋ ƀŕöŵñẋẋ ƒöẋẋ ĵûɱþéðẋẋ öṽéŕẋẋ ţĥéẋ ļåžýẋẋ ðöĝẋẋ]

I found the approach particularly interesting, so wondered how I could look at using it in my own day-to-day work.

SQL LocalDB Wrapper v2 - The Next Generation

Tue, 02 Oct 2018 00:00:00 +0000

After over 2 years and 100,000 package downloads since the last release of SQL LocalDB Wrapper, I’ve released version 2 to NuGet.

Version 2.0.0 of SQL LocalDB Wrapper is a major rewrite of version 1.x.x, and is now fully .NET Core compatible. You can read more about the changes in the release notes.

Writing Logs to xunit Test Output

Sun, 30 Sep 2018 00:00:00 +0000

Today I’ve published a NuGet package that simplifies the mechanics of writing logs to the test output for xunit tests, MartinCostello.Logging.XUnit v0.1.0. It’s open-source with an Apache 2.0 licence and available on GitHub.

Pull Requests and questions are welcome over on GitHub - I hope you find it useful!

Deploying a static website to Azure Storage from AppVeyor

Sat, 30 Jun 2018 00:00:00 +0000

This week the Azure storage team finally announced that Azure Storage now support hosting static websites. This has been a long-standing request from users of Azure (for nearly 4 years), so it’s great to see something now available for use, even if at the time of writing it’s currently only in public preview.

I’ve been hosting this blog in AWS for almost a year now, so I thought I’d give the public preview a try and automate deployment with AppVeyor as well at the same time.

Upgrade to ASP.NET Core 2.1 for Productivity and Performance Gains

Sat, 23 Jun 2018 00:00:00 +0000

I’ve been using .NET Core since it was released back in June 2016 as my development technology of choice for my personal projects, as well as helping introduce it as a mainstream technology choice at Just Eat (my employer at the time of writing).

I find it so much more pleasurable to code against compared to “traditional” ASP.NET. With features such as self-hosting, built-in dependency injection and a high level of testability, you can really focus on solving the domain problem at hand, rather than worrying too much over boilerplate and ceremony.

Each new release, both major and minor, brings something new to geek-out over, but ASP.NET Core 2.1 has been a particular stand-out so far for new features and benefits that I find really compelling as a software developer.

ASP.NET Core 2.1 – Supercharging Our Applications 🚀

Thu, 14 Jun 2018 00:00:00 +0000

This blog post was originally published by me on the Just Eat Tech blog.

Introduction

ASP.NET Core 2.1 was released by Microsoft at the end of May, and last week we deployed two consumer-facing applications upgraded to use ASP.NET Core 2.1 to production for the first time.

These applications have now been run in production for an entire weekend of peak traffic, and we’ve seen some great performance improvements – in some cases improving average response times by over 40%.

Reliably Testing HTTP Integrations in a .NET Application

Tue, 03 Oct 2017 00:00:00 +0000

Over the past few months I’ve been working on some new ASP.NET Core applications in my day job at Just Eat, and as part of that devised a new strategy for integration testing the applications with respect to their HTTP dependencies.

I’ve written a blog post about the problems I faced and how I went about solving them here.

Reliably Testing HTTP Integrations in a .NET Application

Mon, 02 Oct 2017 00:00:00 +0000

This blog post was originally published by me on the Just Eat Tech blog.

Introduction

Testing HTTP dependencies in modern web applications is a common problem, but it’s also something that can create difficulty for authoring reliable tests. Today, we’re open-sourcing a library to help reduce the friction many developers have with this common requirement: JustEat.HttpClientInterception. You can find the repository in our GitHub organisation and can find the package available to download at JustEat.HttpClientInterception on NuGet.org.

Migrating to Amazon S3

Mon, 28 Aug 2017 00:00:00 +0000

Since I set up my blog in March 2014, it’s been running in IIS as part of an Azure App Service. Initially this was required as the blog was originally a WordPress site, so a server was required to run the PHP code for WordPress. However when I got fed up with keeping WordPress up-to-date and migrated to a static Middleman site, I left it hosted in Azure. This was mainly because it was the easiest option, as that’s where it was already, but also because this allowed me to specify HTTP response headers still, such as for X-Frame-Options.

At the end of the day though, this blog is still statically generated, and running a whole web server (actually two, one in Azure’s East US datacentre, another in UK South) is just overkill. Given that Amazon S3 supports static website hosting, I thought I’d migrate it to an S3 bucket instead.

Publishing My First Alexa Skill

Mon, 20 Feb 2017 00:00:00 +0000

A few weeks ago at work it was our quarterly Hackathon. After a dearth of ideas I thought of an idea to extend our Alexa app to incorporate something I’ve been working on in the office over the last few months. Over the course of a few days a colleague and I tweaked the skill and achieved our aim, which was pretty fun. Did I mention we also won the technical category?

Off the back of that success I thought I’d have a go at writing my own skill, which was finally accepted into the Alexa Skill Store on the 14th February after it’s third round of certification tests. It’s a fairly simple skill with just two “intents” that allows you to either ask about current disruption on any London tube line, the London Overground or the DLR, or for just a specific line. It’s also 100% open-source, hosted on GitHub. The free AWS Lambda tier also makes it free to run (unless the skill becomes wildly popular…).

Now the dust has settled and I’ve got some free time, I thought I’d do a blog post about how I got started with Alexa and the idea for the skill, how I coded it and set up the Continuous Integration, how I got it through the certification tests and, finally, setting up monitoring for it in production.

BrowserStack Automate API Client v2

Tue, 18 Oct 2016 00:00:00 +0000

I’ve just released version 2.0.1 of the BrowserStack Automate .NET client open source project that I maintain on GitHub.

Apple Pay JS

Mon, 10 Oct 2016 00:00:00 +0000

I’ve been working on an integration of the new Apple Pay JS SDK over the last few months. If you’d like to read about it, check out my post here.

Bringing Apple Pay to the web

Mon, 10 Oct 2016 00:00:00 +0000

This blog post was originally published by me on the Just Eat Tech blog.

Introduction

Back in June at WWDC, Apple announced that Apple Pay was expanding its reach. No longer just for apps and Wallet on TouchID compatible iOS devices and the Apple Watch, it would also be coming to Safari in iOS 10 and macOS Sierra in September 2016.

Just Eat was a launch partner when Apple Pay was released in the UK in our iOS app in 2015. We wanted to again be one of the first websites to support Apple Pay on the web by making it available within just-eat.co.uk. Our mission is to make food discovery exciting for everyone – and supporting Apple Pay for payment will make your experience even more dynamic and friction-free.

Alberto from our iOS team wrote a post about how we introduced Apple Pay into our iOS app last year, and this post follows on from that journey with a write-up of how we went about making Apple Pay available on our website to iOS and macOS users with the new Apple Pay JS SDK.

This Blog Is Now Open Source!

Mon, 30 Nov 2015 00:00:00 +0000

TL;DR - This blog is now hosted on GitHub.com!

Why I Switched From WordPress To Middleman

Thu, 18 Jun 2015 00:00:00 +0000

A few years ago I thought I’d set up a blog. Initially I created a blog in Blogspot but I decided some time later that I’d rather host it myself with custom DNS, etc., mainly as a learning exercise. As I’m mostly a developer in the Microsoft stack, I decided I’d set it up in Windows Azure as an Azure Website (now a “Microsoft Azure Web App”) as that was something I knew of and knew a little about. A few clicks through a wizard later and I had a WordPress blog running in Azure, backed by a MySQL database. Great - time to get blogging!

Flash-foward a few years, and I had a sum total of one solitary blog post. Yeah, so I’d been a bit slack on the whole writing a blog thing. However I’ve got an idea for a second blog post that I’ve been procrastinating over writing for a while, so I thought I’d start on that (aside: this isn’t that blog post, that’s coming soon). By this point I’d grown two different Azure subscriptions and the blog was running in the wrong one and I was starting to hit limits on my free Azure credits due to other usage, so I figured I’d switch it around. The problems begin.

Ensuring Your ASP.NET Website Is Secure

Tue, 04 Mar 2014 00:00:00 +0000

So recently I’ve been doing some work ensuring some websites I work on are secure. This has been from a mix of hands-on testing of them myself, dealing with feedback from dedicated security testers testing the applications, and this week attending an “ASP.NET Secure Coding” training course.

From my own testing I found the odd thing here and there during development based on what I’ve read in the past is best-practice. These were exclusively application/coding changes. Fixing these was a mix of “Oh yeah” realisations or a quick Google leading to MSDN or Stack Overflow, leading to some simple one-line changes here and there.

The same was true of the results from the dedicated security testers. This was slightly more work, as they were very good at saying “X is an issue”, but almost useless at saying how to fix it. They also did some tests which were more of the server and network configuration, which in some cases fell out of my personal work remit. However, a secure app is a secure app, meaning that you just can’t ignore it because it’s not controllable by the code. This meant yet further reading to find out how to fix the software issues, as well as reading further afield to find out how to fix the server and network configuration issues as well.

Then there was the security testing course. The title was a bit of a misnomer, as it wasn’t so much “how to code securely” as “how to find security problems”. It was very useful as it was quite eye-opening to discover what seemingly innocent “oh that’s not important” small niggly things could, in the hands of a skilled “hacker”, actually lead to your machine being completely owned by an attacker.

However, after three rounds of realisation, fixing and testing, there was one common theme I found with all of this - there was no central resource detailing how to fix all of the issues that came up. There were a lot of resources where just one problem would be described (and sometimes a fix for it described), but a lot of the time there’d be a page about a problem, but you’d need to go to a completely different one for the fix. Some required some creative Googling to find, others were right there (if you knew what you were looking for).

So, Dear Reader, why have I written this? Well, I thought it would be a good idea to collate all the stuff that’s best practice into a single blog post, and then include for each one the instructions of how to fix it. Helpful right? Well, at least I hope so.

About Me

Mon, 01 Jan 0001 00:00:00 +0000

Error

Mon, 01 Jan 0001 00:00:00 +0000

Not Found

Mon, 01 Jan 0001 00:00:00 +0000

Martin Costello's Blog

Levelling Up Security with the GitHub Secure Open Source Fund

Continuous Benchmarks on a Budget

What's New for OpenAPI with .NET 9

Look ma, no Dockerfile! 🚫🐋 - Publishing containers with the .NET SDK 📦

.NET Native AoT Make AWS Lambda Function Go Brrr

Upgrading to .NET 8: Part 6 - The Stable Release

Upgrading to .NET 8: Part 5 - Preview 7 and Release Candidates 1 and 2

Upgrading to .NET 8: Part 4 - Preview 6

Upgrading to .NET 8: Part 3 - Previews 1-5

Upgrading to .NET 8: Part 2 - Automation is our Friend

Upgrading to .NET 8: Part 1 - Why Upgrade?

Improving ASP.NET Core Before It Ships 🚢

Using the .NET JSON Source Generator with ASP.NET Core Minimal APIs

GitHub Codespaces Gotchas with ASP.NET Core OAuth

Integration Testing ASP.NET Core Resources Protected with Antiforgery Using Application Parts

Integration testing AWS Lambda C# Functions with Lambda Test Server

Using Refit with the new System.Text.Json APIs

Prototyping Sign In with Apple for ASP.NET Core

Pseudo-localization with ASP.NET Core

SQL LocalDB Wrapper v2 - The Next Generation

Writing Logs to xunit Test Output

Deploying a static website to Azure Storage from AppVeyor

Upgrade to ASP.NET Core 2.1 for Productivity and Performance Gains

ASP.NET Core 2.1 – Supercharging Our Applications 🚀

Introduction

Reliably Testing HTTP Integrations in a .NET Application

Reliably Testing HTTP Integrations in a .NET Application

Introduction

Migrating to Amazon S3

Publishing My First Alexa Skill

BrowserStack Automate API Client v2

Apple Pay JS

Bringing Apple Pay to the web

Introduction

This Blog Is Now Open Source!

Why I Switched From WordPress To Middleman

Ensuring Your ASP.NET Website Is Secure

About Me

Archive

Error

Not Found