Modern software development offers powerful tools and countless opportunities. As you incorporate cloud computing and emerging technologies like AI, big data and Industry 4.0, you also increase the complexity of maintaining secure environments.
This complexity brings responsibility. The role of the software architect has evolved to meet global demands for privacy, compliance and security. Regulations like GDPR have changed how we build software, not only in Europe but globally. As an architect, you need to understand these implications and apply security as a core design principle.
Security by design is not optional. You must work closely with information security specialists to enforce policies that protect confidentiality, privacy, integrity, authenticity and availability.
🔐 ASP.NET Core and Built-in Security Tools
ASP.NET Core provides excellent support for security concerns. You’ll find features for authentication, authorization, data protection, cookie policies and GDPR compliance.
You can also enhance your understanding by reviewing the OWASP Cheat Sheet Series at owasp.org, which outlines security best practices for .NET and beyond.
🧭 Practical Guidelines for Secure Architecture
Here are key practices to help you embed security into your application architecture.
🔑 Authentication
Choose an authentication strategy that fits your app and its audience.
- ASP.NET Core Identity: Use for standard login flows 
- External providers: Integrate Facebook, Google or others 
- Azure Active Directory: Ideal for enterprise B2B or B2C scenarios 
- MFA (Multi-Factor Authentication): Require additional identity proof 
- JWT (JSON Web Tokens): Use for securing APIs with cross-platform support 
🧾 Authorization
Determine what users can access with one of the following models:
- Simple: Use [Authorize] on controllers or methods
- Role-Based: Assign user roles to control access 
- Claims-Based: Validate custom user attributes 
- Policy-Based: Define detailed access policies 
Use [AllowAnonymous] only when necessary and safe. Be mindful of exposing endpoints.
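The four models above can be combined in a single `Program.cs`. The sketch below is an added example, not code from the original article. It sets a fallback policy so every endpoint requires an authenticated user unless it explicitly opts out. The route, role, claim and policy names are hypothetical, and the JWT authority and audience are placeholders.

```csharp
// Program.cs, ASP.NET Core 6+ minimal hosting. Illustrative example: policy, role,
// claim and route names are hypothetical, as are the Authority and Audience values.
using Microsoft.AspNetCore.Authentication.JwtBearer; // NuGet package of the same name
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.example.test/"; // placeholder issuer
        options.Audience = "orders-api";                   // placeholder audience
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint with no authorization metadata of its own
    // still requires an authenticated user, so a forgotten attribute fails closed.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Policy-based: one named policy that combines a role and a claim check.
    options.AddPolicy("CanRefundOrders", policy => policy
        .RequireRole("Support")
        .RequireClaim("department", "billing"));
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Explicit opt-out: the only endpoint reachable without a token.
app.MapGet("/health", () => Results.Ok("healthy")).AllowAnonymous();

// Simple: no metadata here, so the fallback policy applies.
app.MapGet("/orders", () => Results.Ok(new[] { "order-1", "order-2" }));

// Role-based: equivalent to [Authorize(Roles = "Admin")] on a controller action.
app.MapGet("/admin/users", () => Results.Ok(new[] { "alice", "bob" }))
    .RequireAuthorization(new AuthorizeAttribute { Roles = "Admin" });

// Policy-based: the caller must satisfy every requirement in the named policy.
app.MapPost("/orders/{id:int}/refund", (int id) => Results.Accepted())
    .RequireAuthorization("CanRefundOrders");

app.Run();
```

With the fallback policy in place, each `AllowAnonymous()` call or `[AllowAnonymous]` attribute is a visible, reviewable exception instead of the default.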
🧬 Handling Sensitive Data
Decide what data needs protection and use appropriate tools:
- Azure Key Vault: Store and manage application secrets securely 
- Azure Storage with encryption: Store sensitive blobs or structured data 
- Field-level encryption: Apply extra protection when required 
These choices help keep sensitive information protected even if other parts of the system are breached.
🌐 Web Security Best Practices
Your production system must enforce HTTPS. Never allow unsecured access.
Protect against common threats:
- Cross-Site Request Forgery (CSRF) 
- Cross-Site Scripting (XSS) 
- Open Redirects 
- SQL Injection: Always use parameterized queries 
Use built-in ASP.NET Core APIs and middleware to block these vulnerabilities.
Refer to Azure Architecture Security Patterns for proven strategies.
🧅 Layered Security and Disaster Recovery
Security should follow the onion model, applying multiple layers:
- Application layer: Secure APIs, validate inputs 
- Data layer: Encrypt sensitive fields 
- Infrastructure layer: Harden networks, isolate resources 
- Physical access: Limit access to environments 
- Recovery layer: Prepare for disaster recovery and business continuity 
A well-designed system doesn't just prevent attacks. It also recovers gracefully when things go wrong.