
Zero-trust security, for every web app

Security Need Not Be Hard

Rapidly build APIs with HMAC, MFA, granular access control, IP firewall and rules-based suspension – without prior security experience.


Unobtrusive Checks, Low Code

Mixing business logic with security checks leads to holes, resulting in data breaches. Keep it tidy and focussed with convention-based declarative checks.


Ship Prototypes Early

Jump straight into developing the business features using source packages that come with a full implementation of profile/user management/admin APIs and MVC portals.


Proven Tech

Crucial API platforms like ISCP (Forge Trust), which has 1.3 M+ IRA accounts and $13 BN+ in assets under custody, use ASPSecurityKit to protect their users and data.

Get started on the web platform of your choice

Create the project using the API template

With its interface-driven design, ASK gives you the freedom to define the data access layer for security the way you want, including repositories and even entity models like User and Permit. An implementation as source code is provided via the source packages (an essential one is included within the template).

With the Protect filter, you inject ASK's security pipeline, which subjects every incoming request to every action of your web app to a range of security checks.

The pipeline's zero-trust nature requires that you explicitly opt actions out of the checks you don't need. For example, the AllowAnonymous, VerificationNotRequired and SkipActivityAuthorization attributes opt an action out of the authentication, verification and activity authorization checks, respectively.

Activity data authorization (ADA) gives you a convention-based approach to authorize actions and the data sent for those actions, without writing any code in most cases.

Create the project using the MVC template

With its interface-driven design, ASK gives you the freedom to define the data access layer for security the way you want, including repositories and even entity models like User and Permit. An implementation as source code is provided via the source packages (an essential one is included within the template).

With the Protect filter, you inject ASK's security pipeline, which subjects every incoming request to every action of your web app to a range of security checks.

The pipeline's zero-trust nature requires that you explicitly opt actions out of the checks you don't need. For example, the AllowAnonymous, VerificationNotRequired and SkipActivityAuthorization attributes opt an action out of the authentication, verification and activity authorization checks, respectively.

Activity data authorization (ADA) gives you a convention-based approach to authorize actions and the data sent for those actions, without writing any code in most cases.

Create the project using the ServiceStack template

With its interface-driven design, ASK gives you the freedom to define the data access layer for security the way you want, including repositories and even entity models like User and Permit. An implementation as source code is provided via the source packages (an essential one is included within the template).

With the ASPSecurityKitFeature (a ServiceStack plugin), you inject ASK's security pipeline, which subjects every incoming request to every operation of your web app to a range of security checks.

The pipeline's zero-trust nature requires that you explicitly opt operations out of the checks you don't need. For example, the AllowAnonymous, VerificationNotRequired and SkipActivityAuthorization attributes opt an operation out of the authentication, verification and activity authorization checks, respectively.

Activity data authorization (ADA) gives you a convention-based approach to authorize operations and the data sent for those operations, without writing any code in most cases.

Protect your server application with a comprehensive security pipeline built on a zero-trust model

Multiple stages of checks and verifications, with events, hooks and settings to alter the existing checks and inject custom ones at any stage.

Cross-Site Scripting (XSS)

Detect/resist XSS injections and holistically sanitize data across various subsystems (emails, APIs, back-end/front-end).

Authentication

Allow a multitude of clients (browsers, mobile apps, IoT devices, backend jobs, third-party services) to connect securely using schemes like HMAC, cookies and service key, and identities such as site keys, feature keys and sessions.

IP Firewall

Restrict access to secure networks or machines only, not just for automated API-key-based calls but for any identity (including user sessions, to protect high-privileged user accounts).

Multi-Factor Auth (MFA)

Protect user accounts with MFA (2FA) checks – enforce MFA as a policy on users, and opt specific users, operations or networks out of MFA verification.

User Account Verification

Limit access to the system until the user's contact details (such as email/mobile) are verified. Opt certain operations (such as the user profile) out of the verification check. Get an end-to-end implementation of the email verification workflow.

Activity-Data Authorization (ADA)

Authorize callers not just for actions but also for the data on which those actions are performed, with a convention-based ADA component that automatically determines permission codes and discovers sensitive data fields in requests, and gives you various options to override the default conventions.

Suspension

Suspend not just users but operations on all kinds of entities – such as financial accounts, contacts, etc. – for reasons such as KYC required, fraud detected or OFAC. Allow certain operations on suspended entities, such as read-only access or uploading a KYC document.

"BHIS would like to commend Forge Trust on their implementation of the authorization header. The dynamic nature of this header helps to secure the application by preventing replay attacks and request tampering."

— from a pentest performed by Black Hills Information Security on ISCP, which is powered by ASPSecurityKit (referring to the HMAC scheme).

Cut cost, ship fast

ASPSecurityKit cuts the time it takes to develop secure web applications and APIs by 20%.

Without writing a single line of code, get implementations of several important common workflows, including

and much more, right into your project as source code – models, views, controllers or API endpoints with best practices (async, managers, dependency injection, error handling)!

"ASPSecurityKit has saved us hundreds of developer hours and thousands of Pounds. I was blown away by the speed at which our developer single-handedly developed a complex multi-tenanted, multi-user order lifecycle management web application for a prestigious client in record time."

Ross Williams, founder at Rosscom – a web design and development company (London, U.K.)

Create marketplace systems (connecting buyers / sellers), hierarchical systems (as in an organization chart), or a mix of these with ease.

Financial System

  • The architecture above represents an IRA custodian cloud system like ISCP that has multiple institutional tenants in the form of asset providers, individual IRA clients and a custodian. Both the providers and the custodian have multiple kinds of users representing various business roles.
  • XSS, MFA, IP Firewall and ADA are the checks enforced by ASPSecurityKit's multi-stage security pipeline.
  • HMAC, ServiceKey, ServiceHMAC and AuthCookie are the authentication schemes supporting different integration scenarios with client apps/third-party services, using identities such as user sessions and site-to-site API keys to authenticate.
  • ADA is a unique access control mechanism that gives you convention-based, granular control over what operations a caller can execute and on what data it can execute those operations.

Marketplace System

  • The architecture above represents an e-commerce marketplace cloud system that has multiple institutional tenants in the form of sellers, individual/institutional buyers and the e-commerce company. The institutional clients and the e-commerce company have multiple kinds of users representing various business roles.
  • XSS, MFA, Suspension, Verification and ADA are the checks enforced by ASPSecurityKit's multi-stage security pipeline.
  • HMAC, ServiceKey and AuthCookie are the authentication schemes supporting different integration scenarios with client apps/third-party services, using identities such as user sessions and site-to-site API keys to authenticate.

Developer Portal

  • The architecture above represents a developer portal supporting different grades of API subscriptions, giving access to only the portion of the docs included within the subscribed plan, made possible by the granularity of ASK's ADA feature.
  • XSS, MFA and ADA are the checks enforced by ASPSecurityKit's multi-stage security pipeline.
  • HMAC and AuthCookie are the authentication schemes supporting different integration scenarios with client apps/third-party services, using identities such as user sessions and site-to-site API keys to authenticate.

Protect against today's threat landscape; harden against the OWASP Top Ten and be prepared for evolving future threats with regular library updates and expert guidance

Strong Password Hashing

Password hashing using PBK salted hashing, protecting against dictionary attacks. Change the default hashing algorithm with ease.

Password Blocking

Detect and protect user data when account credentials are compromised (credential hijacking).

Suspend User

Temporarily or permanently revoke access for unruly users.

Request Integrity

Protect against request tampering and man-in-the-middle attacks.

Request Expiration

Detect and prevent request replay attacks and define the request lifetime.
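How request integrity and request expiration fit together in a signed-request scheme, as an added illustration that is not ASPSecurityKit's own code (the library's actual header layout, key names and canonicalization are not shown on this page): the MAC binds method, path, body hash, timestamp and nonce, the verifier enforces a lifetime window, and nonces already seen within that window are rejected. The header names, key id and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials and header names (assumptions, not the library's scheme).
KEY_ID = "demo-key-id"
SECRET = b"demo-secret-not-for-production"
LIFETIME_SECONDS = 300  # request lifetime: anything older/newer than this is rejected


def canonical_string(method, path, body, timestamp, nonce):
    # Bind every field the server relies on; changing any of them invalidates the MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, secret=SECRET, timestamp=None, nonce=None):
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": KEY_ID, "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    def __init__(self, secrets_by_key_id, lifetime=LIFETIME_SECONDS):
        self.secrets = secrets_by_key_id
        self.lifetime = lifetime
        self.seen_nonces = {}  # nonce -> timestamp; entries older than the lifetime are pruned

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(headers.get("X-Key-Id"))
        if secret is None:
            return "unknown key"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return "bad timestamp"
        if abs(now - ts) > self.lifetime:
            return "expired"  # request expiration bounds the replay window
        nonce = headers.get("X-Nonce", "")
        msg = canonical_string(method, path, body, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"  # tampering with any bound field lands here
        # Only signed, in-window requests reach the nonce cache, so it cannot be polluted.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.lifetime}
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces[nonce] = ts
        return "ok"
```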

Integrator Identification

Detect and reject connections from integrating institutional clients based on origin whitelists.

Key Leakage

Protect sensitive API keys from being used from browsers and non-whitelisted IPs.

XSS

Components and guidance to implement end-to-end protection against XSS.

Feature Hiding

Manage access to and visibility of menus, actions and pages based on users' privilege level, with permission-based authorization.

ASPSecurityKit is an outcome of a decade of experience in developing security features in projects for clients ranging from multi-billion financial institutions, private healthcare and insurance to hospitality, manufacturing, classified crypto marketplaces and customer support services.

Some of our clients

IRA Services (Forge Trust)
Kirwin & Simpson
Crowe LLP
PerformTel Support
Gluco (Cloudstick Technologies)
Myriad Inc.
Ernst & Young