rand9 is the brainchild of BJ Neilsen; Software Developer, Designer, Outdoor Enthusiast, Husband, and Father of two. Hi.
I love to focus on creating and deploying complex web systems. The internet has been my canvas for over a decade. I'm constantly refining development practices to implement smart, fast, and efficient solutions. I excel at building software that brings the right experience to the customer.
While the majority of my career focus has been on the web platform, recent projects have taken me into the mobile development arena, most notably for the iPhone platform. For an exhaustive look at my technical DNA, please refer to my résumé.
And no, I don't tweet.
All content © 2008-2010 rand9 Technologies, LLC
Creating a secure Web application is a broad subject, because it requires studying the security vulnerabilities involved. You also need to become familiar with the security features provided by Windows, the .NET Framework and ASP.NET. Finally, it is vital to understand how to use these security features to counter threats.
Even if you do not have much security experience, there are some basic steps that should be taken to protect any Web application. The following list provides minimum security guidelines that apply to all Web applications and that should be followed:
Note: For complete and detailed security guidelines to help you design, develop, configure and deploy more secure ASP.NET Web applications, see the security modules provided by JTAutoSecurity Co UK.
In many applications, users can access the site anonymously (without having to provide credentials). If so, the application accesses resources while running in the context of a predefined user. By default, this context is the local ASPNET user (Windows 2000 or Windows XP) or the NETWORK SERVICE user (Windows Server 2003) on the Web server computer. To restrict access to authenticated users only, follow these instructions:
As a general rule, you should never assume that input from users is safe. Malicious users find it easy to send potentially dangerous information from the client to the application. To protect against malicious input, follow these instructions:
Note: View state is stored in a hidden field in an encoded format. By default, it includes a message authentication code (MAC) so the page can determine whether view state has been tampered with. If you store confidential information in view state, encrypt it by setting the page's ViewStateEncryptionMode property to true.
Typically, databases have their own security systems. An important aspect of a secure Web application is designing a way for it to access the database securely. Follow these instructions:
For more information on how to access data securely, see Securing Data Access and Securing ADO.NET Applications.
If you are not careful, a malicious user can deduce important information about the application from the error messages it displays. Follow these instructions:
Confidential information is any information that you want to keep private. An example of confidential information is a password or an encrypted password. If a malicious user gets hold of confidential information, the data it protects will be exposed. Follow these instructions:
Cookies are a useful way to store user-specific information so that it is readily available. However, because they are sent to the browser on the user's computer, they are vulnerable to theft or other malicious use. Follow these instructions:
An indirect way for an attacker to compromise an application is to make it unavailable. A malicious user can keep the application too busy to serve other users, or simply crash it. Follow these instructions:
<configuration>
  <system.web>
    <!-- Limit request size (in KB) so oversized uploads cannot exhaust the server -->
    <httpRuntime maxRequestLength="4096" />
  </system.web>
</configuration>
You can also use the RequestLengthDiskThreshold property to reduce the memory overhead of large uploads and form postbacks.
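As an added example that is not part of the original article, the following web.config fragment applies the guidelines above in one place, with the default or weak setting noted beside each hardened value. The paths ~/Login.aspx and ~/Error.aspx are assumed names.

```xml
<configuration>
  <system.web>
    <!-- Anonymous access: require authentication for every request.
         Default: all users, including anonymous ("?"), are allowed. -->
    <authentication mode="Forms">
      <!-- loginUrl is an assumed path; requireSSL keeps the auth cookie off plain HTTP -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" slidingExpiration="false" timeout="20" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Malicious input and view state: keep request validation on (it is on by default,
         but is often switched off page-by-page), keep the view state MAC, and encrypt
         view state instead of relying on the default encoding. -->
    <pages validateRequest="true"
           enableViewStateMac="true"
           viewStateEncryptionMode="Always" />

    <!-- Error messages: show detailed errors only to local requests.
         Weak setting: mode="Off" sends stack traces and paths to every client. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Cookies: not readable from script, and only sent over HTTPS.
         Default: httpOnlyCookies="false", requireSSL="false". -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Denial of service: cap request size (KB) and spool large bodies to disk
         above the threshold (KB) instead of holding them in memory. -->
    <httpRuntime maxRequestLength="4096" requestLengthDiskThreshold="256" />
  </system.web>
</configuration>
```

Database connection strings belong in the connectionStrings section and can be encrypted in place with aspnet_regiis -pe "connectionStrings" rather than being left in clear text in the configuration file.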