views:

43

answers:

4

I am currently working on an ASP.NET 3.5 and C# web application which deals with users' private information, such as SSNs. What are some of the security measures which I need to take from an application development standpoint to feel safe?

+1  A: 

If you require sensitive information from the user via a web form, it should be protected by SSL (an https URL). This helps you secure the communication channel between the browser and your server.

You shouldn't store private and sensitive information in your database unless it's strictly necessary, and if you have to do it, of course you have to store it encrypted.

Claudio Redi
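As an added illustration of the "store it encrypted" advice (this is not code from the answer above; it is an example written for this page), the following C# class protects an SSN before it is written to the database and restores it on the way out. It uses AES-CBC with a fresh random IV per record and an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC), so a tampered or truncated row is rejected before decryption. The key handling is an assumption: the keys are generated in `Main` only to make the sample run; in a real deployment they would come from a protected store, never from source or an unprotected web.config.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the answer's code. Stored layout:
//   IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
public static class SsnProtector
{
    public static byte[] Protect(string ssn, byte[] encKey, byte[] macKey)
    {
        using (AesManaged aes = new AesManaged())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // fresh random IV per record

            byte[] plaintext = Encoding.UTF8.GetBytes(ssn);
            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }

            byte[] body = new byte[aes.IV.Length + ciphertext.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, aes.IV.Length);
            Buffer.BlockCopy(ciphertext, 0, body, aes.IV.Length, ciphertext.Length);

            // Tag covers IV and ciphertext so neither can be altered unnoticed.
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(body);
                byte[] stored = new byte[body.Length + tag.Length];
                Buffer.BlockCopy(body, 0, stored, 0, body.Length);
                Buffer.BlockCopy(tag, 0, stored, body.Length, tag.Length);
                return stored;
            }
        }
    }

    public static string Unprotect(byte[] stored, byte[] encKey, byte[] macKey)
    {
        const int ivLen = 16, tagLen = 32;
        if (stored == null || stored.Length < ivLen + tagLen)
            throw new CryptographicException("stored value too short");

        int bodyLen = stored.Length - tagLen;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(stored, 0, bodyLen);
            // Constant-time comparison: do not leak which tag byte mismatched.
            int diff = 0;
            for (int i = 0; i < tagLen; i++) diff |= expected[i] ^ stored[bodyLen + i];
            if (diff != 0) throw new CryptographicException("integrity check failed");
        }

        using (AesManaged aes = new AesManaged())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(stored, 0, iv, 0, ivLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(stored, ivLen, bodyLen - ivLen);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    public static void Main()
    {
        // Constructed demo keys only; a real deployment loads them from a key store.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }
        byte[] stored = Protect("123-45-6789", encKey, macKey);   // constructed sample SSN
        Console.WriteLine(Convert.ToBase64String(stored));        // what the database column holds
        Console.WriteLine(Unprotect(stored, encKey, macKey));      // round-trips to the original value
    }
}
```

The column should be stored as a binary (or base64 text) value rather than the plaintext, and the two keys should be separate: reusing the encryption key for the MAC is a common mistake that this layout avoids.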
+1  A: 

Well, besides the obvious issue of using encryption, I've been told that it's a good practice to avoid having the user's state as part of a class, especially in an external code library.

E.g., instead of this:

Imports System.Data

Public Class SecretClass
    Private _ssn As String

    Public Sub New(ssn As String)
        _ssn = ssn
    End Sub

    Public Function GetMedicalHistory() As DataSet
        ' Get private information for _ssn
        Return New DataSet()
    End Function
End Class

Use this:

Imports System.Data

Public Class SecretClass
    Public Sub New()
    End Sub

    Public Function GetMedicalHistory(p_ssn As String) As DataSet
        ' Get private information for p_ssn; the SSN is never kept as object state
        Return New DataSet()
    End Function
End Class

By doing this, you make it more difficult for a malicious hacker to steal private information by somehow gaining control of the secretClass object.

Rice Flour Cookies
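The same design in C# (the asker's language), as an added example that is not the answer's own code. Beyond keeping the SSN out of object state, it adds two checks a practitioner would want around such a method: the input is validated against the ###-##-#### form before it reaches the data layer, and any log line or error message only ever sees a masked form. `LoadHistoryFromDatabase` is a hypothetical placeholder for the real parameterised query.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;

// Added example, not the answer's code.
public static class MedicalHistoryService
{
    // Accept only the canonical ###-##-#### form so malformed input never
    // reaches the query layer.
    private static readonly Regex SsnFormat =
        new Regex(@"^\d{3}-\d{2}-\d{4}$", RegexOptions.Compiled);

    public static bool IsWellFormed(string ssn)
    {
        return ssn != null && SsnFormat.IsMatch(ssn);
    }

    // Masked form for logs, error messages and screens: only the last four digits survive.
    public static string Mask(string ssn)
    {
        if (!IsWellFormed(ssn)) return "***-**-****";
        return "***-**-" + ssn.Substring(7);
    }

    // No field holds the SSN: it exists only in this parameter for the duration
    // of the call, so a captured service object carries nothing sensitive.
    public static DataSet GetMedicalHistory(string ssn)
    {
        if (!IsWellFormed(ssn))
            throw new ArgumentException("SSN is not well formed: " + Mask(ssn));
        Console.WriteLine("history requested for " + Mask(ssn));   // never the raw value
        return LoadHistoryFromDatabase(ssn);
    }

    // Hypothetical placeholder for a parameterised query against the real store.
    private static DataSet LoadHistoryFromDatabase(string ssn)
    {
        return new DataSet("MedicalHistory");
    }
}
```

Because `GetMedicalHistory` is static and stateless, there is no instance to dump or serialise that would contain the SSN, which is the property the answer is after.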
+1  A: 

Disable remote logon to your database, use several code analysis tools (code coverage and static analyzers), force strong password requirements for logging into the systems, encrypt all data with at least an SHA-1 encryption scheme; MD5 is found to be far too weak according to government requirements.

Woot4Moo
+1  A: 

To secure your application you will need to understand the threats it will face and then develop appropriate mitigation techniques. A good place to start would be by creating a threat model.

Have a look at some of these resources:

bignum