views: 46

answers: 3

Hello. I'm about to begin building an e-commerce website using C#, ASP.Net MVC 2, IIS7 and SQL 2008. The site will allow users to login, make purchases, and manage their orders. Obviously, there's a need for strong security here. I've been searching around on SO and Google for a single definitive guide that covers enough on security to allow me to...

  1. learn where security needs to be a consideration and...
  2. how to implement it properly on the Windows stack.

This will be my first e-commerce site that I'm building from scratch. Is there a definitive or idiot's guide to implementing strong web security for all aspects of an e-commerce site using ASP.Net MVC 2/SQL 2008?

Thanks so much in advance for all your help!

+1  A: 

Please see the MVC Security page on ASP.net

They have a few good videos and their sample applications have been helpful to me.

HTH, Sid

SidC
+1  A: 

"Definitive" and "idiot's guide" seem a little mutually exclusive, but here are a few I've seen before that deal with general ASP.NET security and some specifically for MVC:

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (Microsoft, MSDN)

Developer Highway Code (Security - MSDN - Microsoft UK)

Improving Web Application Security: Threats and Countermeasures (Microsoft, MSDN)

The HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman (Microsoft Video)

There are also some tutorials on http://www.asp.net/mvc/security about preventing JavaScript attacks. Basically this boils down to always HTML encoding any output.

As for SQL 2008, normal best practice would be to use Windows Authentication and only grant read/write access to the tables you have to.

Dan Diplo
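The "always HTML encode any output" advice above, as an added example that is not part of Dan Diplo's answer or any of the linked Microsoft material. It renders a constructed, attacker-style product review two ways: concatenated into the markup raw (the vulnerable form, equivalent to `<%= %>` in an ASP.NET MVC 2 view) and passed through `HttpUtility.HtmlEncode` (equivalent to `<%: %>` on ASP.NET 4, or `Html.Encode()` on .NET 3.5). The review text, the `RenderRaw`/`RenderEncoded` helper names and the `<p class="review">` wrapper are assumptions made for the demonstration.

```csharp
// Added example (not from the original answer): why output encoding matters.
using System;
using System.Web; // requires a reference to System.Web.dll for HttpUtility

class OutputEncodingDemo
{
    // Constructed sample input: the kind of text an attacker would submit
    // through a review form that is stored and later shown to other users.
    const string UntrustedReview = "<script>alert('xss')</script>";

    // Vulnerable: user input is dropped into the page unchanged, so the
    // browser parses it as markup. Same effect as <%= Model.Review %>.
    static string RenderRaw(string review)
    {
        return "<p class=\"review\">" + review + "</p>";
    }

    // Hardened: characters with HTML meaning (<, >, &, ", ') become entities,
    // so the browser displays the text instead of executing it.
    // Same effect as <%: Model.Review %> or Html.Encode(Model.Review).
    static string RenderEncoded(string review)
    {
        return "<p class=\"review\">" + HttpUtility.HtmlEncode(review) + "</p>";
    }

    // Check a unit test or code review would make: a live <script> tag must
    // never survive in encoded output.
    static bool ContainsLiveScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Main()
    {
        string raw = RenderRaw(UntrustedReview);
        string safe = RenderEncoded(UntrustedReview);

        Console.WriteLine("raw:     " + raw);
        Console.WriteLine("encoded: " + safe);
        Console.WriteLine("raw output contains a script tag:     " + ContainsLiveScriptTag(raw));
        Console.WriteLine("encoded output contains a script tag: " + ContainsLiveScriptTag(safe));
    }
}
```

Encoding belongs at the point where data is written into HTML, not at input time: the same stored review may later be emitted into a JSON response, a URL or a SQL parameter, each of which needs its own encoding, and encoding once on the way in breaks the value for every other context.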
+1  A: 

Start with OWASP.

OWASP is the authority on Web Application Security. Their list of top ten vulnerabilities is the bible for web security.

Try here for OWASP overview: http://www.owasp.org

And here for the OWASP top ten: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The latter link shows how to protect against these threats including .Net code.

Rap