views: 96

answers: 3

An extremely secure ASP.NET application has to be written at my work, and instead of trawling through the Internet looking for best practices, I was wondering what considerations and, generally, what things should be done to ensure a public web application is safe.

Of course we've taken into consideration user/pass combinations but there needs to be a much deeper level than this. I'm talking about every single level and layer of the application i.e.

  • Using URL rewrites
  • Masterpages
  • SiteMaps
  • Connection pooling
  • Session data
  • Encoding passwords.
  • Using stored procedures instead of direct SQL statements

I'm making this a community wiki as there wouldn't be one sole answer which is correct as it's such a vast topic of discussion. I will point out also that this is not my forte by any means and previous security lockdown has been reached via non-public applications.

+1  A: 
  • Use forms authentication instead of storing authentication data in session.
  • Obviously: hash passwords. If you want to be very cautious, use SHA1 encryption instead of md5.
Manu
+2  A: 

You should refine the idea of "stored procedures" into just using parameterized queries. That will take care of most of your problems there. You can also restrict fields on the UI and strip out or encode damaging characters like the pesky ';'...

TheTXI
added the ui stuff, didn't necessarily need a new post for something along the same lines...
RSolberg
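As an added illustration of the point above (example code, not from the thread or any of its authors): the concatenated query beside its parameterized form, using ADO.NET's SqlClient. The `Users` table, its `UserName` column and the `connectionString` argument are assumed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the two ways of running the same lookup from an ASP.NET page.
public static class UserLookup
{
    // VULNERABLE ("before"): the input is spliced into the SQL text. A single
    // quote inside userName ends the string literal and whatever follows is
    // parsed as SQL, so the query's structure depends on the caller's input.
    public static bool UserExistsUnsafe(string connectionString, string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is a fixed string and the value travels as a typed
    // parameter. The database never interprets userName as SQL, so stripping
    // ';' or quotes from the input is not needed for the query to be safe.
    public static bool UserExists(string connectionString, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length also gives the input an upper bound.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

A stored procedure called with `CommandType.StoredProcedure` and the same `Parameters` collection gets the identical protection; the benefit comes from the parameters, not from the procedure itself.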
+2  A: 

That's a bigger topic than I think you perhaps realise. The best advice is to get someone who already knows and can advise you. Failing that, I would start by reading the Microsoft document "Improving Web Application Security: Threats and Countermeasures", but be warned that it runs to 919 printed pages.

Martin Brown
That's handy, thanks.
Kezzer