Exception Management

Do You Use Structured Exception Handling?

Examine how your application uses structured exception handling. Your design should mandate that structured exception handling be used consistently throughout the entire application. This creates more robust applications and your application is less likely to be left in inconsistent states that can reveal security vulnerabilities.

Do You Reveal Too Much Information to the Client?

Make sure that a malicious user cannot exploit the overly detailed information that an error message contains. Review the following points:

• Do you catch, handle, and log exceptions on the server?

  Make sure that the application does not let internal exception conditions propagate beyond the application boundary. Exceptions should be caught and logged on the server and, if necessary, generic error messages should be returned to the client.

• Do you use a centralized exception management system?

  The best way to handle and log exceptions consistently throughout your application is to use a formalized exception management system. You can also tie this system into monitoring systems that can be used by the operations team for health and performance monitoring.

• Have you defined a set of custom error messages?

  Your design should define the custom error messages will be used by your application when critical errors occur. Make sure they do not contain any sensitive items of data that could be exploited by a malicious user.

For more information about designing and implementing an exception management framework for .NET applications, see MSDN article, "Exception Management in .NET," at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/exceptdotnet.asp .