Appendix A: Security and ASP.NET Web Applications


Overview

In this appendix, I'll outline security issues that you need to be aware of and take into account when you create a Microsoft ASP.NET Web application. Web security is a huge area of study; you can find entire books devoted to the topic, such as the 528-page tome Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard (Microsoft Press, 2000). I won't be able to turn you into a Web security guru in this appendix, but I'll try to familiarize you with the most important security issues for Web applications, and I'll provide some guidelines and procedures for adding security to your Web applications.

I'll start by reviewing the security precautions you should take if you're hosting a Web site on your own computer. Later in the appendix, I'll talk about how to build security into your applications, whether you host them on your own computer or deploy them to a hosting site.

Note

By the way, among the computer cognoscenti, the term cracker is preferred for malicious users over the more widespread term hacker, which is used simply to mean skilled programmer. I'll follow that practice here.

start sidebar
Who Would Break into My Site?

Every Web site, no matter how modest and unassuming, no matter how anonymous it seems, will someday be the target of an attack. You might think that if you're just posting slideshows for the far-flung family or running the membership site for the school's PTA, no cracker would be interested in your site. That's true to some extent: the bad guys probably don't have it in for you and your site personally. But crackers are often just opportunists: many crackers use automated utilities to scan the Internet looking for likely targets. If crackers find a poorly secured site, they might break into it just for fun. Crackers can also turn your computer into a zombie that quietly monitors your Internet connection, waiting for the signal that tells your computer to mount an attack against someone else's site. There's no end to the mischief that some people can cause when given the opportunity to tamper with an unsecured site.

One way that malicious users find targets is by working through Internet Protocol (IP) addresses. All computers on the Internet are ultimately identified (and accessible) by their IP address, such as 10.231.40.54. Crackers run programs that generate a sequential series of IP addresses and then probe each address to see whether it represents an actual computer. Because users with cable modems typically have IP addresses within a known range, crackers can concentrate their efforts on the addresses likeliest to belong to computers that are always connected to the Internet.

So it's true that a cracker probably doesn't want to break into your site because of those vacation pictures you posted. What the intruder is really looking for is a computer with a stable connection to the Internet, with a known IP address, and with some vulnerabilities to exploit. If you host a Web site on your computer, you can't do much about the first two items the cracker is seeking, because you need those conditions for your site. However, you can do a lot to prevent an intruder from finding the last of the three conditions, a vulnerability, when visiting your computer.

end sidebar
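The sidebar describes the footprint a sequential address sweep leaves: one source touching many neighbouring addresses, often on the same port, most of them not running anything. The following is an added example, not code from the Starter Kit or from Microsoft, showing how to spot that pattern in firewall drop logs. The log format (a line carrying src=, dst= and dport= fields) and the sample lines are constructed for the example; adapt the regular expression to whatever your firewall or router actually writes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in an assumed simplified firewall format:
#   "<time> <action> src=<ip> dst=<ip> dport=<port>"
# The addresses come from the RFC 5737 documentation ranges; nothing here is
# a real host or a real capture.
SAMPLE_LOG = """\
2003-05-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.1 dport=80
2003-05-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.2 dport=80
2003-05-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.3 dport=80
2003-05-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.4 dport=80
2003-05-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.5 dport=80
2003-05-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.6 dport=80
2003-05-01T10:00:04 DROP src=198.51.100.7 dst=192.0.2.7 dport=80
2003-05-01T10:00:04 DROP src=198.51.100.7 dst=192.0.2.8 dport=80
2003-05-01T10:00:05 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
2003-05-01T10:00:09 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=443
2003-05-01T10:00:12 DROP src=203.0.113.44 dst=192.0.2.10 dport=1433
"""

# Field pattern for the assumed log format above.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse(log_text):
    """Extract (src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events


def sweep_scanners(events, min_targets=5, min_sequential=4):
    """Flag sources that look like a sequential address sweep.

    Returns {src: (distinct_destinations, longest_consecutive_run)} for every
    source that contacted at least min_targets distinct destinations and hit
    at least min_sequential of them at numerically consecutive addresses.
    A normal visitor talks to one or two hosts; a sweep walks the block.
    """
    targets = defaultdict(set)
    for src, dst, _ in events:
        # Work on the integer form so "consecutive" means adjacent addresses.
        targets[src].add(int(ipaddress.IPv4Address(dst)))

    hits = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        ordered = sorted(dsts)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_sequential:
            hits[src] = (len(dsts), longest)
    return hits


if __name__ == "__main__":
    for src, (count, run) in sweep_scanners(parse(SAMPLE_LOG)).items():
        print(f"{src}: {count} distinct targets, longest consecutive run {run}")
```

In the sample, 198.51.100.7 is reported (eight neighbouring addresses, all on port 80) while the two ordinary visitors are not. The thresholds are starting points: on a busy /24 raise min_targets, and on a home connection with a single public address you will see the sweep only as repeated probes of a few ports, so a companion check on distinct ports per source is the natural next step.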



From: Microsoft ASP.NET Web Matrix Starter Kit, by Mike Pope (Microsoft Press, 2003), ISBN 0735618569, 169 pages.