The perception by users that your Web site is secure is almost as important as actually securing it. Here are some basic principles for securing Web sites:
Use SSL and
Allow users to browse your site anonymously, and require users to log in with a password before making a purchase or displaying any personal information. This helps prevent someone who has unauthorized access to a
Handle credit card and payment information sensitively. Ask users for permission before storing credit card information for return
Don’t require people to enter more information than they’re comfortable giving. For example, if they’re downloading trial software, do you really need to collect their phone number and other personal information?
Use unsolicited e-mail sparingly. Many people regard any form of unsolicited e-mail as spam, no matter how
What is a Web application? When asked this, most people think of an ASP, ASP.NET, PHP, or JSP application, or perhaps a Web service. The defining feature of a Web application is the transport, not the technology used to implement it. Both traditional Web sites and Web services use HTTP as their transport. The effect of this is that HTTP is becoming overloaded: it is used not only for delivering Web pages, but also for delivering rich information such as passwords and Web service calls. This means that applications need to be secured along with the network perimeter. As you’ve seen in this chapter, there are simple steps you can take to secure Web applications, and these are discussed in more detail in Chapter 11 and Chapter 13.
Key concepts in this chapter are:
Understanding various forms of attacks that can threaten Microsoft Visual Basic .NET applications
Preventing denial of service (DoS) attacks
Preventing directory-based or
Preventing SQL injection and cross-site scripting attacks
Executing child applications safely when using shell statements
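To make the SQL injection and cross-site scripting items concrete, here is an added Visual Basic .NET example that is not the book's own code: the same order lookup written with string concatenation and with a parameter, plus HTML encoding of output. The table, column, and parameter names are assumed for illustration.

```vbnet
' Added example, not from the book. Table "Orders", its columns, and the
' parameter name "@name" are assumed for illustration.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

Public Module InputHandling

    ' Vulnerable: the user-supplied value is concatenated into the SQL text.
    ' A single quote in customerName ends the string literal, and whatever
    ' follows it is parsed as SQL rather than treated as data.
    Public Function GetOrdersUnsafe(conn As SqlConnection, customerName As String) As SqlDataReader
        Dim sql As String = "SELECT OrderId, Total FROM Orders WHERE CustomerName = '" & customerName & "'"
        Dim cmd As New SqlCommand(sql, conn)
        Return cmd.ExecuteReader()
    End Function

    ' Hardened: the value travels as a typed parameter. The query text never
    ' changes, so the database never parses the input as SQL.
    Public Function GetOrdersSafe(conn As SqlConnection, customerName As String) As SqlDataReader
        Dim sql As String = "SELECT OrderId, Total FROM Orders WHERE CustomerName = @name"
        Dim cmd As New SqlCommand(sql, conn)
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName
        Return cmd.ExecuteReader()
    End Function

    ' Cross-site scripting: encode user-supplied text before writing it into a
    ' page, so markup in the input is displayed as text rather than executed
    ' by the visitor's browser.
    Public Function RenderGreeting(displayName As String) As String
        Return "<p>Welcome, " & HttpUtility.HtmlEncode(displayName) & "</p>"
    End Function

End Module
```

Use GetOrdersSafe and RenderGreeting in application code; GetOrdersUnsafe is shown only so the two query forms can be compared side by side.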
Before you can start writing hack-resistant code or fortifying existing code against attack, you must first understand the types of attacks you are defending your code against. This chapter enumerates the attacks your Visual Basic .NET code is most vulnerable to. For each form of attack, techniques for avoiding the attack are presented.
Generally, attacks on shared networks or Internet systems and applications are launched at two different levels: system and application. This chapter focuses on application-level attacks, and more