Security for Microsoft Visual Basic .NET. Authors: Robinson E., Bond M.J. Published year: 2003. Pages: 45-48/168
The perception by users that your Web site is secure is almost as important as actually securing it. Here are some basic principles for securing Web sites:
Use SSL and https for all sensitive data that users submit.
Allow users to browse your site anonymously, and require users to log in with a password before making a purchase or displaying any personal information. This helps prevent someone who has unauthorized access to a user's machine from accessing private information stored in your system.
Handle credit card and payment information sensitively. Ask users for permission before storing credit card information for return visits. If your site confirms credit card information, it might be sufficient to show only the last four digits of the credit card. This is enough for users to confirm your site is using the right card, without needlessly passing around the complete information.
Don’t require people to enter more information than they’re comfortable giving. For example, if they’re downloading trial software, do you really need to collect their phone number and other personal information?
Use unsolicited e-mail sparingly. Many people regard any form of unsolicited e-mail as spam, no matter how valuable you think the information is. Receiving unsolicited e-mail will make them wary of your site.
Protect people’s privacy. Formulate a privacy policy, display it on your site, and make sure you adhere to it.
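As an added example (not code from the book), the first two principles above map directly onto ASP.NET forms authentication settings in web.config: anonymous browsing is allowed site-wide, the login requirement is applied only to the checkout page and the account area, and the authentication cookie is restricted to SSL connections. The page name Checkout.aspx and the Account folder are assumed names for this illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication for the whole site. requireSSL="true" tells the
         browser to send the authentication cookie only over https, so a
         session cannot be replayed from a cookie sniffed on a plain http
         connection. protection="All" encrypts and signs the cookie. -->
    <authentication mode="Forms">
      <forms name="ShopAuth"
             loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             requireSSL="true" />
    </authentication>

    <!-- Site-wide default: anonymous visitors may browse the catalogue. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Making a purchase requires a logged-in user: "?" denotes anonymous
       users, so they are redirected to loginUrl before reaching this page. -->
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Pages that display personal information (assumed folder name) are
       likewise closed to anonymous users. -->
  <location path="Account">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

requireSSL only governs the authentication cookie; the login and checkout pages themselves still need to be served over https (for example by redirecting when Request.IsSecureConnection is False) so that the submitted password and card details are protected as well.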
What is a Web application? When asked this, most people think of an ASP, ASP.NET, PHP, or JSP application or perhaps a Web service. The defining feature of a Web application is the transport, not the technology used to implement it. Both traditional Web sites and Web Services use http as their transport. The effect of this is that http is becoming overloaded—not only is it used for delivering Web pages, but it’s also used for delivering rich information such as passwords and Web services. This means that applications need to be secured along with the network perimeter. As you’ve seen in this chapter, there are simple steps you can take to secure Web applications, and these are discussed in more detail in Chapter 11 and Chapter 13.
This chapter brings to a close the first section of this book, with guidelines for applying practices to secure Web form applications and Web services. Many chapters in this first section only scratch the surface of security—you could write an entire book on code-access security, encryption, or ASP.NET authentication and authorization. What this first section does deliver is an understanding of the architecture you can build on. The next section concentrates on specific lower-level coding and testing techniques for writing secure applications.
Key concepts in this chapter are:
Understanding various forms of attacks that can threaten Microsoft Visual Basic .NET applications
Preventing denial of service (DoS) attacks
Preventing directory-based or file-based attacks
Preventing SQL injection and cross-site scripting attacks
Executing child applications safely when using shell statements
Before you can start writing hack-resistant code or fortifying existing code against attack, you must first understand the types of attacks you are defending your code against. This chapter enumerates the attacks your Visual Basic .NET code is most vulnerable to. For each form of attack, techniques for avoiding the attack are presented.
Generally, attacks on shared networks or Internet systems and applications are launched at two different levels: system and application. This chapter focuses on application-level attacks, and more specifically on areas where Visual Basic .NET applications are vulnerable to attack. Chapter 11 and Chapter 12 provide techniques for defending your systems and databases against system-level attacks.