Developing a Secure Web-based Application Installation


The concept of the flawless Web-based application installation is a myth. If you secure the application according to every guideline, some user will leave their name and password lying around for the nearest cracker to find. Removing every vulnerability in your application only means that your application is more secure—all of the vulnerabilities left by product vendors are still in place. In addition, crackers are usually able to come up with a new vulnerability. Adding firewalls and layers of security will slow a cracker down, but not stop one completely. Having an external hacker consultant test your application will help you find the flaws that hacker is able to find, but you’ll eventually come across a cracker who can find the one hole the hacker didn’t. Training and education reduce security risks but don’t prevent them, and even that assumes the user is interested in using the training. Most military experts will tell you that you win wars by exploiting the lack of diligence on the part of the opponent—as a defender you require an extra measure of diligence.

However, you can create a secure application installation by looking for the obvious. Crackers are patient; they have hours on end to look for the smallest hole in your security, but like anyone else, they’ll eventually look for an easier target if your Web site proves too difficult to crack. Unfortunately, even this assumes that you haven’t made some outrageous claim about the security of your Web site or done something else to attract attention. In general, it’s best to keep your security strategy as quiet as possible and not attract attention to it.

Simple solutions often mean looking at vulnerability lists published by the leading security experts. For example, the article entitled “Open Source Group Issues Top Ten Web Vulnerabilities” at http://www.internetnews.com/dev-news/article.php/1568761 provides a checklist you can use to check your applications. I often combine the lists of several organizations to create my own security checklist. Yearly updates ensure that my checklist doesn’t get too far out-of-date, but also mean that I don’t spend an inordinate amount of time creating a checklist rather than performing useful work. Here are some other Web sites you should consider checking:

SANS / FBI Top 20 List http://www.sans.org/top20/

Russ Harvey Consulting Services http://www.russharvey.bc.ca/rhc/websecurity.html

The Top 10/20 Internet Security Vulnerabilities—A Primer https://courseware.vt.edu/marchany/NS2000/top10a.ppt

The Open Web Application Security Project http://www.owasp.org/guide/

Some of these sites also provide advice on how to eliminate the security threats now that you know about them. For example, the SANS site at http://www.sans.org/top20/top10.php tells how you can eliminate the 10 most critical Internet application security threats. Don’t discount advice provided for other operating systems either. Most of that advice works fine for your ASP.NET application.

Tip

The trade press does a good job of covering the latest virus or significant threat. However, you might want to catch up on some of the more subtle threats from time to time. Online newsletters such as Internet Security Review (http://www.isr.net/) can give you a decided advantage when it comes to learning about the next major security threat.




.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168