Stemming the Tide of Leaking Information


Your Web site has a data leak. It doesn’t matter how well you secure the site or whether the people using it are trustworthy, the data leak is there. Many developers discount the problem of data leaks because they think they have followed every security procedure. However, data leaks occur not because of a programming problem, but because of an implementation problem. Displaying any information at all on a Web site causes an information leak for your organization. Of course, since the purpose of a Web site is to provide information to viewers, your application wouldn’t be worth very much without at least a small information leak. In addition, some kinds of information leaks are actually good for your organization, such as when you announce a new product.

Part of your responsibility as a developer is ensuring your design doesn’t leak data that is better left private. For example, make sure your template contains only the information it needs to contain. Of course, the template still has to provide functionality, so you can’t leave it blank. Make sure that you don’t confuse protected company information with essential user information. You still have to make the Web page accessible and it still requires good help to avoid confusing the user.

Data leak protection can take other forms. For example, your organization might rely on a database to supply information for Web pages. At some point, your program will need to access the required database record, extract the data, apply it to a page, and output the result. This setup provides a perfect opportunity to scan for forbidden words, such as the name of a new secret project, during the extraction phase using regular expression parsing. The “Keeping Unnecessary Characters Controlled” section of Chapter 3 explains how to use data parsing for data input needs—the same principle applies to parsing content for Web pages. Obviously, this form of data leak protection won’t fulfill every need—a smart user that is determined to leak information will find some other words to do it. This limitation is the same reason that spam filters are only partially successful.

Many people complain that digital rights management is a bad thing and it can be a bad thing when used for the wrong purposes. This book doesn’t discuss matters legal, philosophical, or ethical, except when it comes to working with code. Information leaks occur when someone passes data from your Web site to a second person that shouldn’t view it. The data transferal can occur as part of covert information sharing or as an accidental data release as part of an email. If you want to maintain the secrecy of proprietary company information that you must make available on the Internet, make sure you use digital rights management. Even if someone obtains a copy of the file, it’s useless without the password required to open it for viewing.

After you decide to protect the file using some type of encryption (such as password protection for Adobe Acrobat files), you should also use data encryption to transfer the data. The “Implementing Data Encryption” section of the chapter discusses techniques for performing this task in a Web environment. (We discussed the desktop environment in Chapter 7—it helps to read this chapter before you start working with the Web environment.)

Ensuring no one can access your data without permission and then guarding the data through encryption doesn’t accomplish much if you don’t protect the means for obtaining it. The “Creating a Simple System.Web.Security Namespace Program” section of Chapter 13 discusses authentication techniques that especially affect Web applications. For example, “Defining File Security Using the FileAuthorizationModule Class” section, also in Chapter 13, discusses the special requirements for protecting file downloads—an essential part of keeping data leaks under control.




.Net Development Security Solutions
.NET Development Security Solutions
ISBN: 0782142664
EAN: 2147483647
Year: 2003
Pages: 168

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net