Twenty DONTS for ASP Developers

Networking/Security Forums -> Programming and More

Author: chrisLocation: ~/security-forums PostPosted: Fri Jul 05, 2002 12:56 am    Post subject: Twenty DONTS for ASP Developers
Firewalls block hackers from directly connecting to your network shares. Windows administrators keep their systems up-to-date with the latest software patches to thwart worms such as Nimda and Code Red. And user passwords are stronger than ever. But are we secure yet? While the situation is much better than it was just a couple years ago, many companies are still quite vulnerable to a number of attacks. Blocking ports and installing patches has not stopped hackers, it has just forced them to find new ways to break in. And chances are, the first place they are going to look is your Web application.

The problem is that while you may have a team of experts to secure your network, you are still dependent on your developers to secure your Web application. Are they properly trained to take on the most sophisticated hackers in the world? Are they at least good enough to defend themselves from a script kiddie who just read a tutorial on SQL injection? Many companies are now realizing that their code is not as secure as it should be.

This article will offer twenty tips for ASP programmers. These are not tips on how to secure a Web application, they are twenty things that ASP developers should avoid doing in order to develop secure Web applications. Unfortunately they address twenty common mistakes that we see over and over again on Web applications.

Thinking securely is often an unnatural transition for programmers. After years of learning how to make things easy for users, you must now consider how to make things hard for hackers. As you balance features, schedule, and budget, you must also keep hackers from using your code against you. While there is much to do when building a secure Web application, you can at least start with these twenty things you shouldn't do. So take this list and with it take hard look at your ASP source. You might be surprised what you find.

Author: haydiesLocation: Hades PostPosted: Wed Oct 23, 2002 7:21 pm    Post subject:
You can sum most of that up with

Don't trust a user.

One thing though, its unfair to say don't trust your DB epspecialy if the data came from the user.

If the data isn't from the user then it never changes so its safe or it dosn't work.

As to user input, well, every thing else says check thats got nothing bad in it, so even that is safe once in the DB

Rule 1 of the developers hand book: Users are all idiots, so never ever trust any thing to them.

One other thing, a lot of this isn't just security, its stopping bugs. Leave a single ' or " in the text, then try to insert it in to the DB....

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Mon Dec 16, 2002 2:17 pm    Post subject:
Another good article here with SQL injection and Cross site scripting examples and explanations:

Networking/Security Forums -> Programming and More

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group