Security and ASP.NET
Julia Lerman Blog – Don’t Be Iffy…
Julia Lerman has been preparing for a presentation she is giving on ASP.NET security. It’s been an eye opener for her. It usually is for me too. That’s why, even though I know I’m going to have to sit through 30-45 minutes of “check your inputs”, I continue to go to every web security presentation I can. There is always an extra nugget of information that I didn’t know before. If there isn’t, I automatically label the presentation as “a newbie presentation”. “Pre-school security”.
Don’t we all? Isn’t that what we were told to do? ASP.NET protects the web.config file so nobody can browse to it and see your connection strings, logins and passwords and whatever else you have hidden in there. Right?
But guess what, that’s just not good enough anymore! Hackers who know how to get into your web server and get around ASP.NET can get at the web.config file.
That’s kind of like the old mantra, “If you’re running untrusted code under the root account on your box, it’s not your box anymore”.
There are lots of things you can do to mitigate the severity of a compromised database: not storing any passwords in clear text and encrypting personal information (credit card numbers and that sort of thing) is a start. Sequestering the DBs on a separate subnet behind a firewall is another idea.
Whenever I think about the security necessary for my application or system, I think about Dana Epp’s 8 rules of security.
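As an added example (not code from this post or from Julia Lerman’s), ASP.NET 2.0’s protected-configuration feature can encrypt the connectionStrings section of web.config in place, so the file on disk no longer carries clear-text credentials; the `ConfigProtector` class and `appPath` parameter are assumed names, and the comments spell out what this does and does not buy you.

```csharp
// Added example, not from the original post. Assumes ASP.NET 2.0 or later and that
// this runs inside the web application (e.g. from an admin page) under an identity
// that is allowed to write web.config.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI provider: the key is tied to this machine, so a copy of the encrypted
    // web.config is useless elsewhere. Use RsaProtectedConfigurationProvider when
    // the same web.config has to work on every box in a web farm.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypt <connectionStrings> once; subsequent calls are no-ops.
    public static void ProtectConnectionStrings(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null) return;

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reads are transparent: ASP.NET decrypts on access, so application code does
    // not change. That is also the limit the post is driving at: anyone who can run
    // code under the application's identity on this server can call this and read
    // the value, so encryption reduces exposure of the file, not of the box.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Keep the database on its own subnet and the passwords hashed regardless; this only raises the bar for someone who can read files but not execute code as the application.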
http://silverstr.ufies.org/blog/archives/000468.html