Security Auditing and Vulnerability Scan Services
When developing a software application, one must consider security issues during every phase of the development process. Security should not be an afterthought that is only addressed at the end of the project. Unless security was a focal point from the very beginning, you should probably be questioning whether your business organization's or nonprofit's web application is secure.
Kazzlo specializes in developing and deploying secure Microsoft-based web applications. We can perform a code audit or a vulnerability scan of your live site. Give us a call or send us an email if you'd like to discuss options.
Here's a list of security considerations that Microsoft recommends when developing ASP.NET 2.0 applications:
General Design Considerations
Security decisions do not rely on client-side validation; they are made on the server side.
The website is partitioned into public access areas and restricted areas that require authentication.
Navigation between public and restricted areas does not pass sensitive credential information.
The identities used to access remote resources from ASP.NET web applications are clearly identified.
Mechanisms are in place to secure credentials, authentication tickets, and other sensitive data.
A secure approach to exception management has been identified.
The site has granular authorization checks for pages and directories.
Web controls, user controls, and resource access code are each partitioned in their own assemblies.
Input / Data Validation
Do not rely upon ASP.NET request validation.
Validate input data for length, range, format, and type.
Validate input from all sources, such as the QueryString, cookies, and HTML controls.
Do not rely on client-side validation.
Avoid user-supplied file name and path input.
Do not echo untrusted input.
If you need to write out untrusted data, encode the output.
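The following is an added example, not code from Kazzlo or from the Microsoft checklist. It shows server-side validation of two hypothetical request parameters, "id" (type and range) and "displayName" (length and format against a whitelist pattern), and HTML-encoding of untrusted text before it is written back to the page. The sample inputs are constructed and stand in for values read from Request.QueryString.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility; on .NET Core / .NET 5+ this lives in System.Web.HttpUtility.dll

// Added example (not Kazzlo code): validate on the server, then encode on output.
public static class RequestInput
{
    // Whitelist for the hypothetical "displayName" parameter:
    // 1-40 letters, digits, spaces, hyphens or apostrophes.
    private static readonly Regex DisplayNamePattern =
        new Regex(@"^[A-Za-z0-9 '\-]{1,40}$", RegexOptions.Compiled);

    // Type + range check for the hypothetical "id" parameter: digits only
    // (no sign, no whitespace), at most 10 characters, value >= 1.
    public static bool TryParseRecordId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 10) return false;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id))
            return false;
        return id >= 1;
    }

    // Length + format check using the whitelist pattern.
    public static bool IsValidDisplayName(string raw)
    {
        return !string.IsNullOrEmpty(raw) && DisplayNamePattern.IsMatch(raw);
    }

    // Untrusted text that must be echoed is encoded, never written raw.
    public static string EncodeForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample inputs standing in for Request.QueryString values.
        string[] ids = { "42", "-1", "abc", "99999999999" };
        foreach (string raw in ids)
        {
            int id;
            bool ok = TryParseRecordId(raw, out id);
            Console.WriteLine("id={0,-12} valid={1}", raw, ok);
        }

        string[] names = { "Ada Lovelace", "<b>Bob</b>", "" };
        foreach (string raw in names)
        {
            Console.WriteLine("displayName={0,-14} valid={1} encoded={2}",
                raw, IsValidDisplayName(raw), EncodeForHtml(raw));
        }
    }
}
```

The validation rejects "-1", "abc" and the over-long value without ever reaching application logic, and "<b>Bob</b>" fails the whitelist; if such a value still had to be displayed (for example in an error message), EncodeForHtml renders it as `&lt;b&gt;Bob&lt;/b&gt;` so the browser shows text rather than markup. ASP.NET request validation is left enabled but is not relied on; these checks run regardless.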
Forms Authentication
Use membership providers instead of custom authentication.
Use SSL to protect credentials and authentication cookies.
If you cannot use SSL, consider reducing session lifetime.
Validate user login information.
Do not store passwords directly in the user store.
Enforce strong passwords.
Protect access to your credential store.
Do not persist authentication cookies.
Restrict authentication tickets to HTTPS connections.
Consider partitioning your site into restricted areas and public areas.
Use unique cookie names and paths.
Windows Authentication
Choose Windows authentication when you can.
Enforce strong password policies.
Authorization
Use URL authorization for page and directory access control.
Configure ACLs on your website files.
Use ASP.NET role manager for roles authorization.
If your role lookup is expensive, consider role caching.
Protect your authorization cookie.
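The following is an added example, not Kazzlo's code, covering both the Forms Authentication and Authorization items above. It is a login page code-behind that relies on the configured membership and role providers instead of a custom credential check, issues a non-persistent forms ticket, and performs the role check on the server in a restricted page. The control names (UserName, Password, LoginStatus), the page class names and the "Administrators" role are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not Kazzlo code): login via the membership provider.
// UserName, Password and LoginStatus are controls declared in the
// hypothetical Login.aspx markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        string pwd = Password.Text;

        // Validate login input (length bounds) before touching the credential store.
        if (user.Length == 0 || user.Length > 256 || pwd.Length == 0 || pwd.Length > 128)
        {
            LoginStatus.Text = "Invalid login.";   // same message for every failure
            return;
        }

        // The membership provider hashes and compares the password itself;
        // no plaintext password is stored or compared in application code.
        if (!Membership.ValidateUser(user, pwd))
        {
            LoginStatus.Text = "Invalid login.";
            return;
        }

        // createPersistentCookie = false: the forms ticket is a session cookie
        // and is not persisted to disk on the client.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}

// Added example (not Kazzlo code): server-side role check in a restricted page.
// Nothing supplied by the client (hidden field, query string, cookie value)
// decides the outcome; only the authenticated identity and the role manager do.
public partial class AdminReport : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated || !Roles.IsUserInRole("Administrators"))
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The per-page check complements, rather than replaces, URL authorization in web.config; the configuration entry keeps unauthenticated users out of the restricted directory, and the code-behind enforces the role requirement for this specific page. Role caching (cacheRolesInCookie in the roleManager section) only makes sense if the role cookie is also protected and requires SSL.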
Code Access Security
Consider code access security for partial trust applications.
Choose a trust level that does not exceed your application's requirements.
Create a custom trust policy if your application needs additional permissions.
Use Medium trust in shared hosting environments.
Data Access
Encrypt your connection strings.
Use least-privileged accounts for database access.
Use Windows authentication where possible.
If you use Windows authentication, use a trusted service account.
If you cannot use a domain account, consider mirrored accounts.
When using SQL authentication, use strong passwords.
When using SQL authentication, protect credentials over the network and in configuration files.
Validate untrusted input passed to your data access methods.
When constructing SQL queries, use type safe SQL parameters.
Avoid dynamic queries that accept user input.
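The following is an added example, not Kazzlo's code. It shows the same customer lookup written first as the dynamic query the checklist warns against (kept only as the 'before') and then with a typed SqlParameter after the input has been validated, reading its connection string from the configuration file. The connection-string name "AppDb" and the Customers table (columns Id, Name, Email) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not Kazzlo code): dynamic query versus parameterized query.
public static class CustomerData
{
    // The connection string comes from <connectionStrings> in web.config, which is
    // expected to be encrypted (see note below). The account it names should be a
    // least-privileged one with only the rights this lookup needs.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // DO NOT USE: the request value is spliced into the SQL text, so the input can
    // change the structure of the query. Shown only as the 'before'.
    public static string UnsafeQueryText(string customerIdFromRequest)
    {
        return "SELECT Name, Email FROM Customers WHERE Id = " + customerIdFromRequest;
    }

    // Hardened: check type and range first, then bind the value with a typed
    // SqlParameter so it is only ever treated as data, never as SQL.
    public static SqlCommand BuildLookupCommand(SqlConnection conn, string customerIdFromRequest)
    {
        int customerId;
        if (!int.TryParse(customerIdFromRequest, out customerId) || customerId < 1)
            throw new ArgumentException("customerId must be a positive integer");

        SqlCommand cmd = new SqlCommand(
            "SELECT Name, Email FROM Customers WHERE Id = @Id", conn);
        cmd.Parameters.Add("@Id", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    public static string GetCustomerEmail(string customerIdFromRequest)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = BuildLookupCommand(conn, customerIdFromRequest))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                return reader.Read() ? reader.GetString(1) : null;
            }
        }
    }
}
```

With Windows authentication the connection string carries `Integrated Security=SSPI` and names no password at all, so the process identity (a trusted service account) is what the database authorizes. Where SQL authentication is unavoidable, the connectionStrings section should be encrypted in place with the framework tool, for example `aspnet_regiis -pe "connectionStrings" -app "/MyApp"`, so the password never sits in plaintext in web.config.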
Exception Management
Use structured exception handling.
Do not reveal exception details to the client.
Use a global error handler to catch unhandled exceptions.
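The following is an added example, not Kazzlo's code. It is a Global.asax code-behind whose Application_Error handler records the full exception server-side and then sends the client a generic error page with none of the detail. The event-log source name "MyWebApp" (which must already be registered on the server) and the page "~/Error.aspx" are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example (not Kazzlo code): global handler for unhandled exceptions.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Full detail (type, request path, message, stack trace) stays on the server.
        Exception root = ex.GetBaseException();
        string detail = string.Format("Unhandled {0} at {1}: {2}{3}{4}",
            root.GetType().FullName,
            Request.Url.AbsolutePath,
            root.Message,
            Environment.NewLine,
            root.StackTrace);
        // "MyWebApp" is an assumed, pre-registered event source.
        EventLog.WriteEntry("MyWebApp", detail, EventLogEntryType.Error);

        // Clear the error so ASP.NET does not render its own detailed error page,
        // then transfer to a page that carries no exception information.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Server.Transfer("~/Error.aspx");
    }
}
```

This handler is the last line of defence; structured try/catch blocks around individual operations still handle the errors they can recover from. Pairing it with `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in web.config keeps detailed pages available on the server console for developers while remote clients always see the generic page.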
Impersonation / Delegation
Know your tradeoffs with impersonation.
Avoid calling LogonUser.
Avoid programmatic impersonation where possible.
If you need to impersonate, consider threading issues and clean up appropriately.
Avoid losing impersonation tokens.
Parameter Manipulation
Do not make security decisions based upon parameters accessible on the client side.
Validate all input parameters.
Avoid storing sensitive data in ViewState.
Encrypt ViewState if it must contain sensitive data.
Sensitive Data
Avoid plaintext passwords in configuration files.
Use platform features to manage keys where possible.
Do not pass sensitive data from page to page.
Protect sensitive data over the wire.
Do not cache sensitive data.
Session Management
Do not rely upon client-side state management options.
Protect your out-of-process state service.
Protect SQL Server session state.
Auditing and Logging
Use health monitoring to log and audit events.
Instrument for user management events and unusual activity.
Instrument for significant business operations.
Consider using an application-specific event source.
Protect audit and log files.
Deployment Considerations
Use a least-privileged account for running ASP.NET applications.
Encrypt configuration sections that store sensitive data.
Consider your key storage location.
Block protected file retrieval by using HttpForbiddenHandler.
Configure the MachineKey to use the same keys on all servers in a web farm.
Lock configuration settings to enforce policy settings.
Communication Security
Consider SSLv3 or TLS vs. earlier SSL versions or IPSec.
Optimize pages that use SSL.
Why Kazzlo International?
Large Team of Highly-Skilled Developers
100s of Successfully Completed Projects
Agile or Document-Driven Development
Offshore Labor with U.S. Project Manager
Highly Competitive Rates
Comprehensive Service Agreements
Detailed Project Status & Time Tracking
Please call us or email us today to see what we can do for you.
© 2023 Kazzlo International, LLC. All Rights Reserved.