practicesexamples

Cancel Edit [WikiEntry.PreviewButtonText] Save
Return to HomePage


"Practices at a Glance" Samples from Improving Web Application Security

Source: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp
* *How to write secure managed code. * Use strong names to digitally sign your assemblies and to make them tamperproof. At the same time you need to be aware of strong name issues when you use strong name assemblies with ASP.NET. Reduce your assembly attack profile by adhering to solid object oriented design principles, and then use code access security to further restrict which code can call your code. Use structured exception handling to prevent sensitive information from propagating beyond your current trust boundary and to develop more robust code. Avoid canonicalization issues, particularly with input file names and URLs. For information about how to improve the security of your managed code, see Chapter 7, "Building Secure Assemblies." For more information about how to use code access security effectively to further improve security, see Chapter 8, "Code Access Security in Practice." For information about performing managed code reviews, see Chapter 21, "Code Review."

* *How to handle exceptions securely. * Do not reveal internal system or application details, such as stack traces, SQL statement fragments, and so on. Ensure that this type of information is not allowed to propagate to the end user or beyond your current trust boundary. Fail securely in the event of an exception, and make sure your application denies access and is not left in an insecure state. Do not log sensitive or private data such as passwords, which could be compromised. When you log or report exceptions, if user input is included in exception messages, validate it or sanitize it. For example, if you return an HTML error message, you should encode the output to avoid script injection. For more information, see the "Exception Management" sections in Chapter 7, "Building Secure Assemblies," and in Chapter 10, "Building Secure ASP.NET Pages and Controls."

Examples of Practices at a Glance

* Security Practices at a Glance: .NET Framework 1.1: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp
* Performance Practices at a Glance: .NET Framework 1.1: http://msdn.microsoft.com/library/en-us/dnpag/html/ScaleNet-AtGlance.asp


Return to HomePage
Cancel Edit [WikiEntry.PreviewButtonText] Save
Microsoft Communities