1 / 38

Writing Secure Code for ASP

Speaker.Bio.ToString(). CTO and co-Founder of Corzen, IncMicrosoft MVP and INETA Speaker International Conference Speaker for 9 Years Wrote a few books on databases and developmentCo-moderator

xue
Download Presentation

Writing Secure Code for ASP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Writing Secure Code for ASP .NET Stephen Forte CTO, Corzen Inc Microsoft Regional Director NY/NJ (USA)

    2. Speaker.Bio.ToString() CTO and co-Founder of Corzen, Inc Microsoft MVP and INETA Speaker International Conference Speaker for 9+ Years Wrote a few books on databases and development Co-moderator & founder of NYC .NET Developers Group http://www.nycdotnetdev.com Former CTO of Zagat Survey Steve is cool.Steve is cool.

    3. Agenda Why Care? Best Practices for Writing Secure Code Query String and Input Validation SQL Injection Storing Secret Data Exception Handling XSS and HTML Management

    4. What we won’t cover Administrative Security Authentication and Authorization from an Admin level Code Access Security from an Admin level Cryptology

    5. Agenda Why Care? Best Practices for Writing Secure Code Query String and Input Validation SQL Injection Storing Secret Data Exception Handling XSS and HTML Management

    6. Writing Secure Code Developers usually think that security is an administrative problem, not a coding problem While several security issues are administrative in nature, you can write secure code to protect your application Some simple changes to your coding style can result in massive security holes closed

    7. Agenda Why Care? Best Practices for Writing Secure Code Query String and Input Validation SQL Injection Storing Secret Data Exception Handling XSS and HTML Management

    8. Input and Query String Validation All user input is evil! Not properly validating user input can lead to: SQL Injection XSS (Cross Site Scripting)

    9. Do Not Trust User Input Validate all input Guilty until proven innocent: assume all input is bad until you prove otherwise Look for valid data and reject everything else Don’t assume that your client validations were applied, revalidate on the server (a hacker can bypass your client scripting) Avoid Query Strings altogether if possible Consider all user input as harmful until proven otherwise. Look for valid input and deny everything else. Do not do the opposite and look for invalid data, reject it, and then let everything else in. Hackers can circumvent client-side validation. Consider performing validation often and close to the threats. For example, validate data on the server before committing it to a database. Invalidate input that is too large. Invalidate input that contains dangerous characters or keywords, such as scripting elements (<script>, <object>), reserved SQL characters and keywords (- -, INSERT, xp_cmdshell), or file traversal characters (..\). Use the mantra: Constrain, Reject, and Sanitize. One of the most powerful ways to constrain data input is through validation controls and regular expressions. The example regular expression ( \w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)* ) checks that the input string is of the correct form for an Internet e-mail address.Consider all user input as harmful until proven otherwise. Look for valid input and deny everything else. Do not do the opposite and look for invalid data, reject it, and then let everything else in. Hackers can circumvent client-side validation. Consider performing validation often and close to the threats. For example, validate data on the server before committing it to a database. Invalidate input that is too large. Invalidate input that contains dangerous characters or keywords, such as scripting elements (<script>, <object>), reserved SQL characters and keywords (- -, INSERT, xp_cmdshell), or file traversal characters (..\). Use the mantra: Constrain, Reject, and Sanitize. One of the most powerful ways to constrain data input is through validation controls and regular expressions. The example regular expression ( \w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)* ) checks that the input string is of the correct form for an Internet e-mail address.

    10. Ways to Validate Input Client Side: Validation Controls Server Side: Regular Expressions (RegEx) are your friend Validate for TLRF: Type checks Length checks Range checks Format checks

More Related