Tools And Technologies For A Highly Secure Web Application?
Sep 25, 2010
We're planning to build a web application that needs to be highly secure because a lot of money and reputation is at risk. Therefore I'm looking for tools and technologies that in that endeavor. The tools and technologies should prevent things like SQL injection, cross-site scripting vulnerabilities, remote code execution etc.
Our team has a solid knowledge about such vulnerabilities. But every developer makes mistakes, and a simple mistake shouldn't lead to a security vulnerability. They should be prevented or detected by web application framework, application server, programming language, security library, code analyzer etc.
A simple example: If you insert data into HTML, it needs to be escaped so it's properly displayed and not misused for injecting scripts. Some web application frameworks put this burden on the developers. If they forget the escaping in one place, they've got a security problem. A good tool wouldn't just do the escaping automatically, it would even prevent the developers from doing it forcefully.
I'm not looking for recommendations regarding the firewall (we have a good one), hardening the operating system (that's part of the plan), use of encrypted communication (it will be the only option) and secure authentication (a hardware token will be used). Rather, the recommendations should center around the application server and the web application software to be built.
We also fully understand that writing secure software is more than just technology: It involves knowledgable people, management attention, time and money and software quality processes. So far, this is not the problem and not the focus of this question.
I should mention that we have a certain bias towards Java and .NET.
So what tools and technologies or combinations thereof can you recommend us?
i want to develop an asp.net mobile web application whith Ajax features. i dont khnow whether these technologies are supported in mobile developpement?
what stups should i follow to make such project ( IDE + SDK....) . finally what are free windows mobile emulator ( except Microsoft ones)?
I am using Visual Studio 2008 Pro SP1. Every time I try to access the security tab in Web Application Administration Tools I get this message:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may in diagnosing the problem: Unable to connect to SQL Server database.
Suppose I have two threads(Thread1, Thread2) where the threads are accessing the cache for a given object such as in the code below nearly at the same time:
Dim expensiveToGetData = Cache("ExpensiveDataKey") If ExpensiveToGetData is nothing then 'because the cache has expired ExpensiveToGetData = LoadExpensiveDataFromDataSource() Cache("ExpensiveDataKey") = ExpensiveToGetData end If ProcessExpensiveData(ExpensiveToGetData)
Isn't it possible for both threads to load the cache because they both requested data from the cache that was nothing/expired? I've run some tests on a local machine and it seems that the cache is being loaded more than once. Is this a normal pattern?
I have a Web Application (C# pages mixed with ASP.NET and some Javascript pages) on a Windows 2008 Server with IIS 7.0. I have just a few users that will hit this externally (not on the server). So in order for them to get a simple Username/Password form to pop up, what must I do? Could the users Usernames and Passwords just be added to a section in the webconfig file so I could maintain it that way?
I am rather new to asp.net but I have built a couple of apps that do not require users to login. am having some problems moving my secure .net application from my laptop to a production server, however, and I am hoping someone can help me. On my laptop my application's user authentication functions as it should, but when I move my application to a webserver I get an assortment of errors. Forgive me if these questions are a little basic. My first question is this. In a production environment do I move the ASPNETDB.MDF file in the App_Data folder to my SQL server? Is it OK to rename it to something more descriptive?
I am trying to find a solution to control the number of logins on asp.net application. I need to install the application in the client server, and set the number of licences. e.g. only 10 users are allowed to access the app.
Every time someone tries to login I need to check how many user are logged in, compare with the total allowed then authorize that user to proceed.
I tried with Certificate, but I couldn't see where to match the number of logged in users with the max number of allowed user.
Also I would like to use the IP address as identifier, then if I open 3 browser windows, it count only one user logged.
Basically this web application will be sold by licences. We need to control the logins per computer, and not per user, and block logins if the limit of logins are reached.
We need to secure how our web application access our SQL 2008 database on our hosted server. Any pointers where this is covered in detail? We have the following questions:1. right now the network service account runs the application pool containing our application in IIS. Should we define a local windows user account to run this application in IIS 6? Should we switch to Windows authentication?
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
I have a browser compatibilty problem with https? I have SSL installed and is in usage. Until today morning, my https part is working well. From then, Https is shown as https(with slashed in red color) saying the page has some insecure content. I have not changed any code and suddenly i see this problem in chrome. In IE 8, i see the same problem but on every page, it shows me a popup if i should allow to opne secure and non secure or just secure. Firefox has no issues . It shows correct https without any problem. I am fed up with it searching all over. Why is this happenening for me in Chrome and IE 8.
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
Is it possible for us to integrate the junit test cases for an application for which we are developing using the ASP.Net Platform?Since I am from Java j2ee Tech background, have a very less knowledge on .Net Technology
I often come across some nice web sites and I want to know what technologies (PHP, JSP, ASP.NET, etc) are used to build those web sites.The web address of some web sites end with ".aspx", ".php", ".jsp", etc. But some web address do not contains any indicators.Is there any systematic way we can use to know the technologies used by a web site?
I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
why is this happening as i want all the pages to be secure by SSL.
After logging to the mvc site using a secure connection (https), calling actions using https connection show up with the user logged in but calling actions using http it bahaves as if user didn't log on. Since I need to use a virtual directory for https connections(and can't use that directory for http connection) Https links start with: [URL]
I'm working on a legacy web application - frames and a mixture of html, asp and aspx. The entire site is https. For some strange reason when I hit a specific page I get the magic message that says the Page contains both secure and nonsecure items. (IE obviously doesn't want to tell me what those resources are) I have checked the page that's being loaded and there are absolutely no http://... links - everything is relative links.
I have fired up fiddler and checked what's being requested - everything looks fine. I am completely at wit's end here. I have absolutely no idea why I'm getting this message, but it's completely screwing with the site.
My background is asp.net development and I took part in several projects where developer team was free to choose server-side programming technology (PHP, ASP.NET[Web Forms/MVC], JSP) & free to buy any CMS. Looking backward I realize technology & approach we chose often wasn't the best one. I'll enumerate some projects: One web portal (ASP.NET Web Forms) - Originally It was .Net Nuke every developer knew nothing about & was snobbish enough to learn. Previous team modified Nuke engine the way it couldn't be upgraded (they added rows and relations to standard tables). So we rewrote it from the scratch. Big mistake. We spent a year to achieve previous functionality. Business felt trapped - they could not fire us and could not stand us. Another web portal (ASP.NET Web Forms) - Portal was very specific (trading) so we start developing from the scratch. Everything was fine half a year but as project grew business wanted to see more and more basic functionality (forums, blogs). May be we should wrote lots of modules for standard cms instead of developing from scratch. One specific 5-paged site with massive reporting - ASP.NET MVC and it was ok. Several small specific questionnaires - ASP.NET MVC and it was ok also. There were projects where I had to support legacy web systems and there was no choice. I feel (and it's very subjective) that server-side technologies niches are the following (when you have a choice what to choose):
Standard company sites & blogs/forums/communities (the most part of all web development) - is PHP CMS area (Wordpress, Joomla, Drupal e.t.c.). If team has asp.net background they should choose asp.net CMS (Nuke, Sharepoint) Small / Specific sites - PHP/ASP.NET niche (but if it can grow choose CMS from the very beginning) Intranet company ecosystems - ASP.NET mostly (CMS or not) I know every task can be accomplished with technologies you are most familiar with, but what do you think of nowadays niches? Shall developers use CMS for every site larger than 3 pages as every site functionality tends to grow and there are lots of modules written for us? Even if site looks too specific it's better to write modules for well-known CMS than to write sites from scratch. What is JSP niche?
I worked on NHibernate around 4 years ago, now in one of the project I want to implement it again. Can someone share their experiance about latest tools available to speedup the development of NHibernate.I have used a tool to generate ORM Mapping (I think its name was Puzzle.Net)
I am having a scenario, where i need to decode ASP.NET FormsAuthentication Cookie in other language to accomplish Single Sign-On.
I am having a ASP.NET website, that also has WCF Authentication service. But I have just come know that even Java and PHP Application are also going to use my Authentication Gateway to authenticate user and so enable Single Sing-On.
I am done with the same in .NET application but to perform same in non-.NET techs, I need to decode FormsAuthentication Cookie of browser. FormsAuthentication Cookie are Encrypted so there must exist a algorithm that can decode it or a kind of dll that I can load in Java and read it.
Does anyone know how to convert backend data to a json response using .NET technologies? It'd be nice to have this and use jquery to call some information on the backend.
This is a question for who works with both PHP and ASP.NET/C#/VB.I plan on learning both languages over time, but I am curious in the order you learned both technologies? And Why?Maybe you just chose by time/ease to become good in the language or you just prefer one language over the other.I want to learn both technologies so, if for some reason my projects don't workout, I have a backup plan as a web developer for clients. I would really like to service both sides of the isle, Windows and LAMP
