Hacking the Code: ASP.NET Web Application Security [Electronic resources] - Text version

James C. Foster, Mark M. Burnett


Code Audit Fast Track

Securing Database Drivers

Limiting the Attack Surface

Has either the software engineering or IT team removed all extraneous drivers before the database reaches a production environment?

Is there a policy in place to periodically check for software security updates and patches?

Securing Database Drivers

Is each database driver you are using set to run in the most secure context available, such as Sandbox mode for the Jet driver?

Is IIS set to record Web server activity?

Are the database drivers recording login attempts?

Securing Databases

Securing the Database Location

Are you using firewalls to restrict access to your application?

Have you evaluated whether you should place the data source in the same environment as the Web server or separated from the Web server behind another firewall?

Ensuring Least Privilege

Do the users, applications, and processes have the minimum required permissions to complete their functions?

Are firewalls restricting the ports available for communication to the smallest required set?

Are you using either IPSec or SSL to restrict which computers can communicate with your database?

Securing the Database

Have you strengthened the sa account’s password?

Have you removed extended stored procedures and network libraries (netlibs) you are not using?

Have you removed all sample databases, sample stored procedures, and sample code from the database before using it in a production environment?

Writing Secure Data Access Code

Connecting to the Data Source

Have you carefully evaluated which authentication method to use and chosen Windows Authentication if feasible?

Are your connection strings protected using encryption and ACLs where applicable?

Have you created and applied roles, groups, and permissions to appropriately restrict the access of your database users?

Preventing SQL Injection

Do the software engineering and programming teams understand the mechanics of an SQL injection attack?

Are there various overlapping mechanisms in the code to prevent SQL attacks, such as escaping and filtering input, use of SqlParameters, and properly processing errors on the server side?

Are there policies in place to periodically research the latest SQL injection attacks to ensure that your code is still protected from new attacks?

Writing Secure SQL

Does query code retrieve the minimum set of required data from the database?

Depending on the needed security of the module, have additional security checks been applied, such as expected result set size or content parameters?

Has the software engineer written code structured to maximize security?

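Added example for the "Preventing SQL Injection" and "Writing Secure SQL" items above (not code from the book): a concatenated query shown for contrast next to its parameterized replacement using SqlParameter, with the minimum column set, an expected-result-set-size check, and server-side error processing that keeps driver detail out of the response. The Users table and its columns, the connectionString value, and the log callback are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable pattern, shown only for contrast: the caller's value is spliced into the
    // SQL text, so the data can change the statement's meaning.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Hardened lookup: the query asks for only the column it needs, the value travels as a
    // typed, length-bounded SqlParameter (never parsed as SQL), and the result set size is
    // checked against what a unique-key lookup must return. The Users table is assumed.
    public static string FindUserEmail(string connectionString, string userName)
    {
        const string sql = "SELECT Email FROM Users WHERE UserName = @userName";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;        // no such user
                string email = reader.GetString(0);
                // Expected-result-set check: a second row means the data or query is wrong.
                if (reader.Read()) throw new InvalidOperationException("Unexpected result set size");
                return email;
            }
        }
    }

    // Server-side error processing: log the detail for operators and return a generic
    // message, so the browser never sees SQL fragments, table names, or driver error text.
    public static string SafeLookup(string connectionString, string userName, Action<string> log)
    {
        try
        {
            return FindUserEmail(connectionString, userName) ?? "No such user.";
        }
        catch (SqlException ex)
        {
            log("User lookup failed: " + ex.Message);
            return "The request could not be completed.";
        }
    }
}
```
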
Reading and Writing to Data Files

Has the application’s file system been locked down using both NTFS and IIS permissions?

If your application creates or reads files on the server, is the user prevented from influencing the name of the file created or read?

If your application creates files based on user action, have precautions been implemented to prevent a user from using excessive amounts of disk space?
