There are some interesting articles by Michael Howard on
http://security.devx.com/bestdefense/default.asp

Especially the (5) tips on protecting web applications against data input
can be a help. I do not know of a 'security checklist', but it could be of
some use for a developer. But IMHO security should be part of the system
design, based on a threat model related to the business.

It is not a good idea to expose the source, because attackers can use it to
find vulnerabilities in the code (or the passwords if they are hardcoded,
which is absolutely not a good idea).

Regards,
Sebastien

-----Original Message-----
From: Graham Coles [mailto:graham.coles@RETAIL-LOGIC.COM]
Sent: Tuesday, May 01, 2001 7:32 PM
To: SECPROGat_private
Subject: guidelines for secure ASP pages

Someone recently asked me about this - are there any URLs or text files that
provide a routine checklist of things to be avoided when writing web pages
using ASP (i.e. not hardcoding passwords, etc.)?

The question was based around not being able to obtain the source of an ASP
page from IIS 4 (NT) - I've seen a number of ways around this, which I assume
have been fixed if all of the latest patches have been applied. However, is it
just a really bad idea to assume that unauthorized people won't be able to see
the source to these pages, or does this actually work in practice?

--
Graham Coles
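Sebastien's warning about hardcoded passwords and Graham's question about ASP source leaking from IIS both come down to the same check: whether a page contains secrets that are only protected by the source staying hidden. As an added example (not code from either poster), here is a small Python scanner that flags ADO connection-string passwords and password string literals in classic ASP source; the sample page, its credential values and the `Application("ConnString")` alternative are constructed for illustration.

```python
import re
import sys

# Constructed sample of a classic ASP page. Lines 5 and 6 embed secrets; line 7 is
# a VBScript comment and line 9 reads the connection string from an application
# setting (assumed to be populated outside the page, e.g. in global.asa).
SAMPLE_ASP = """<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=shop;" & _
          "User ID=sa;Password=Sup3rSecret"
Dim adminPassword : adminPassword = "letmein"
' Password=thisIsAComment should be ignored
Set conn2 = Server.CreateObject("ADODB.Connection")
conn2.Open Application("ConnString")
%>
"""

# Two shapes of hard-coded secret: the ADO connection-string keywords Password/Pwd,
# and a VBScript assignment of a string literal to a variable named like a password.
PATTERNS = [
    re.compile(r'(?i)\b(Password|Pwd)\s*=\s*([^;"\'\s]+)'),
    re.compile(r'(?i)\b(\w*(?:password|passwd|pwd)\w*)\s*=\s*"([^"]*)"'),
]


def mask(value: str) -> str:
    """Keep the first two characters so a finding is recognisable without echoing the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_hardcoded_credentials(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, keyword, masked_value) for each hard-coded secret in ASP source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith("'") or stripped.lower().startswith("rem "):
            continue  # VBScript comment line: not live code
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                keyword, value = match.group(1), match.group(2)
                if value:
                    findings.append((lineno, keyword, mask(value)))
    return findings


if __name__ == "__main__":
    # Scan .asp files given on the command line, or the constructed sample if none.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, text in sources or [("SAMPLE_ASP", SAMPLE_ASP)]:
        for lineno, keyword, masked in find_hardcoded_credentials(text):
            print(f"{name}:{lineno}: hard-coded {keyword} = {masked}")
```

The scanner is a review aid, not a proof of absence: a connection string built from pieces across several statements will not match these patterns.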
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:04:03 PDT