Re: guidelines for secure ASP pages

From: Deleersnyder, Sebastien (sebastien.deleersnyderat_private)
Date: Wed May 02 2001 - 04:16:17 PDT


    There are some interesting articles by Michael Howard on
    http://security.devx.com/bestdefense/default.asp
    Especially the (5) tips on protecting web applications against
    data input can be a help.
    I do not know of a 'security checklist' but it could be of
    some use for a developer. But IMHO security should be part
    of the system design based on a threat model related to the
    business.
    It is not a good idea to expose the source, because attackers
    can use these to find vulnerabilities in the code (or the
    passwords if they are hardcoded, which is absolutely not a
    good idea).
    
    regards,
    
    Sebastien
    
    -----Original Message-----
    From: Graham Coles [mailto:graham.coles@RETAIL-LOGIC.COM]
    Sent: Tuesday, May 01, 2001 7:32 PM
    To: SECPROGat_private
    Subject: guidelines for secure ASP pages
    
    
    Someone recently asked me about this - are there any URLs
    or text files that provide a routine checklist of things to be
    avoided when writing web pages using asp (i.e. not hardcoding
    passwords etc)?
    
    The question was based around not being able to obtain the
    source of an asp page from IIS 4 (NT) - I've seen a number
    of ways around this which I assume have been fixed if all of
    the latest patches have been applied, however is it just a
    really bad idea to assume that unauthorized people won't
    be able to see the source to these pages or does this actually
    work in practice?
    
    --
    Graham Coles
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:04:03 PDT