1

I have read about SecureString to avoid cleartext storage of sensitive information in memory, to protect against attacks on memory, garbage heap or page file. However based on this post it seems like this is not beneficial in ASP .NET.

I also saw this answer which suggest using an array as this does not have the immutability issues which a System.String has. I considered using a ByteArray instead to store my data. I took a look at the code of the ByteArrayModelBinder but noticed that this is using a string internally before converting to a ByteArray. Per my understanding this is not useful either as it is already written insecurely to memory by the model binder.

What is the best way to handle this securely in ASP .NET MVC? FWIW I understand that an attacker will require significant permissions to perform such an attack however I will have to address this issue.

Jeroen
  • 3,443
  • 2
  • 13
  • 15
  • This might be better asked on [Software Engineering](https://softwareengineering.stackexchange.com/) – gabriel.hayes Jan 06 '20 at 22:54
  • See [Is there any benefit to using SecureString in ASP.NET](https://stackoverflow.com/questions/4463821/is-there-any-benefit-to-using-securestring-in-asp-net) and [How does one prevent passwords and other sensitive information from appearing in an ASP.NET dump?](https://stackoverflow.com/questions/9964281/hows-does-one-prevent-passwords-and-other-sensitive-information-from-appearing-i). The latter is a possible duplicate. – John Wu Jan 06 '20 at 22:59

0 Answers0