
I am creating an ASP.NET MVC 3 web application which is used for looking up very private data at home. The data is stored in a database on the server, on which the IIS-Server is running. Since I have finished most parts of the actual programming, I want to make the application as secure as possible. I am already using https, but I guess this won't be enough. What I'm looking for is something like... sending the data requested encrypted over the wire and decrypt it at the client locally, or something like that.

Anyone, ideas?

Kevin Suppan
  • Web application security is a massive field. No single thing, or simple combination of things, is going to "make you secure". Do a lot of research and ensure that principles and processes are carefully followed. One good place to start, regarding your own source code, is the OWASP top ten https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – Cheekysoft Dec 28 '11 at 14:29

4 Answers

6

The best resource I've found about web security with ASP.NET is the below, written by Troy Hunt:

OWASP TOP 10 for .NET developers

Absolutely priceless!

He even made an ebook out of it that you can download as a pdf:

ebook

Yag

3

What I'm looking for is something like... sending the data requested encrypted over the wire and decrypt it at the client locally, or something like that.

That's exactly what SSL is designed to do.

Darin Dimitrov
  • Well, I was told that SSL isn't secure ENOUGH... Is there any other way to make it even more secure? I am busted if any data is leaked =) – Kevin Suppan Dec 28 '11 at 13:06
  • @HaraldJoerg, WOW, dunno by whom you were told this, but if this is the case we might all consider stopping online banking, as all banks use it. And, you know, banks deal with money, so they have an interest in having secure websites. – Darin Dimitrov Dec 28 '11 at 13:06
  • What he was told probably referred to adding some login screen and making sure his site is not vulnerable to SQL injection attacks and the like. – Mike Nakis Dec 28 '11 at 13:07
  • @MikeNakis, well, we cannot know what he was told. We cannot read other people's minds. At least I can't. – Darin Dimitrov Dec 28 '11 at 13:08
  • Well, maybe he was referring to this: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ – Giedrius Dec 28 '11 at 13:17
  • MikeNakis: yeah, SQL injections are one of the things I want to avoid. I am quite new to web applications since I only made desktop applications or small webpages before. Thanks! Giedrius: Nice. – Kevin Suppan Dec 28 '11 at 15:47
2

You might want to read about XSS (cross site scripting) and SQL Injection. SSL is secure enough to transport your data so that it won't be able to be read if intercepted, but it doesn't mean that your site can't be hacked.

What makes an input vulnerable to XSS?

What is SQL injection?

MattW
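The two lookups below are an added example, not code from this answer or from the asker's application; they show the SQL injection this answer points at, in the C# data-access code an ASP.NET MVC 3 app would contain. The `Records` table, its `Name` and `Notes` columns, the `RecordRepository` class and the connection string are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Assumed for illustration: a "Records" table with columns Name and Notes.
public class RecordRepository
{
    private readonly string _connectionString;

    public RecordRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the user-supplied name is concatenated into the SQL text.
    // HTTPS protects nothing here: the request arrives intact, and a single
    // quote in the input closes the literal so whatever follows runs as SQL.
    public IList<string> FindNotesUnsafe(string name)
    {
        string sql = "SELECT Notes FROM Records WHERE Name = '" + name + "'";
        return Execute(sql, null);
    }

    // FIXED: the value travels as a typed parameter, never as part of the
    // statement text, so it cannot change the structure of the query.
    public IList<string> FindNotes(string name)
    {
        const string sql = "SELECT Notes FROM Records WHERE Name = @name";
        return Execute(sql, new SqlParameter("@name", (object)name ?? DBNull.Value));
    }

    private IList<string> Execute(string sql, SqlParameter parameter)
    {
        var results = new List<string>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            if (parameter != null)
                command.Parameters.Add(parameter);
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

For the XSS half of the same answer, MVC 3's Razor `@` syntax HTML-encodes output by default; the risk returns wherever `Html.Raw` is used to emit user-controlled text.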
-1

If SSL on its own isn't 'good' enough, how about looking at Client Certificates as well?

K. Bob