开发者

Is there a definitive or idiots guide to implementing strong web security using ASP.Net MVC 2/SQL 2008?

开发者 https://www.devze.com 2023-01-16 06:00 出处:网络
I\'m about to begin building an e-commerce website using c#, ASP.Net MVC 2, IIS7 and SQL 2008.The site will allow users to login, make purchases, and manage their orders.Obviously, there\'s a need for

I'm about to begin building an e-commerce website using c#, ASP.Net MVC 2, IIS7 and SQL 2008. The site will allow users to login, make purchases, and manage their orders. Obviously, there's a need for strong security here. I've been searching around on SO and Google for a single definitive guide that covers enough on security to allow me to...

  1. learn where security needs to be a consideration and...
  2. how to implement it properly on the Windows stack.

This will be my first e-commerce site that I'm building from scratch. Is there a definitive or idiots guide to implementing strong web sec开发者_运维问答urity for all aspects of an e-commerce site using ASP.Net MVC 2/SQL 2008?

Thanks so much in advance for all your help!


"Definitive" and "idiots guide" seem a little mutually exclusive, but here's a few I've seen before that deal with general ASP.NET security and some specifically for MVC:

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (Microsoft, MSDN)

Developer Highway Code (Security - MSDN - Microsoft UK)

Improving Web Application Security: Threats and Countermeasures (Microsoft, MSDN)

The HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman (Microsoft Video)

There's also some tutorials on http://www.asp.net/mvc/security about preventing javascript attacks. Basically this boils down to always HTML encoding any output.

As for SQL 2008, normal best practice would be to use Windows Authentication and only grant read/write access to the tables you have to.


Start with OWASP.

OWASP is the authority on Web Application Security. Their list of top ten vulnerabilities is the bible for web security.

Try here for OWASP overview: http://www.owasp.org

And here for the OWASP top ten: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The latter link shows how to protect against these threats including .Net code.


Please see the MVC Security page on ASP.net.

They have a few good videos and their sample applications have been helpful to me.

0

精彩评论

暂无评论...
验证码 换一张
取 消