How to Secure Your ASP.NET Web Application?
Website security is not just about attackers hacking the site and stealing sensitive data, and it is not limited to development alone. A secure application always involves several layers of security: the framework, the web server, the configuration and so on.
Developing an application with ASP.NET is becoming easier as the technology and its environment mature. Today the framework takes care of many of the complexities, allowing developers to focus on the business value of the application rather than on technical details.
But one thing is certain: unless developers make security one of their prime focuses early in the development cycle, the project manager may simply end up with an application that cannot go live without compromising on security.
Implementing security is the first step in ASP.NET website development. Fixing a software defect after launch can cost up to 15 times more than fixing it during the development phase.
Though securing an application can be a complex task, it has to be done on a continuous basis. The .NET Framework offers reliable features that make securing your web application easier.
ASP.NET supports various authentication methods, and forms authentication is the one most commonly used in web applications. On its own, however, this approach is not secure, because it sends the user's credentials to the server in clear text.
You might plan to use SSL on the whole site, or at least on the login page, but this may be impractical for some commercial web applications. Using Silverlight on any sensitive page can help encrypt the data that is submitted. This can be further enhanced with the following:
- 1- Password policy: enforce a password policy that requires strong passwords, expires them periodically and automatically locks user accounts after a few unsuccessful login attempts.
- 2- Password hashing: if you manage your own authentication store, don't forget to hash all user passwords.
Data Validation and Page Authorization:
Many small business applications are built as a series of isolated web pages. Designing each page to handle its own functionality and security may work well for a small application, but it does not hold up for a larger web application.
Developing a common framework that is used by all of the application's ASP.NET pages helps maintain security in a consistent manner. The framework should be designed to apply data validation security checkpoints on every user request.
This allows the application to streamline and tighten its security throughout. The framework should be developed as an isolated component and should provide the following functionality:
- 1- Authentication: check that the user is a valid user
- 2- Authorization: ensure that the user has the right to perform the current database operation
- 3- Parameter validation: validate all parameters supplied by the user for length, range, type and so on
- 4- User data: send back only the data that the user is entitled to view
- 5- Database queries: avoid dynamic SQL queries and use parameters only.
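The following is an added example, not code from the original article, showing how one checkpoint method in such a framework component can apply all five checks before the database is touched. The Orders table, its columns, the "Customer" role and the connection string are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example (not from the article): one checkpoint method that applies the
// five checks listed above before the database is touched. The Orders table,
// its columns and the "Customer" role are assumptions made for illustration.
public static class OrderCheckpoint
{
    // Returns the order total, or throws if any checkpoint fails.
    public static decimal GetOrderTotal(string connectionString, IPrincipal user, string rawOrderId)
    {
        // 1. Authentication: the caller must be a signed-in user.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Authentication required.");

        // 2. Authorization: the caller must hold a role permitted to read orders.
        if (!user.IsInRole("Customer"))
            throw new UnauthorizedAccessException("Caller may not read orders.");

        // 3. Parameter validation: check type and range before the value goes anywhere near SQL.
        int orderId;
        if (!int.TryParse(rawOrderId, out orderId) || orderId <= 0)
            throw new ArgumentException("Order id must be a positive integer.");

        // 4 + 5. Parameterized query (never "... WHERE OrderId = " + rawOrderId) that also
        // filters by the caller's own identity, so only data the user is entitled to see comes back.
        const string sql =
            "SELECT Total FROM Orders WHERE OrderId = @OrderId AND OwnerName = @Owner";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@Owner", SqlDbType.NVarChar, 256).Value = user.Identity.Name;

            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                throw new UnauthorizedAccessException("Order not found or not owned by the caller.");
            return (decimal)result;
        }
    }
}
```

Because every page calls the same method, a change to the role check or the validation rules is made once and applies to every request.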
“Though security issues are often neglected, their importance should never be underestimated. A simple website attack may cost you money, time and potentially your reputation.”