Ensure that sensitive information in applications is protected

I really don’t know what to think about this one. Microsoft gives the following guidelines: hash and salt passwords, and encrypt information. The topic is a bit broad, but let’s look at it. If you don’t find my post detailed enough, feel free to refer to this Patterns & practices article on MSDN.

Our first issue is the connection to a database. The main recommendation is: whenever it’s possible, use Windows Authentication. This has many benefits, including that you don’t need to store authentication information in your application, you don’t need to send this authentication info across the network, etc.

When you cannot use Windows Authentication (that is, when you use SQL Authentication), make sure you connect as the least privileged user possible (and not sa), with a strong password. When authentication information is sent over the network, always use an SSL connection. There are also cases when the whole message must be transmitted over SSL (for example, in an online banking application). When you need to store connection strings in a .config file, choose machine.config. It lives in a system directory, so it is more heavily protected. Don’t forget to configure strict ACLs for it.

OK, SQL connection set up, what if we’d like to authenticate a user against a database store? You should follow these guidelines:

  • Store one-way password hashes instead of the password itself
  • Avoid SQL injection when validating users
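
The two guidelines above combined into one login check. This is an added example, not code from the original post or from the MSDN guidance. The `PasswordStore` class, the `Users` table with its column names and sizes, and the PBKDF2 parameters are assumptions chosen for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000; // assumed parameters

    // A fresh random salt per user, so equal passwords produce different hashes.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    // Salted one-way hash (PBKDF2); store the salt and this value, never the password.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte without an early exit, so timing does not reveal the match length.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Hypothetical table: Users(UserName nvarchar(64), Salt varbinary(16), PwdHash varbinary(32)).
    public static bool Validate(SqlConnection conn, string userName, string password)
    {
        // userName is sent as a typed parameter and is never concatenated into the SQL text.
        using (var cmd = new SqlCommand("SELECT Salt, PwdHash FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // no row for this user name
                return FixedTimeEquals(Hash(password, (byte[])reader["Salt"]), (byte[])reader["PwdHash"]);
            }
        }
    }
}
```

At registration, call `NewSalt()` and `Hash()` and insert both values with a parameterized `INSERT` in the same way.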

Sensitive data storage is another issue. In general, data is in the greatest danger when it is transmitted over insecure media, or when it’s persisted (stored in a database). In both cases, you should encrypt it. The System.Security.SecureString class is also helpful. This class extends the functionality of the string class by encrypting its contents by default, lets you mark it as read-only, and, even better, lets you destroy it, so it no longer lingers in memory waiting to be collected.

There are many more things to learn here, but this post is only intended as a starting point. Check out the links below and start learning!

Further Readings

Building Secure ASP.NET Applications
