Sunday, October 12, 2008

Application Security : The Very Least

When developing applications, security measurements should be thought of upfront. Security is even a greater issue when the application exposes an online data source, transfers sensitive data across the wire, etc. But what happens when a careless developer hard-codes significant security information into the application code, without even obfuscating the application? Well, you WILL get hacked sooner or later. Your system will be misused without you even knowing it, and let's hope you have a backup strategy, because there is a change that your whole database will be erased by malign hacker. Don't you agree?

Analysed App
Connection string is hard-coded into the application code.

Here's what I think you should consider when building application that works over the Internet :

  • Never hard-code any username / password into the application
  • Never store passwords in configuration files.
  • Never connect directly to your database, use a service layer instead. Limit the physical / logical access to your database machine only to the server running the service layer.
  • At least obfuscate the assemblies that contain security related code.
  • Always store encrypted passwords in your database. That goes for application users' password as well. Apply salt to all passwords.
  • Consider using two separate databases for your web site and application.
  • Consider using an ORM for your data access. At the very least use Stored Procedures or parameterized queries if you're directly using ADO.NET.
  • Always use a logging mechanism. Log actions performed by power users. Log unsuccessful login attempts.

Password Validation
Password are stored as clear text. Power-User Validation is hard-coded into the code.

Honestly, the list is so long that I had to limit it to the VERY BASIC rules only, like things you think everyone knows, but as it turned out there are people out there that do not. Even if you do all the above there's a good chance that you still get attacked, but these are the VERY LEAST rules that you should always follow.

Note : Pictures are taken from a real application! Sensitive information are erased to protect the innocent(!).

Submit this story to DotNetKicks Shout it