An extremely secure ASP.NET application is having to be written at my work and instead of trawling through the Internet looking for best practices I was wondering as to what considerations and generally what things should be done to ensure a public web application is safe.
Of course we’ve taken into consideration user/pass combinations but there needs to be a much deeper level than this. I’m talking about every single level and layer of the application i.e.
- Using URL rewrites
- Masterpages
- SiteMaps
- Connection pooling
- Session data
- Encoding passwords.
- Using stored procedures instead of direct SQL statements
I’m making this a community wiki as there wouldn’t be one sole answer which is correct as it’s such a vast topic of discussion. I will point out also that this is not my forte by any means and previous security lockdown has been reached via non-public applications.
That’s a bigger toppic than I think you perhaps realise. The best advice is to get someone that already knows who can advise you. Failing that I would start by reading the Microsoft document ‘Improving Web Application Security: Threats and Countermeasures‘ but be warned that runs to 919 printed pages.