# Always a worry...when your applications undergo external security review...

<datetime class="hidden">2006-09-06T00:00</datetime>


posted on Tuesday, June 15, 2004 9:12 AM

One of the applications I wrote a while ago is currently undergoing a security / privacy audit...god I hate this stuff. Problem is that even with the best intentions, unless you spend time specifically designing and developing your application from scratch to be secure, it just won't be. So, tip for the day: go through your application and, anywhere you have an external input (for instance, a user entering text), ask yourself: do you check for string length? Do you filter out HTML / HTML-encode the output (obviously if you have RequestValidation enabled this bit won't be an issue)? What are your password policies like: do you enforce [length and strength criteria](http://www.thecodeproject.com/csharp/PasswordDialog.asp)? Do you store the password in plain text in your DB?
Anyway, just food for thought (oh, and don't get me started on web.config and Code Access Security policies :-))
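
The checks listed above (input length, HTML-encoding on output, password length and strength, no plain-text password storage), sketched in C# as an added example that is not the author's code. It assumes .NET 6 or later; the class name, the limits and the iteration count are illustrative assumptions.

```csharp
// Added example, not the author's code. Assumes .NET 6 or later; limits are illustrative.
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;

public static class InputChecks
{
    const int MaxCommentLength = 500, MinPasswordLength = 12, Iterations = 600_000;

    // Reject empty or oversized input before it is stored or processed further.
    public static bool IsAcceptableComment(string input) =>
        !string.IsNullOrWhiteSpace(input) && input.Length <= MaxCommentLength;
    // Encode at the point of output so stored markup renders as text.
    public static string ForHtml(string stored) => WebUtility.HtmlEncode(stored);

    // Policy: minimum length plus at least three of four character classes.
    public static bool MeetsPasswordPolicy(string pw)
    {
        if (pw == null || pw.Length < MinPasswordLength) return false;
        bool[] classes = { pw.Any(char.IsLower), pw.Any(char.IsUpper),
                           pw.Any(char.IsDigit), pw.Any(c => !char.IsLetterOrDigit(c)) };
        return classes.Count(present => present) >= 3;
    }
    // Store "iterations.salt.hash" (salted PBKDF2-SHA256), never the password itself.
    public static string HashPassword(string pw)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(pw, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }
    // Recompute with the stored salt and compare in constant time.
    public static bool VerifyPassword(string pw, string stored)
    {
        string[] p = stored.Split('.');
        if (p.Length != 3 || !int.TryParse(p[0], out int iters) || iters <= 0) return false;
        byte[] expected = Convert.FromBase64String(p[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(pw, Convert.FromBase64String(p[1]), iters,
                                                  HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string comment = "<script>alert(1)</script>";       // constructed sample input
        string record = HashPassword("Correct-Horse-42");   // constructed sample password
        bool ok = VerifyPassword("Correct-Horse-42", record), bad = VerifyPassword("guess", record);
        Console.WriteLine($"{IsAcceptableComment(comment)} {ForHtml(comment)} {ok} {bad}");
    }
}
```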