I'm aware this is a fairly controversial viewpoint, so I should explain some of my own background as a precursor to my dislike of this. In the bad old days, I was a penetration tester; I ran my own little company which provided this service to a number of customers. My job was essentially to crack / in other ways break web sites and 'other' networks. In my time as a pen tester, one of the most annoying things was flaws which could affect a huge number of sites / installations at the same time. Classics were Cisco password flaws, Perl and PHP security flaws and, worst of all, backdoors in Web Applications.
So, as time has progressed and I moved more into actually writing applications rather than breaking them, I've always been aware that application security systems should not be inherently trusted. While less likely to be flawed than some ad-hoc implementation, that flaw can be potentially more serious since it is almost certain to become widely known and exploited within a very short space of time.
That's part of the problem I have with ValidateRequest: it provides a crutch, a shortcut for the lazy developer. OK, it is useful, it blocks any incoming 'html' like request information - and will therefore block many XSS (Cross Site Scripting) attacks which can be pretty serious. Problem is, flaws have already been found in this and the patch is not obvious / easy to find (had you heard of it before?) - so now there's an issue which will affect ALL ASP.NET 1.1 sites which rely on this feature to protect them from XSS attacks. Even worse, how many sites do you think will take additional precautions over and above this to protect their input - do you know if it protects you from SQL Injection attacks, Buffer Overflow attacks and various others (including such gems as simple backdoors, Cookie Hijacking and the like)?
My point is, in my view, responsibility for application security should lie with the developer - they should understand and plan for the consequences of choices they make in application design. Read a book like Michael Howard's Writing Secure Code [US] - get to know where the vulnerabilities in your application may lie and compensate for them. In short, don't rely on things like ValidateRequest as your only line of defence - use it by all means, it will stop many things getting through which you may not want - but learn what it actually does and what it doesn't.
For instance, what will you do when you only want certain tags to get through and not others? You may need to look at something like this (I wrote this a while ago - I'm not claiming it's entirely or even partially foolproof - just proof of a concept).
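
One way to let only certain tags through, as an added example (not the code linked above and not the author's): HTML-encode the whole input first, then restore only an exact allowlist of attribute-free tags. The class name, the tag list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class AllowlistHtml
{
    // Assumed allowlist: a handful of formatting tags, with no attributes at all.
    // The pattern runs against *encoded* text, so it only ever sees &lt;tag&gt;.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(b|i|em|strong|u)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralise everything. <, >, &, " and ' all become entities.
        string encoded = WebUtility.HtmlEncode(input);

        // Step 2: restore only exact matches such as &lt;b&gt; or &lt;/em&gt;.
        // Anything carrying attributes (<b onclick=...>) or an unlisted name
        // (<script>, <img>) does not match and stays as inert text.
        return AllowedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from any real request.
        string[] samples =
        {
            "Hello <b>world</b>",
            "<B onclick=\"alert(1)\">click</B>",
            "<script>alert(1)</script><i>ok</i>",
            "literal &lt;b&gt; typed by the user",
        };

        foreach (string s in samples)
            Console.WriteLine("{0}\n  -> {1}", s, Sanitize(s));
    }
}
```

The filter does not balance tags, so an unclosed `<b>` still affects the markup after it. Input containing tags only reaches code like this on pages where request validation is turned off.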
Anyway, views always welcome - how much application security should you delegate to the framework - has anyone else come up with their own little 'security' toys which they use to validate user input?
UPDATE: Forgot to mention, if you're still on IIS 5.0 be sure to check out IISLockdown - you MUST have this installed, it will help you avoid a huge number of security holes, known / future... If you have IIS 6.0, it's already there, but be sure to check out this to avoid any development problems...
© 2025 Scott Galloway — Unlicense — All content and source code on this site is free to use, copy, modify, and sell.