Always a worry...when your applications undergo external security review... (English)

Wednesday, 06 September 2006

posted on Tuesday, June 15, 2004 9:12 AM

One of the applications I wrote a while ago is currently undergoing a security / privacy audit...god I hate this stuff. Problem is that even with the best intentions, unless you spend time specifically designing and developing your application from scratch to be secure, it just won't be. So, tip for the day: go through your application and, anywhere you have an external input (for instance, where a user enters text), ask whether you check the string length and whether you filter out HTML or HTML-encode the output (obviously if you have RequestValidation enabled this bit won't be an issue). What are your password policies like? Do you enforce length and strength criteria? Do you store the password in plain text in your DB? Anyway, just food for thought (oh, and don't get me started on web.config and Code Access Security policies :-))
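The checks listed above, sketched in C# as an added example (not code from the audited application): a length check on input, HTML encoding at output, a password policy, and salted PBKDF2 storage in place of plain text. The class and method names, the limits and the iteration count are assumptions, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;

// Added example: names, limits and work factor are assumptions.
public static class InputChecks
{
    const int MaxLength = 500, MinPasswordLength = 12;  // assumed limits
    const int Iterations = 600_000, HashBytes = 32;     // assumed PBKDF2 settings

    // Reject missing or over-long input before it is stored or processed.
    public static bool LengthOk(string s) => s != null && s.Length <= MaxLength;

    // Encode at output time so submitted markup renders as inert text.
    public static string ForHtml(string s) => WebUtility.HtmlEncode(s);

    // Length plus at least three of: lower, upper, digit, symbol.
    public static bool MeetsPolicy(string pw)
    {
        if (pw == null || pw.Length < MinPasswordLength) return false;
        bool[] classes = { pw.Any(char.IsLower), pw.Any(char.IsUpper),
                           pw.Any(char.IsDigit), pw.Any(c => !char.IsLetterOrDigit(c)) };
        return classes.Count(b => b) >= 3;
    }

    // Store "salt:hash" in Base64, never the password itself.
    public static string HashPassword(string pw)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(pw, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Recompute with the stored salt and compare in constant time.
    public static bool Verify(string pw, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        if (expected.Length != HashBytes) return false;  // refuse truncated or empty records
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(pw, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string pw = "Constructed-Sample-1";  // constructed input
        Console.WriteLine(ForHtml("<b>constructed</b>"));
        Console.WriteLine(LengthOk(pw) && MeetsPolicy(pw) && Verify(pw, HashPassword(pw)));
    }
}
```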

© 2025 Scott Galloway — Unlicense — All content and source code on this site is free to use, copy, modify, and sell.