Ensure that sensitive information in applications is protected
I really don’t know what to think about this one. Microsoft gives the following guidelines: hash and salt passwords, and encrypt sensitive information. The topic is a bit broad, but let’s look at it. If you don’t find my post detailed enough, feel free to refer to this Patterns & Practices article on MSDN.
Our first issue is the connection to a database. The main recommendation is: whenever possible, use Windows Authentication. This has many benefits, including that you don’t need to store authentication information in your application, and you don’t need to send that information across the network.
When you cannot use Windows Authentication (that is, when you use SQL Authentication), make sure you use the least-privileged login possible (and not sa), with a strong password. When authentication information is sent over the network, always use an SSL connection. There are also cases when every message must be transmitted over SSL (for example, in an online banking application). When you need to store connection strings in a .config file, choose machine.config. It lives in a system directory and is therefore more strongly protected. Don’t forget to configure restrictive ACLs for it.
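The two connection-string variants described above, as an added example that is not part of the original post. It uses System.Data.SqlClient to build a Windows Authentication string and, for the fallback case, a SQL Authentication string with a dedicated low-privilege login, and includes a small review helper that flags the weak settings the text warns against (sa login, no encryption, unchecked server certificate). The server, database and login names are placeholders.

```csharp
// Added example (not from the original post): building a least-privilege, encrypted
// SQL Server connection string and checking an existing one for weak settings.
// "dbhost", "Shop" and "AppReader" are placeholder names.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringHardening
{
    // Preferred: Windows Authentication. Nothing secret is stored in the string,
    // and the whole session is encrypted, not just the login exchange.
    public static string BuildWindowsAuth(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,
            Encrypt = true,                 // TLS for all traffic
            TrustServerCertificate = false  // validate the server certificate
        };
        return b.ConnectionString;
    }

    // Fallback when SQL Authentication is unavoidable: a dedicated low-privilege login.
    public static string BuildSqlAuth(string server, string database, string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            Encrypt = true,
            TrustServerCertificate = false
        };
        return b.ConnectionString;
    }

    // Review helper: returns the weaknesses found in a connection string (empty = none).
    public static string[] FindWeaknesses(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        var problems = new List<string>();
        if (!b.IntegratedSecurity)
        {
            if (string.Equals(b.UserID, "sa", StringComparison.OrdinalIgnoreCase))
                problems.Add("uses the sa login instead of a least-privilege account");
            if (b.Password.Length < 12)
                problems.Add("password shorter than 12 characters");
        }
        if (!b.Encrypt)
            problems.Add("Encrypt=False: credentials and data cross the network in clear text");
        if (b.TrustServerCertificate)
            problems.Add("TrustServerCertificate=True: server certificate is not validated");
        return problems.ToArray();
    }

    static void Main()
    {
        // Constructed sample: a weak string beside the hardened one.
        string weak = "Server=dbhost;Database=Shop;User ID=sa;Password=pass;Encrypt=False";
        string strong = BuildWindowsAuth("dbhost", "Shop");
        string fallback = BuildSqlAuth("dbhost", "Shop", "AppReader", "<strong password from a secret store>");

        Console.WriteLine("Weak:     " + string.Join("; ", FindWeaknesses(weak)));
        Console.WriteLine("Strong:   " + (FindWeaknesses(strong).Length == 0 ? "no issues" : "issues"));
        Console.WriteLine("Fallback: " + (FindWeaknesses(fallback).Length == 0 ? "no issues" : "issues"));
    }
}
```

In a real application the string itself would come from ConfigurationManager.ConnectionStrings rather than a literal, so that the secret, if any, stays in the protected config file the post recommends; FindWeaknesses can then be run over each entry at startup or in a unit test.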
OK, the SQL connection is set up; what if we’d like to authenticate a user against a database store? You should follow these guidelines:
- Store one-way password hashes instead of the password itself
- Avoid SQL injection when validating users
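Both guidelines in one piece of code, as an added example that is not from the original post. The hash is derived with PBKDF2 (Rfc2898DeriveBytes) over a random per-user salt, which satisfies "one-way hash" and also makes offline guessing of a leaked table slow; the lookup passes the user name as a SqlParameter instead of concatenating it into the SQL text. A table named Users with columns UserName, PasswordHash, Salt and Iterations is assumed (placeholder schema).

```csharp
// Added example (not from the original post): salted one-way password hashes and an
// injection-safe login check. Table "Users" (UserName, PasswordHash, Salt, Iterations)
// is a placeholder schema.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class PasswordStore
{
    const int SaltSize = 16;        // bytes of random salt per user
    const int HashSize = 32;        // bytes of derived key stored
    const int Iterations = 100000;  // PBKDF2 work factor; store it so it can be raised later

    // Creates a fresh random salt and derives the hash with PBKDF2.
    public static void CreateHash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashSize);
    }

    // Recomputes the hash and compares without an early exit, so timing does not
    // reveal how many leading bytes matched.
    public static bool Verify(string password, byte[] salt, byte[] expected, int iterations)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // Injection-safe lookup: the user name travels as a parameter, never as SQL text.
    // NOT this: "SELECT ... WHERE UserName = '" + userName + "'"
    public static bool ValidateUser(string connectionString, string userName, string password)
    {
        const string sql = "SELECT PasswordHash, Salt, Iterations FROM Users WHERE UserName = @u";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read())
                    return false;                      // unknown user
                var hash = (byte[])r["PasswordHash"];
                var salt = (byte[])r["Salt"];
                var iters = (int)r["Iterations"];
                return Verify(password, salt, hash, iters);
            }
        }
    }

    static void Main()
    {
        // Constructed sample: hash a password, then verify a right and a wrong guess.
        byte[] salt, hash;
        CreateHash("correct horse battery staple", out salt, out hash);
        Console.WriteLine(Verify("correct horse battery staple", salt, hash, Iterations));
        Console.WriteLine(Verify("wrong password", salt, hash, Iterations));
    }
}
```

Storing the iteration count next to the hash lets you raise the work factor for new accounts without invalidating old ones; Verify simply uses whatever count the row carries.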
Sensitive data storage is another issue. In general, data is in the greatest danger when it is transmitted over insecure media, or when it is persisted (stored in a database). In both cases, you should encrypt it. The System.Security.SecureString class is also helpful here. It provides a string-like type whose contents are encrypted in memory by default; it lets you mark the value read-only, and, even better, lets you destroy it, so it no longer lingers in memory waiting to be collected.
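The SecureString workflow described above, as an added example that is not from the original post: the secret is appended one character at a time (so the whole value never exists as a managed System.String), marked read-only, unwrapped into an unmanaged buffer only for the moment it is needed, then zeroed, freed and disposed. The expected value "hunter2" is a constructed placeholder standing in for whatever API would actually consume the buffer.

```csharp
// Added example (not from the original post): reading a password into a SecureString,
// making it read-only, using it through a zeroed unmanaged buffer, and disposing it.
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Builds the SecureString one character at a time; the full secret never
    // exists as an immutable managed string waiting for the garbage collector.
    public static SecureString ReadSecret()
    {
        var secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0)
                    secret.RemoveAt(secret.Length - 1);
            }
            else
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        secret.MakeReadOnly();   // further AppendChar/RemoveAt calls now throw
        return secret;
    }

    // Hands the secret to a consumer as an unmanaged UTF-16 buffer and wipes that
    // copy afterwards. Converting back to System.String would defeat the purpose.
    public static T UseSecret<T>(SecureString secret, Func<IntPtr, int, T> consumer)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return consumer(ptr, secret.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr);  // zero the copy, then free it
        }
    }

    // Constructed check: compares the buffer to a placeholder value without an early
    // exit. A real application would pass the IntPtr to an API that accepts it.
    public static bool MatchesPlaceholder(IntPtr p, int len)
    {
        const string expected = "hunter2";   // placeholder only
        int diff = len ^ expected.Length;
        for (int i = 0; i < len && i < expected.Length; i++)
            diff |= Marshal.ReadInt16(p, i * 2) ^ expected[i];
        return diff == 0;
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString pwd = ReadSecret())   // Dispose() clears the protected buffer
        {
            Console.WriteLine();
            bool ok = UseSecret(pwd, MatchesPlaceholder);
            Console.WriteLine(ok ? "matches" : "does not match");
        }
    }
}
```

The important habits are the two clean-up calls: ZeroFreeGlobalAllocUnicode for the temporary unmanaged copy, and Dispose (here via using) for the SecureString itself. Without them the value would linger exactly as a plain string does.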
There are many more things to learn here, but this post is only intended as a starting point. Check out the links below and start learning!
I'm a software developer specializing in the .NET platform and iOS development. Here you can find my notes for Microsoft certifications.