18.1. Web Application Security Threats Overview
The focus throughout the previous chapters was how to best use and implement the different security features provided by ASP.NET 3.5, with its core based on .NET 2.0, and Internet Information Services 7.0. The major topics were as follows:
How ASP.NET can have control on a request from its early entrance into IIS 7.0 new integrated mode
How to best use the Code Access Security modes to give or deny permissions from an executing application
How to protect sensitive sections of a web.config configuration file, how to use Forms and Windows Authentication modules to authenticate users accessing your application
How to use URL authorization modules in ASP.NET and IIS to authorize users and make sure they can access resources that have permissions on them
Many other important security features to implement and follow to build a more secure web application.
The discussion has always been on how to use the out-of-the box security features in ASP.NET and IIS 7.0 for a more secure and robust application. However, there are security threats and attacks that have no direct corresponding modules to use in ASP.NET to protect against them. It is the role of the developer to protect against the many threats using the ASP.NET 3.5 and .NET 3.5 Framework.
For instance, most of the important threats that an application might face is the improper input validation. Developers, who depend only on the client-side input validation through the use of ASP.NET ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.