When building a new application, be it Windows Form or ASP.NET, security is an important
factor to consider from the very beginning. There are hundreds of books and thousands
of websites helping you to secure your application, but they all seem to share one
annoying thing; they make security solutions too complex. Security is a complex issue
to address and that usually requires complex solutions so what is the problem?
The problem
In the myriads of applications out there, only a very small percentage of those are
built with security in mind. The rest of them are pretty much open for any hacker
to break. That’s an overstatement, but it illustrates the point. Because we have learned
through books and articles that security is complex and difficult, we rarely give
it the time it deserves.
Another big problem is that security is one of the most boring things to do as a developer, because it does not add any features or functionality to the system and it is very
hard to measure the value of. Both in terms of money spend on the effort and on the
likelihood of ever being attacked.
Right, that narrows the problem down into two things. It is complex and boring. Not
a developer’s favorite cocktail. Of course, we cannot just leave it at that without
doing some level of security even though we basically, as developers, don’t really
want to.
The solution
Let’s break the problem down into the two main issues starting with the complexity.
The obvious solution to complex problems is to simplify it. It is rarely as simple
as it sounds but it is absolutely possible. What I mean is, that complexity is typically
found in the last 20% of the problem, but that should not stop us from doing the first
80%. More on that later.
Security is boring so we have to find a way to make it more interesting. Again, let’s
see how much of the boring parts of security implementation can be eliminated. Don’t
cut back on social security number encryption or something like that.
Alright, now security is simple and interesting, but at what cost? That depends on
two things – the type of project and the level of security you are planning on implementing.
If you’re building an e-commerce site or banking software, you don’t want to cut back
on security at any cost, but for the simple standard website the cost is free because
you probably haven’t done much security planning and therefore doesn’t need to make
cuts in the first place.
Something is more
The saying “less is more” doesn’t really apply for security, but neither does “more
is more”. You usually want the right level of security at the right price – no more
and no less. We can come much closer to that now after we’ve made security simple
and interesting. If you haven’t thought about implementing any level of security, you should at least do something. Not the whole nine yards, not the first 80%, just
do something. Something is more than nothing and nothing can become a dangerous affair.
Keep it simple and keep it interesting, otherwise you won’t get anything done at all.
Even the smallest things count and they are free to do because they hardly take any
time to implement.
The bottom line is that security is a very important thing and we cannot afford to
ignore it. If you find it boring and complex then just do something that can be of
interest to you and keep it simple to begin with. Its probably all you need for your
application anyway.
Simple .NET security tricks
Validate
strong passwords in C# and ASP.NET
Simple
and efficient password encryption in .NET
Securing
ViewState efficiently and simple
Generate
random password in C#
Remove
HTML tags from a string
If you have written or know about a good article on simple security implementation, let me know and I'll add it to the list.
* Only $4.95/month ASP.NET & Windows 2008 + IIS 7 Hosting! FREE SQL Included