1

I am creating an ASP.NET MVC 3 web application which is used for looking up very private data at home. The data is stored in a database on the server on which the IIS server is running. Since I have finished most parts of the actual programming, I want to make the application as secure as possible. I am already using HTTPS, but I guess this won't be enough. What I'm looking for is something like... sending the requested data encrypted over the wire and decrypting it locally at the client, or something like that.

Any ideas, anyone?

1
  • 4
    Web application security is a massive field. No single thing, or simple combination of things, is going to "make you secure". Do a lot of research and ensure that principles and processes are carefully followed. One good place to start, regarding your own source code, is the OWASP Top Ten: owasp.org/index.php/Category:OWASP_Top_Ten_Project Commented Dec 28, 2011 at 14:29

4 Answers

6

The best resource I've found about web security with ASP.NET is the below, written by Troy Hunt:

OWASP TOP 10 for .NET developers

Absolutely priceless!

He even made an ebook out of it that you can download as a pdf:

ebook


3

What I'm looking for is something like... sending the requested data encrypted over the wire and decrypting it locally at the client, or something like that.

That's exactly what SSL is designed to do.

6 Comments

Well, I was told that SSL isn't secure ENOUGH... Is there any other way to make it even more secure? I am busted if any data is leaked =)
@HaraldJoerg, WOW, dunno who told you this, but if this is the case we might all consider stopping online banking, as all banks use it. And, you know, banks deal with money, so they have an interest in having secure websites.
What he was told probably referred to adding some login screen and making sure his site is not vulnerable to SQL injection attacks and the like.
@MikeNakis, well, we cannot know what he was told. We cannot read other people's minds. At least I can't.
Well, maybe he was referring to this: theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl
2

You might want to read about XSS (cross-site scripting) and SQL injection. SSL is secure enough to transport your data so that it can't be read if intercepted, but that doesn't mean that your site can't be hacked.

What makes an input vulnerable to XSS?

What is SQL injection?


-1

If SSL on its own isn't 'good' enough, how about looking at client certificates as well?
