Online security is becoming a big issue and one of the fastest growing industries in the world. Believe it or not, most hack jobs are done internally by employees of the company; many companies never admit being hacked, or they simply don't know. We sometimes learn about these events years after they happen.

If you are an Internet Engineer, here are some tips:
1. Create all your passwords using a strong password generator.

2. Have 2 sets of passwords for the ASP.NET login into SQL Server: 1 for test/development and 1 for production. If someone internally hacks your system, they won't be able to harm production.

3. Use different passwords for different systems. If you have a test server, a production web server, and a production SQL Server, you should have 3 different passwords.

4. SQL Server logins don't change very often. Write them down offline in a book, or don't write them down at all; sometimes it is easier to replace them than to retrieve them. If you keep them in a book, make sure the book is kept under lock. If you keep your passwords in an Excel file, encrypt the Excel file using Excel's own built-in encryption.

5. Passwords for a Visual Studio Web Site should be stored outside the solution. Use the registry, the file system, or a combination of both. This forces the hacker to get through another layer before they can retrieve the value.

6. Always encrypt the login string, including the target server:
connectionString="Server=TheServer; Database=MyDB; User Id=MyUser; Password=Passw0rd"
As the page executes, the string is decrypted on the fly. This forces the hacker to know the decryption algorithm before they can do any harm, even if they can read the registry.

7. Pages log in to SQL Server using the credentials of an existing SQL Server login. That login needs the least amount of privilege in the database: start it with only the "public" role and then assign permissions per table and per stored procedure. Never use the same login for multiple databases; use one login per database.

8. Some tables will only require read access, for example the lookup table behind a state drop-down on a registration form.
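Tips 7 and 8 in T-SQL, as an added example that is not part of the original post. The database, login, user, table and procedure names (WebAppDB, webapp_login, webapp_user, dbo.States, dbo.usp_RegisterUser) are assumed placeholders; the password is a placeholder to be replaced with a generated one.

```sql
-- Added example: a least-privilege SQL Server login for one web application
-- and one database. All object names are assumed placeholders.
USE master;
GO
CREATE LOGIN webapp_login
    WITH PASSWORD = 'REPLACE-WITH-GENERATED-PASSWORD', CHECK_POLICY = ON;
GO

USE WebAppDB;
GO
-- The database user starts with nothing but the "public" role:
-- no table or procedure rights until they are granted explicitly.
CREATE USER webapp_user FOR LOGIN webapp_login;
GO

-- Tip 8: the state drop-down lookup table needs read access only.
GRANT SELECT ON OBJECT::dbo.States TO webapp_user;

-- Writes go through a stored procedure. The user may execute it but has
-- no direct rights on the table it writes to; ownership chaining lets the
-- procedure do the insert as long as it and the table share an owner.
GRANT EXECUTE ON OBJECT::dbo.usp_RegisterUser TO webapp_user;
GO

-- Check: impersonate the user and list exactly what it can do.
-- Expect SELECT on dbo.States and EXECUTE on dbo.usp_RegisterUser, nothing more.
EXECUTE AS USER = 'webapp_user';
SELECT * FROM fn_my_permissions('dbo.States', 'OBJECT');
SELECT * FROM fn_my_permissions('dbo.usp_RegisterUser', 'OBJECT');
REVERT;
GO
```

Repeat the script with a separate login for every database, so that a leaked password for one application cannot be used against another.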

9. Use classes to build the connection string, and mix them up to make it harder to follow. Many hackers move on when the level of difficulty increases.

10. Don't document how the authentication method(s) work inside the pages. Even when you release documentation to the customer, encryption and other sensitive information should be managed in a separate document.

11. If you manage a large web team, assign security to only a few key people. All other developers can use classes to communicate with the database; even if a developer prints the credentials to the screen, they will never know the production system passwords. Before the code is published live, a manager should check what the code does.

© Web Design by Christian Rodriguez | Copyright 2010