Web Application Security Questions

- J.D. Meier, Prashant Bansode, Paul Enfield.

These questions will ultimately be factored into the Q&A sections of the guide.

Hot Spots

  • Auditing and Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Communication
  • Data Access
  • Exception Management
  • Session Mgmt
  • Validation

Auditing and Logging

  • What's new in Hosted Web Application in terms of Auditing and Logging?
  • Which security events does the health monitoring feature log by default?
  • How do I instrument my application for security?
  • How do I protect audit and log files?
  • How do I retrieve logs for hosted web applications?
  • How do I archive log files for hosted web applications?
  • How do I partition logged data between instances of my roles?

Authentication

  • What’s new in Hosted Web Applications in terms of authentication?
  • How do I decide my Authentication strategy for Hosted Web Application?
  • How and when do I use Forms Authentication for Hosted Web Application?
  • How and when do I use Windows Authentication for Hosted Web Application?
  • How and when do I use Windows Live ID Authentication for Hosted Web Application?
  • How do I authenticate mobile users?
  • How do I authenticate users from multiple Active Directory domains?
  • How do I protect user information and user account store?
  • How do I manage user accounts securely?
  • How do I protect passwords in the user store?
  • What are the issues with Authentication in multiple instances of web role?
  • How do I implement single sign on in hosted web applications?

Authorization

  • What's new in Hosted Web Applications in terms of Authorization?
  • What is Claims-based authorization model?
  • What's the difference between Role-based and Claims-based Authorization?
  • How and when do I use Roles-based Authorization?
  • How and when do I use Claims-based Authorization?
  • How do I map user identity to required claims?
  • How do I transform a set of claims into the required set of claims (claims transition)?
  • How do I protect Security Token (Claims Token)?

Code Access Security

  • What's new in Hosted Web Application in terms of Code Access Security?
  • How do I use Code Access Security with Hosted Web Application?
  • How do I create a custom trust level for Hosted Web Application?
  • What are the permissions at the various trust levels?
  • How do I write partial trust applications?
  • How do I write full trust applications?

Communication

  • How do I choose a protocol for communicating between hosted web application layers?
  • How do I protect sensitive data exchanged between the client and the hosted web application?
  • What’s the difference between transport security and message security?
  • How and when do I use transport security?
  • How and when do I use message security?

Data Access

  • How do I protect the connection strings?
  • What authentication options are available for data access?
  • How do I connect to a database using standard SQL security?
  • How do I connect to a database using integrated security?
  • How do I protect Azure authentication and authorization?
  • How do I validate inputs to the data access methods?
  • How do I manage data (back-up, recovery etc)?
  • How do I protect data in Hosted Web application?

Exception Management

  • How do I handle exceptions securely?
  • How do I prevent detailed errors from returning to the client?
  • How do I deal with sensitive information when handling the exception?
  • How do I deal with unhandled exceptions?
  • How do I scrub exception messages for secure exception handling?
  • How do I set up a global exception handler for my application?
  • How do I enable my ASP.NET application to write to a new event source?

Session Mgmt

  • What state store options are available for a hosted web application?
  • How do I choose a state store for my web application?
  • How do I identify the data to be stored in session store?
  • How do I secure my session store?
  • How do I handle the session store in a multi-instance scenario?

Validation

  • What are the types of input I need to validate in my hosted web application?
  • How do I validate input in server-side controls?
  • How do I validate input in HTML controls, QueryString, cookies, and HTTP headers?
  • What is cross-site scripting and how do I protect my hosted web application from it?
  • What is SQL injection and how do I protect my application from SQL injection attacks?
  • How do I secure Ajax validation?
Last edited Sep 8, 2009 at 10:35 PM by paulenfield, version 1