Web Application Tasks
- J.D. Meier, Prashant Bansode, Paul Enfield
Task lists are a compilation of the activities customers are expected to carry out with this technology. We use them to identify the areas that will most likely need guidance and to prioritize those areas here.
- Auditing and Logging
- Authentication
- Authorization
- Code Access Security
- Communication
- Data Access
- Exception Management
- Session Management
- Input Validation
Auditing and Logging
- How to choose a store for auditing and logging data.
- How to identify operations and events to be logged.
- How to identify information to be logged.
- How to protect audit and log data stored in Azure storage.
- How to retrieve and archive log data.
- How to handle log failures.
- How to avoid storing sensitive information in log files.
- How to partition logged data between instances of roles.
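The items above (choosing the events and fields to log, keeping sensitive data out of the store, and surviving a log-store failure) come together in the following audit logger. It is an added illustration, not code from this page or from the patterns & practices team; the event catalogue, the sensitive field names and the two sink callables are assumptions, with the primary sink standing in for durable storage (Azure table or blob storage in this page's context) and the fallback for the local disk or diagnostics buffer.

```python
from __future__ import annotations
import json
import time
from typing import Any, Callable

# Keys whose values must never reach a log store. Illustrative names, extend per application.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "connection_string", "connectionstring", "card_number", "ssn"}

# Catalogue of auditable operations and the fields each record must carry (hypothetical).
AUDIT_EVENTS = {
    "login_success": ("user", "source_ip"),
    "login_failure": ("user", "source_ip", "reason"),
    "role_change": ("actor", "target_user", "old_role", "new_role"),
    "data_export": ("user", "resource", "record_count"),
}


def redact(data: dict) -> dict:
    """Return a copy of `data` with sensitive keys masked, recursing into nested dicts."""
    out = {}
    for key, value in data.items():
        if key.lower().replace("-", "_") in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


class AuditLogger:
    """Writes one JSON line per event to `primary`; if that raises, the record goes to
    `fallback` together with the reason, so a storage outage is itself recorded."""

    def __init__(self, primary: Callable[[str], None], fallback: Callable[[str], None],
                 clock: Callable[[], float] = time.time):
        self.primary = primary
        self.fallback = fallback
        self.clock = clock
        self.sink_failures = 0

    def record(self, event: str, **fields: Any) -> dict:
        # Only catalogued events with their required fields are accepted, so the log
        # cannot silently drift into something nobody can later interpret.
        if event not in AUDIT_EVENTS:
            raise ValueError(f"unknown audit event: {event}")
        missing = [f for f in AUDIT_EVENTS[event] if f not in fields]
        if missing:
            raise ValueError(f"{event}: missing required fields {missing}")
        entry = {"ts": self.clock(), "event": event, **redact(fields)}
        line = json.dumps(entry, sort_keys=True, default=str)
        try:
            self.primary(line)
        except Exception as exc:  # store unavailable: never lose the record silently
            self.sink_failures += 1
            self.fallback(json.dumps({"ts": entry["ts"], "event": "audit_sink_failure",
                                      "error": str(exc), "original": entry}, default=str))
        return entry
```

Redaction happens before serialization, so a caller that passes the raw request form (password included) still produces a safe record; the catalogue check is what enforces "identify the events and information to be logged" at the code level rather than by convention.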
Authentication
- How to identify trust boundaries within Web application layers for authentication.
- How to use Windows authentication in a web app.
- How to use forms authentication in a web app.
- How to manage user accounts securely.
- How to map a Windows login ID to a claims token.
- How to build a basic identity provider.
- How to combine multiple claims from separate providers into a single token.
- How to authenticate using Windows Live ID.
- How to authenticate mobile users.
- How to cap login retries to prevent brute force attacks.
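Two of the items above, managing user accounts securely and capping login retries, are shown together in this added example. It is not code from the page; it is a framework-neutral account store with salted PBKDF2 password hashes and a per-account lockout after a configurable number of failures. The store is an in-memory dict here as an assumption; a deployment with several web role instances must keep both the hashes and the failure counters in a store shared by all instances, or an attacker simply spreads attempts across instances.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import time
from typing import Callable


class AccountStore:
    """Salted PBKDF2-HMAC-SHA256 password storage with lockout after repeated failures."""

    # OWASP's current PBKDF2-HMAC-SHA256 figure; raise it as hardware improves.
    ITERATIONS = 600_000
    # Fixed dummy salt so that unknown usernames cost the same time as real ones.
    _DUMMY_SALT = bytes(16)

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 15 * 60,
                 clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._accounts: dict = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-account random salt defeats precomputed tables
        self._accounts[username] = {"salt": salt, "hash": self._hash(password, salt),
                                    "failures": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'.

        The result code is for the application's own logging and audit trail; the HTTP
        response should show one generic failure message for both failure codes."""
        acct = self._accounts.get(username)
        now = self.clock()
        if acct is None:
            # Same hashing work for unknown users, so timing does not reveal valid names.
            self._hash(password, self._DUMMY_SALT)
            return "bad_credentials"
        if now < acct["locked_until"]:
            return "locked"  # the password is not checked at all while locked
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.max_failures:
            acct["failures"] = 0
            acct["locked_until"] = now + self.lockout_seconds
        return "bad_credentials"
```

A fixed lockout lets an attacker who knows a username lock its owner out on purpose, so keep the window short, log every lockout as an audit event, and pair the per-account cap with per-source-address throttling at the edge.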
Authorization
- How to identify trust boundaries within the Web application layers for authorization.
- How to decide the granularity of authorization settings.
- How to use resource authorization.
- How to use URL authorization.
- How to use roles authorization.
- How to map Live IDs to roles or claims.
- How to use a remote role store from a cloud STS.
- How to expose a local role store to a remote STS.
- How to ensure a least-privilege implementation.
- How to use ACS (Access Control Service) to issue claims.
- How to map claims from multiple enterprises to the claims your application requires.
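The following added example shows the last item, mapping claims from several enterprises onto the application's own roles, together with role and resource authorization at the operation boundary. It is not code from the page and it does not use the ACS rule-group API; it implements the same claim transformation locally. The issuer URLs, the partner claim types and values, and the invoice resource are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from functools import wraps
from typing import Iterable


@dataclass(frozen=True)
class Claim:
    issuer: str   # the STS that asserted this claim
    type: str
    value: str


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Per-issuer rules translating each partner's claims into this application's roles.
# Issuers and partner claim values are hypothetical.
CLAIM_RULES = {
    "https://sts.contoso.example": {
        (ROLE_CLAIM, "Managers"): "approver",
        (ROLE_CLAIM, "Staff"): "reader",
    },
    "https://sts.fabrikam.example": {
        ("group", "finance-leads"): "approver",
        ("group", "finance"): "reader",
    },
}


def roles_for(claims: Iterable[Claim]) -> frozenset:
    """Map inbound claims to application roles. Claims from issuers not in the table are
    ignored, and each issuer's rules only apply to its own claims, so one partner cannot
    obtain a role by emitting another partner's claim type."""
    roles = set()
    for claim in claims:
        rules = CLAIM_RULES.get(claim.issuer)
        if rules is None:
            continue
        role = rules.get((claim.type, claim.value))
        if role is not None:
            roles.add(role)
    return frozenset(roles)


def build_principal(name: str, claims: Iterable[Claim]) -> Principal:
    return Principal(name, roles_for(claims))


class AuthorizationError(PermissionError):
    pass


def require_role(role: str):
    """Role check at the operation boundary, the code equivalent of a roles/URL rule."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            if role not in principal.roles:
                raise AuthorizationError(f"{fn.__name__} requires role {role!r}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@require_role("approver")
def approve_invoice(principal: Principal, invoice: dict) -> dict:
    invoice["status"] = "approved"
    return invoice


@require_role("reader")
def view_invoice(principal: Principal, invoice: dict) -> dict:
    # Resource-level check on top of the role check: readers only see their own invoices.
    if "approver" not in principal.roles and invoice["owner"] != principal.name:
        raise AuthorizationError("not the owner of this invoice")
    return invoice
```

The two-layer check is the granularity decision in practice: coarse role checks guard operations, and the resource check inside the operation handles ownership, which no role table can express.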
Code Access Security
- How to use code access security for constraining your web application.
- How to choose trust levels for your web application.
- How to use partial trust in your web application.
- How to create custom trust policy for your web application.
- How to use code access security in hosting scenarios.
Communication
- How to choose the protocol, security model and communication style for communication between web application layers.
- How to secure sensitive data that is sent across the network.
- How to choose between message security and transport security.
- How to secure inter-role communication (IPC).
- How to handle interruptions in access to cloud applications.
- How to interact with non-cloud applications that require a fixed IP address.
Data Access
- How to connect to a database using integrated security.
- How to connect to a database using standard SQL security.
- How to secure Azure SQL Database logins (authentication).
- How to secure Azure SQL Database access (authorization).
- How to secure your application from SQL injection.
- How to encrypt your connection strings.
- How to use least-privileged accounts for database access.
- How to choose an authentication option for data access.
- How to validate untrusted input passed to your data access methods.
Exception Management
- How to choose an exception management strategy.
- How to scrub exception messages for secure exception handling.
- How to handle sensitive information when handling exceptions.
- How to deal with unhandled exceptions.
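The three handling items above are shown in one added example, not code from the page: a last-chance handler that gives the client a generic message plus a reference ID, logs the full detail internally, and scrubs connection-string secrets from that detail before it is written. The scrub patterns and the request handler are assumptions; the log sink is a plain callable so the example runs without a logging backend.

```python
from __future__ import annotations
import re
import traceback
import uuid
from typing import Callable

# Secrets that routinely leak through exception text (connection strings in particular).
# Illustrative rules; extend them for the application's own formats.
SCRUB_RULES = [
    (re.compile(r"(password|pwd|secret|token|accountkey)=([^;\s'\"]+)", re.I), r"\1=[REDACTED]"),
    (re.compile(r"(server|data source|host)=([^;\s'\"]+)", re.I), r"\1=[REDACTED]"),
]

GENERIC_MESSAGE = "The request could not be completed. Quote the reference ID when contacting support."


def scrub(text: str) -> str:
    for pattern, replacement in SCRUB_RULES:
        text = pattern.sub(replacement, text)
    return text


def handle_exception(exc: BaseException, log: Callable[[dict], None]) -> dict:
    """Log the scrubbed stack trace under a reference ID; return only the ID to the caller."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log({"ref": ref, "type": type(exc).__name__, "detail": scrub(detail)})
    # Nothing from the exception itself reaches the response: no message, no type, no trace.
    return {"status": 500, "error": GENERIC_MESSAGE, "reference": ref}


def run_request(handler: Callable[[], dict], log: Callable[[dict], None]) -> dict:
    """Last-chance wrapper: the whole request runs inside it, so an exception the
    handler did not expect never escapes to the platform's default error page."""
    try:
        return handler()
    except Exception as exc:
        return handle_exception(exc, log)
```

Scrubbing is applied to the internal log as well as the response because log stores are usually readable by more people than the configuration that holds the secret; the reference ID is what lets support correlate a user report with the full record.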
Session Management
- How to choose a state store.
- How to identify the data to be stored in the session store.
- How to handle session state in a single Web server scenario.
- How to handle session state in a web farm scenario.
- How to secure your session store.
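An added example, not code from the page, of a server-side session store that covers the last three items: the browser holds only an unguessable ID, the data stays on the server, IDs are regenerated after authentication, and idle and absolute timeouts are enforced. The dict is an assumption standing in for a store shared by every instance in the farm (a cache or table store in this page's setting), and the timeout values are illustrative.

```python
from __future__ import annotations
import secrets
import time
from typing import Callable, Optional


class SessionStore:
    """Server-side sessions keyed by a 256-bit random ID from the OS CSPRNG."""

    ID_BYTES = 32

    def __init__(self, idle_timeout: int = 20 * 60, absolute_timeout: int = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: dict = {}

    def create(self, user_id: str, **data) -> str:
        """Start a session. Store identifiers and small state only, never secrets or
        anything the server can look up again from the user ID."""
        sid = secrets.token_urlsafe(self.ID_BYTES)
        now = self.clock()
        self._sessions[sid] = {"user_id": user_id, "data": dict(data),
                               "created": now, "last_seen": now}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session data, or None if unknown or expired (expired ones are removed)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if (now - session["last_seen"] > self.idle_timeout
                or now - session["created"] > self.absolute_timeout):
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return {"user_id": session["user_id"], **session["data"]}

    def regenerate(self, sid: str) -> Optional[str]:
        """Move the session to a fresh ID. Call this after login and after any privilege
        change, so an ID fixed or observed before authentication is worthless afterwards."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)
```

The ID must be sent in a cookie marked Secure and HttpOnly; with a random ID of this size there is nothing for a client to forge, which is why no signature is needed on the cookie itself.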
Input Validation
- How to identify trust boundaries within Web application layers for validation.
- How to design your validation strategy to constrain, reject, and sanitize malicious input.
- How to efficiently and securely validate input data.
- How to secure Ajax validation.
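The constrain, reject and sanitize strategy and the Ajax item above are shown in this added example; it is not code from the page. Each field is constrained by type, length and an allowlist pattern, anything outside that is rejected rather than repaired, the same rules run server-side on a raw JSON body because the browser-side checks may have been bypassed, and sanitization is done for the output context (HTML encoding) rather than on input. The form definition and the sample requests are constructed for the illustration.

```python
from __future__ import annotations
import html
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Field:
    name: str
    pattern: re.Pattern      # allowlist describing what a valid value looks like
    max_len: int
    required: bool = True


# Constructed definition for a hypothetical comment-posting endpoint.
COMMENT_FORM = [
    Field("username", re.compile(r"[a-z][a-z0-9_.]{2,31}"), 32),
    Field("email", re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I), 254),
    Field("comment", re.compile(r"[\w\s.,;:!?'()-]*"), 500, required=False),
]


def validate(spec: list, data: dict) -> tuple:
    """Constrain, then reject: a value must be a string, within its length bound and a
    full match of its allowlist. Returns (cleaned, errors); nothing is repaired silently."""
    cleaned, errors = {}, []
    for field in spec:
        value = data.get(field.name)
        if value is None or value == "":
            if field.required:
                errors.append(f"{field.name}: required")
            continue
        if not isinstance(value, str):
            errors.append(f"{field.name}: must be a string")
            continue
        if len(value) > field.max_len:  # bound the length before running the regex
            errors.append(f"{field.name}: longer than {field.max_len}")
            continue
        if not field.pattern.fullmatch(value):
            errors.append(f"{field.name}: contains disallowed characters")
            continue
        cleaned[field.name] = value
    unexpected = set(data) - {f.name for f in spec}
    if unexpected:
        errors.append(f"unexpected fields: {sorted(unexpected)}")
    return cleaned, errors


def validate_ajax(spec: list, body: bytes, max_bytes: int = 4096) -> tuple:
    """Server-side validation of an Ajax/JSON post. The body is size-bounded, parsed
    strictly, and checked with exactly the same rules as a normal form post."""
    if len(body) > max_bytes:
        return None, ["request body too large"]
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, ["malformed JSON"]
    if not isinstance(data, dict):
        return None, ["expected a JSON object"]
    cleaned, errors = validate(spec, data)
    return (cleaned if not errors else None), errors


def render_comment(comment: str) -> str:
    """Sanitize for the output context: encode so stored text can never become markup."""
    return html.escape(comment, quote=True)
```

Running the same validator for the JSON and the form path is the point of the Ajax item: the client-side script is a usability feature, and the server treats every body as untrusted regardless of which script produced it.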