Re: Web Application Security

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/18/04


Date: Sat, 18 Sep 2004 07:42:54 -0400

This doesn't directly answer your question, but may be useful anyways:

www.sqlsecurity.com
www.owasp.org
www.microsoft.com/technet/security

You might get much better answers asking these questions in a newsgroup for
your specific product, e.g. .NET and presumably SQL. I think more
programmers tend to hang out in those newsgroups.

You also might need info from books due to the depth and complexity of the
topic. Secure Coding from MS Press, and books like Hacking Web Apps Exposed
or the similar Stuart McClure book are probably recommended.

"Nipz" <Nipz@discussions.microsoft.com> wrote in message
news:230721C6-B2C8-40C2-B134-005DA074E67C@microsoft.com...
> Hi,
> We are developing a web application with .NET. I have read some articles
> from microsoft, but I am still unclear about how to go about ensuring
> security.
> 1) Do we have to have Database Roles mapped to Database users to ensure
> security?
> * if we had one admin account to a specific database and then validated
> users from application level security would it be a bad idea?
>
> 2) How can we do row level tracking?
> i.e: Say we have Table A that can be accessed from user A & User B. But User A
> can access all records on that while user B can access some records. How do
> we achieve that? We figured we need to maintain an Access Matrix table in the
> DB.
> For example, say like Table A row 3 can be accessed by emp id 1 & 2 and
> say like Table B row 4 can be accessed by emp id 1.
> But this really increases complexity and might bring down performance and
> maintainability as such.
>
> 3) If we do role based (i.e: RoleA-> Can access TableA,TableB RoleB->can
> access TableC,TableD and there is user1 with ROLEA and user2 with ROLEB) from
> sql server how should we map this to the application. Should the application
> pass user name and password and assume that identity, then when a DB call
> failed throw back a formatted exception to the user. But, then in this
> instance application doesn't know beforehand that information. (I assume that
> there is no way without an admin password application can query and get user
> name/password from SQL server).
> So how should we go about it?
>
> Thanks in advance.
>
>
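The access-matrix design from the quoted question (a per-row grant table consulted on every read), worked as an added example that is not from the thread or either poster; it uses SQLite from Python, and the table and column names are assumptions. The point it shows is that the row filter lives in the query join, backed by the matrix's composite key, so the application never fetches rows it would then have to discard.

```python
import sqlite3

# Constructed schema: a data table plus the "access matrix" the question
# describes, one row per (table, row, employee) grant. The composite primary
# key doubles as the index the per-row filter join needs.
SCHEMA = """
CREATE TABLE table_a (row_id INTEGER PRIMARY KEY, payload TEXT);
CREATE TABLE row_access (
    table_name TEXT    NOT NULL,
    row_id     INTEGER NOT NULL,
    emp_id     INTEGER NOT NULL,
    PRIMARY KEY (table_name, row_id, emp_id)
);
"""


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows and grants."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO table_a VALUES (?, ?)",
                    [(1, "r1"), (2, "r2"), (3, "r3"), (4, "r4")])
    # emp 1 may read every row of table_a; emp 2 may read row 3 only
    grants = [("table_a", r, 1) for r in (1, 2, 3, 4)] + [("table_a", 3, 2)]
    con.executemany("INSERT INTO row_access VALUES (?, ?, ?)", grants)
    return con


def visible_rows(con: sqlite3.Connection, emp_id: int) -> list[int]:
    """Rows of table_a the employee is granted; filtering is done by the
    join, not by post-processing in application code."""
    cur = con.execute(
        """SELECT a.row_id
             FROM table_a AS a
             JOIN row_access AS ra
               ON ra.table_name = 'table_a' AND ra.row_id = a.row_id
            WHERE ra.emp_id = ?
            ORDER BY a.row_id""",
        (emp_id,),
    )
    return [r[0] for r in cur.fetchall()]


def can_access(con: sqlite3.Connection, emp_id: int, table: str, row_id: int) -> bool:
    """Point check before an update/delete: is there a grant for this row?"""
    cur = con.execute(
        "SELECT 1 FROM row_access WHERE table_name = ? AND row_id = ? AND emp_id = ?",
        (table, row_id, emp_id),
    )
    return cur.fetchone() is not None
```

Deny-by-default falls out naturally: an employee with no grant row (or a table with no entries in the matrix) sees nothing rather than everything.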


