At work we’ve started a fairly aggressive rewrite of our web applications. We’re moving them all to a common set of style sheets, graphics and master pages, and we’re putting both our web server and our SVN repository into a logical structure. What started as just a few ASP.NET applications has grown into a jumbled mix of .NET apps, web services and ASP classic applications. Since we’ll be touching a lot of code in this project, we’re going to take a long, hard look at security. Among other tasks, we’re taking steps to prevent SQL injection and making sure we close any cross-site scripting (XSS) vulnerabilities.
We work strictly on enterprise applications, and as a result we’re tucked in behind a nice corporate firewall. That is no comfort, though, because we have sites all over the world, and there are countless opportunities for attackers to get behind enemy lines. Because I’m beginning to take a more in-depth approach to security and to how I write code, I thought I would share some of my lessons here in yet another series of blog posts (as if the Second Look at Linux and FLOSS series weren’t enough). My next installment will concentrate on using the Anti-XSS library and will include a few code samples. The library is free to use and provides an easy way to encode output that came from an untrusted source (i.e., the user) before it is written into a page.
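To make the output-encoding point concrete before the next installment, here is an added example (not code from the original post) showing the same user-supplied value reflected into an ASP.NET page raw and then encoded for the context it lands in. It assumes the classic Anti-XSS library’s `Microsoft.Security.Application` namespace and its static `AntiXss` class with `HtmlEncode` and `HtmlAttributeEncode`; the page class name and the `q` parameter are illustrative. `HttpUtility.HtmlEncode` from `System.Web` is the built-in alternative if the library is not installed.

```csharp
// Added example, not from the original post.
// Assumes the Anti-XSS library (Microsoft.Security.Application.AntiXss);
// System.Web.HttpUtility.HtmlEncode is the built-in fallback for the body context.
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application;

public partial class SearchPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input. The fallback value is a constructed sample so the
        // page shows the difference even when no query string is supplied.
        string q = Request.QueryString["q"] ?? "<script>alert(1)</script>";

        // VULNERABLE: the raw value is concatenated into the HTML body, so a
        // <script> tag in q executes in every visitor's browser.
        // Response.Write("<p>You searched for: " + q + "</p>");

        // HARDENED (HTML body context): '<' and '>' become &lt; and &gt;,
        // so the browser renders the text instead of executing it.
        Response.Write("<p>You searched for: " + AntiXss.HtmlEncode(q) + "</p>");

        // HARDENED (attribute context): a quote in q would otherwise close the
        // value="" attribute and let the attacker add onmouseover= etc.
        Response.Write("<input type=\"text\" name=\"q\" value=\""
                       + AntiXss.HtmlAttributeEncode(q) + "\" />");

        // Same body-context protection using only the framework.
        Response.Write("<p>" + HttpUtility.HtmlEncode(q) + "</p>");
    }
}
```

The practical rule the example illustrates is that the encoder must match the destination: body text, attribute values, URLs and JavaScript strings each need a different encoding, and encoding on input (or in the database) instead of at the point of output is how data ends up double-encoded in one place and unencoded in another.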