
Deploying a site out in the WWW

Kevin Lawrence
Guest
 
Posts: n/a
#1: Feb 2 '06
Hi all

I was wondering if there were any guidelines to follow before publishing
a site out in the www.

I'm most concerned about security, I can ensure the data is secure over HTTPS
and I can ensure no-one views information that they shouldn't be.

But what about things like using querystrings etc? Is it a good idea to rely
too much on querystring usage, will people try and hack the site? Will they
try and access things they shouldn't be? That sort of thing.

Is there anything I should be careful about when releasing a site?

Thanks
Kev



KMA
Guest
 
Posts: n/a
#2: Feb 2 '06

re: Deploying a site out in the WWW


Depends a bit upon what data is on the site.

If it's a banking site then there will be differing security requirements
than for a site which shows on line chocolate cookie recipes.

Ask yourself: "what's the worst that can happen?"

Someone deletes your data? So make a timed backup now and then.

Someone posts profanity? So swear back at them and make sure you get your
insult in first.

As for query string manipulation, I often use it for checking share prices
or querying the product database for sites that would otherwise have me
clicking back and forth. Nothing malicious about that, I think.




Kevin Lawrence
Guest
 
Posts: n/a
#3: Feb 2 '06

re: Deploying a site out in the WWW


> Depends a bit upon what data is on the site.
>
> If it's a banking site then there will be differing security
> requirements than for a site which shows on line chocolate cookie
> recipes.
>
> Ask yourself: "what's the worst that can happen?"

This is really what I need to know - it's a site that provides a service,
people have to pay for a full subscription but it doesn't contain seriously
confidential data, I suppose my fear is that someone gets hold of someone's
address or something for a particular reason - you know what some psychos
are like out there - but is that my concern?

What has been the worst that HAS happened?

Kev


KMA
Guest
 
Posts: n/a
#4: Feb 2 '06

re: Deploying a site out in the WWW


Aha, some more details.

I guess if you're storing personal information then you have a duty of care
to the individuals to which it relates. Depending on where you live you
might also have a legal obligation. Obviously unencrypted query strings
would not be appropriate - you don't want someone to guess that CustID=1234
might mean that there are customers 1233 and 1235 too.

Lock down particular folders to prevent listing by a browser.

Implement a secure data access layer.

If you find a site with a comprehensive list, post it here as it would
certainly be a useful link.



Kevin Lawrence
Guest
 
Posts: n/a
#5: Feb 2 '06

re: Deploying a site out in the WWW


> Aha, some more details.
>
> I guess if you're storing personal information then you have a duty of
> care to the individuals to which it relates. Depending on where you
> live you might also have a legal obligation. Obviously unencrypted
> query strings would not be appropriate - you don't want someone to
> guess that CustID=1234 might mean that there are customers 1233 and
> 1235 too.
>
> Lock down particular folders to prevent listing by a browser.

Ok, thanks.

> Implement a secure data access layer.

I've ensured the data is accessible only by the owner of the data, we are
using GUIDs as well for the ids so no-one is going to be able to guess a
guid (unless they're really lucky!) - either way they will be turned down
flat if they don't own the data, I can't think of any more to do, I always assumed
the only way someone could hack into your site was via query-strings.

> If you find a site with a comprehensive list, post it here as it would
> certainly be a useful link.

Will do, thanks for your help.

Kev
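
The check described in post #5, as an added C# example that is not code from the thread: the record id arrives in the query string, the user comes from the server-side session, and the lookup refuses anything that user does not own, whether the id was guessed or leaked. The Profile and ProfileStore names and the sample data are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; not from the thread.
public sealed class Profile
{
    public Guid Id;
    public string OwnerUser;   // account that owns this record
    public string Address;
}

public sealed class ProfileStore
{
    private readonly Dictionary<Guid, Profile> _byId = new Dictionary<Guid, Profile>();

    public Guid Add(string ownerUser, string address)
    {
        var p = new Profile { Id = Guid.NewGuid(), OwnerUser = ownerUser, Address = address };
        _byId[p.Id] = p;
        return p.Id;
    }

    // rawId is the untrusted query-string value; authenticatedUser must come from the
    // server-side session, never from a request parameter.
    public bool TryGetForUser(string rawId, string authenticatedUser, out Profile profile)
    {
        profile = null;
        if (!Guid.TryParse(rawId, out Guid id)) return false;              // malformed id
        if (!_byId.TryGetValue(id, out Profile found)) return false;       // unknown id
        if (!string.Equals(found.OwnerUser, authenticatedUser, StringComparison.Ordinal))
            return false;                                                   // real id, wrong owner
        profile = found;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new ProfileStore();
        string aliceId = store.Add("alice", "1 Constructed Street").ToString();
        Profile p;
        Console.WriteLine(store.TryGetForUser(aliceId, "alice", out p));   // owner asks
        Console.WriteLine(store.TryGetForUser(aliceId, "bob", out p));     // id leaked to another user
        Console.WriteLine(store.TryGetForUser("1234", "bob", out p));      // guessed value
    }
}
```

Unknown ids and other users' ids get the same answer, so the response does not confirm which ids exist.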


TH
Guest
 
Posts: n/a
#6: Feb 2 '06

re: Deploying a site out in the WWW


Encrypt Password Field in SQL Server, Registry Information & Query String
http://www.codeproject.com/aspnet/encrypt.asp

Paul Bush
Guest
 
Posts: n/a
#7: Feb 2 '06

re: Deploying a site out in the WWW


Use cryptography functions to encrypt and decrypt data in the
querystring. This is what I use:

http://www.willasrari.com/blog/index...ase-passwords/

I originally used that tutorial to encrypt the password to store in a
database. You can just as easily edit it to encrypt/decrypt the
querystring, username, id, etc...

It's in C# but converting to VB.NET shouldn't be too difficult.
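
One way to protect a query-string value along the lines suggested above, as an added example that is not taken from either linked tutorial: AES-GCM encrypts the value and rejects modified tokens, and the signed-in user is bound in as associated data. QueryToken and its methods are hypothetical names, the key is a constructed demo key, and .NET 8 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class QueryToken   // hypothetical helper, assumes .NET 8 or later
{
    const int NonceLen = 12, TagLen = 16;
    // Token = base64url(nonce || ciphertext || tag); the session user is bound in as
    // associated data, so a token copied from another user's URL fails to verify.
    public static string Protect(string value, string user, byte[] key)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] token = new byte[NonceLen + plain.Length + TagLen];
        RandomNumberGenerator.Fill(token.AsSpan(0, NonceLen));   // fresh nonce per token
        using (var gcm = new AesGcm(key, TagLen))
            gcm.Encrypt(token.AsSpan(0, NonceLen), plain, token.AsSpan(NonceLen, plain.Length),
                        token.AsSpan(NonceLen + plain.Length), Encoding.UTF8.GetBytes(user));
        return Convert.ToBase64String(token).Replace('+', '-').Replace('/', '_');
    }

    public static bool TryUnprotect(string token, string user, byte[] key, out string value)
    {
        value = null;
        try
        {
            byte[] raw = Convert.FromBase64String(token.Replace('-', '+').Replace('_', '/'));
            int n = raw.Length - NonceLen - TagLen;
            if (n < 0) return false;                          // too short to be a token
            byte[] plain = new byte[n];
            using (var gcm = new AesGcm(key, TagLen))
                gcm.Decrypt(raw.AsSpan(0, NonceLen), raw.AsSpan(NonceLen, n),
                            raw.AsSpan(NonceLen + n), plain, Encoding.UTF8.GetBytes(user));
            value = Encoding.UTF8.GetString(plain);
            return true;
        }
        catch (FormatException) { return false; }             // not valid base64
        catch (CryptographicException) { return false; }      // modified, wrong user or wrong key
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);       // constructed demo key
        string v, t = Protect("CustID=1234", "alice", key);
        Console.WriteLine(TryUnprotect(t, "alice", key, out v) ? "ok: " + v : "rejected");
        Console.WriteLine(TryUnprotect(t, "bob", key, out v) ? "ok: " + v : "rejected");
        string bad = t.Substring(0, 20) + (t[20] == 'A' ? 'B' : 'A') + t.Substring(21);
        Console.WriteLine(TryUnprotect(bad, "alice", key, out v) ? "ok: " + v : "rejected");
    }
}
```

A token that decrypts only proves the server issued it for that user; the ownership check on the decrypted id still applies.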

Kevin Lawrence
Guest
 
Posts: n/a
#8: Feb 3 '06

re: Deploying a site out in the WWW


> Use cryptography functions to encrypt and decrypt data in the
> querystring. This is what I use:
>
> http://www.willasrari.com/blog/index...rp-cryptostream-encrypt-decrypt-database-passwords/
>
> I originally used that tutorial to encrypt the password to store in a
> database. You can just as easily edit it to encrypt/decrypt the
> querystring, username, id, etc...
>
> It's in C# but converting to VB.NET shouldn't be too difficult.

Thanks, I'm using C# so that's fine.

Kev

