Securing your application. Part 1 - Securing your connection

I guess this is one of my pet hates/loves - too often I come across applications that make their database connection strings freely available to anybody who knows where to look.

As a junior developer, the main focus is generally just to secure the connection string and leave it at that - the IT guys know what they're doing. But untold amounts of data are being transferred across domains, networks or even in public, without any thought for how that data is secured.

I'm sure many who have worked in the finance industry (banking, anyone?) are aware of how important it is to secure that data... we're dealing with money here, so it's obvious that it needs to be safe.

So, how do we do it? Or do we care? I mean, the famous last words of any application exposed to the public are "it wouldn't happen to me, right?".

Where do we start? 

Encrypting web.config connectionstrings

The obvious first choice would be to take whatever details you're storing in your config files and make them unavailable - check (web.config isn't readable from the web... or is it?).

Naturally we don't want to encrypt everything, so let's just do the sections that are important for now.

connectionStrings section, encrypt:

aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "RsaProtectedConfigurationProvider"

connectionStrings section, decrypt:

aspnet_regiis -pd "connectionStrings" -app "/AppName"

Now we've encrypted the connection string, so the data is safe... no, of course not. This only encrypts that section of the web.config with a machine-level key; data is still being transferred between servers in plain text.

Next is a simple way to ensure that your data is encrypted in transit: get hold of an SSL certificate for the SQL Server and use the SqlClient connection string's Encrypt setting. This ensures that all data sent between the client and server is encrypted.
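As an added example (my own script, not code from the original post), here is a small audit that checks a web.config for both points above: whether the connectionStrings section has actually been protected by aspnet_regiis, and whether any plaintext connection strings still in it ask for an encrypted channel with Encrypt=True. It also flags TrustServerCertificate=True, because with that keyword set the client accepts any certificate the server presents, so the encrypted channel no longer proves you are talking to the right server. The two web.config samples are constructed; the encrypted one is trimmed to the shape aspnet_regiis produces (a configProtectionProvider attribute and an EncryptedData child) with a placeholder ciphertext, and the connection string parser is a simple one that does not handle quoted values containing semicolons.

```python
"""Audit an ASP.NET web.config: is the connectionStrings section protected,
and do any plaintext connection strings request an encrypted channel
(Encrypt=True) without disabling certificate validation
(TrustServerCertificate=True)?"""
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: the connectionStrings section is still plaintext.
# "Good" asks for encryption correctly, "Clear" not at all, and "Trusting"
# accepts any server certificate, so a spoofed server would not be noticed.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Good" connectionString="Data Source=db1;Initial Catalog=App;Integrated Security=SSPI;Encrypt=True" />
    <add name="Clear" connectionString="Data Source=db1;Initial Catalog=App;User ID=app;Password=placeholder" />
    <add name="Trusting" connectionString="Data Source=db1;Initial Catalog=App;Encrypt=yes;TrustServerCertificate=true" />
  </connectionStrings>
</configuration>
"""

# Constructed sample shaped like the output of
#   aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "RsaProtectedConfigurationProvider"
# trimmed to the parts the audit looks at; the ciphertext is a placeholder.
ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Good enough for typical web.config entries; quoted values that contain
    ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip().strip('"').strip("'")
    return pairs


def _truthy(val):
    # SqlClient accepts true/yes (case-insensitive) for boolean keywords.
    return val is not None and val.lower() in ("true", "yes")


def audit_web_config(xml_text):
    """Return (section_protected, findings). findings maps each plaintext
    connection string name to a list of problems; an empty list means it
    requests an encrypted channel and still validates the server certificate."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return False, {}
    protected = (section.get("configProtectionProvider") is not None
                 and section.find("{%s}EncryptedData" % XMLENC_NS) is not None)
    findings = {}
    for add in section.findall("add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        problems = []
        if not _truthy(pairs.get("encrypt")):
            problems.append("Encrypt is not set to True")
        if _truthy(pairs.get("trustservercertificate")):
            problems.append("TrustServerCertificate=True skips certificate validation")
        if "password" in pairs:
            problems.append("password stored in plaintext section")
        findings[add.get("name")] = problems
    return protected, findings


if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("encrypted", ENCRYPTED_CONFIG)):
        protected, findings = audit_web_config(cfg)
        print("%s: section protected=%s" % (label, protected))
        for name, problems in findings.items():
            print("  %-9s %s" % (name, "; ".join(problems) or "ok"))
```

Run against the encrypted sample the script reports the section as protected and has no plaintext entries to inspect; run against the plaintext sample it passes "Good", and flags "Clear" (no Encrypt, and a password sitting in a readable section) and "Trusting" (certificate validation switched off). Note that the two checks are complementary, exactly as the post says: an encrypted web.config protects the credentials at rest, and Encrypt=True protects the data on the wire.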

What other methods do you use/know that can make your application connections more secure?

There are many ways to skin a cat - but you have to start somewhere.

-----------------------------------------------------------------------------------------

Securing your application. Part 1 - Securing your connection
Securing your application. Part 2 - Securing your data

Securing your application. Part 3 - Securing your code (coming)

Published Tue, May 4 2010 7:34 by Brian Madsen

Comments

# Securing your application. Part 2 - Securing your data

Monday, May 03, 2010 7:09 PM by Brian H. Madsen - .Net Powered by Caffeine

We've just had a look at how to secure your connection in Part 1 so obviously everything is now all