• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 175
  • Last Modified:

How to build a secure web application

I'm building a web application for a real estate company. In that app, they'll be collecting sensitive data such as personal income and bank info. I'll have the database in MS Access. The front end will be in ASP.Net. Will SSL certificates be enough to not compromise the sensitive data's authenticity and integrity? If not, what recommendations do you have for me in order to build a very secure web application... tx
0
alateos
Asked:
alateos
1 Solution
 
jhanceCommented:
>>I'll have the database in MS Access

That's mistake #1.  MS Access is insecure by design.  Since it has no inherent security you're totally at the mercy of the host PCs filesystem security.  I suggest a reconsideration of this decision.  I'd suggest using a SECURABLE DB like MS SQL Server (even the free MSDE or SWL 2005 Express Edition), MySQL, or similar.  Not only is MS Access easily compromised but it's easily hacked (especially from insiders) so your concerns about data INTEGRITY are well founded with this solution.

Mistake #2 is not understanding that SSL will only protect the information as it is communicated over the web.  Once the private data arrives at your ASP.NET app, it's already in plaintext and compromisable.  If you are just collecting information, re-encrypt it immediately, store it in your database, and leave it that way until it's needed by someone.  Then use an application (web or stand-alone) to view the data.  Note that none of these DBs are inherently secure but they are SECURABLE.  By that I mean proper installation and configuration of the DB itself, the system it runs on, and any interfaces will result in a very secure system.

0
 
alateosAuthor Commented:
jhance,

tx for ur comment. Though i have a couple of questions for you.

1) Why is Access not "securable" as opposed to SQL server. At one point SQL Server was vulnerable to a SQL Injection attack.

2) You were suggesting that I encrypt the content before it goes into the database. Therefore, all of my entries in the database would be in the form of ciphertext. Is it common practice to do that? Does it significantly affect performance? And if such is the case, then why would SQL Server be more secure than Access?
0
 
TolomirAdministratorCommented:
Just a remark: Access is a desktop tool, not really multiuser enabled and without certain backup measures.
The good news is, you can easily convert your access DB to an MS SQL database keeping all the fronends in access.

Here are some links http://www.aspfree.com/
http://www.microsoft.com/sql/default.mspx
http://www.oreilly.com/pub/topic/dotnet



0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now