How to build a secure web application

Posted on 2006-05-20
Last Modified: 2010-04-11
I'm building a web application for a real estate company. In that app, they'll be collecting sensitive data such as personal income and bank info. I'll have the database in MS Access. The front end will be in ASP.Net. Will SSL certificates be enough to not compromise the sensitive data's authenticity and integrity? If not, what recommendations do you have for me in order to build a very secure web application? Thanks.
Question by: alateos

    Accepted Solution

    >>I'll have the database in MS Access

    That's mistake #1.  MS Access is insecure by design.  Since it has no inherent security you're totally at the mercy of the host PC's filesystem security.  I suggest a reconsideration of this decision.  I'd suggest using a SECURABLE DB like MS SQL Server (even the free MSDE or SQL Server 2005 Express Edition), MySQL, or similar.  Not only is MS Access easily compromised but it's easily hacked (especially from insiders), so your concerns about data INTEGRITY are well founded with this solution.

    Mistake #2 is not understanding that SSL will only protect the information as it is communicated over the web.  Once the private data arrives at your ASP.NET app, it's already in plaintext and compromisable.  If you are just collecting information, re-encrypt it immediately, store it in your database, and leave it that way until it's needed by someone.  Then use an application (web or stand-alone) to view the data.  Note that none of these DBs are inherently secure but they are SECURABLE.  By that I mean proper installation and configuration of the DB itself, the system it runs on, and any interfaces will result in a very secure system.
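The accepted solution's second point, "re-encrypt it immediately, store it in your database, and leave it that way until it's needed", is shown below as an added example; it is not code from the answerer or from the asker's project. The asker's stack is ASP.NET, but the illustration is written in Go with only the standard library so it runs stand-alone; the `Applicant` row layout, the column names, the sample values and the way the key is obtained are all assumptions. Each sensitive field is sealed with AES-256-GCM, and the record id and column name are bound in as associated data, so a ciphertext copied into another row or column fails to decrypt rather than silently returning someone else's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Applicant is a hypothetical intake row. Name is stored in clear; income and
// bank details are stored as base64(nonce || AES-GCM ciphertext+tag).
type Applicant struct {
	ID             int
	Name           string
	IncomeCipher   string
	BankInfoCipher string
}

// newKey returns a fresh 256-bit key. In a deployment the key comes from a key
// store or protected config outside the database, never from the DB itself.
func newKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// aad binds a ciphertext to its row and column (the integrity concern in the
// question): moving the blob elsewhere makes authentication fail.
func aad(recordID int, column string) []byte {
	return []byte(fmt.Sprintf("%d:%s", recordID, column))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field under a random nonce; the nonce is prefixed to
// the ciphertext so the stored blob is self-describing.
func sealField(key []byte, recordID int, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	blob := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// openField decrypts and authenticates one field; a wrong key, a tampered
// blob or a row/column swap yields an error rather than garbage.
func openField(key []byte, recordID int, column, stored string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, column))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, tampered data, or wrong record/column")
	}
	return string(pt), nil
}

// storeApplicant is the intake path: values arrive in plaintext after TLS
// and are re-encrypted before the row is written.
func storeApplicant(key []byte, id int, name, income, bankInfo string) (Applicant, error) {
	inc, err := sealField(key, id, "income", income)
	if err != nil {
		return Applicant{}, err
	}
	bank, err := sealField(key, id, "bank_info", bankInfo)
	if err != nil {
		return Applicant{}, err
	}
	return Applicant{ID: id, Name: name, IncomeCipher: inc, BankInfoCipher: bank}, nil
}

// viewIncome is the only path that decrypts income (the viewing application
// the answer mentions).
func viewIncome(key []byte, a Applicant) (string, error) {
	return openField(key, a.ID, "income", a.IncomeCipher)
}

func main() {
	key := newKey()
	// Constructed sample values, not real data.
	row, _ := storeApplicant(key, 1, "A. Applicant", "85000", "sort 12-34-56 acct 00000000")
	fmt.Println("income column as stored:", row.IncomeCipher)
	fmt.Println(viewIncome(key, row)) // plaintext only in the view path
	row.ID = 2                       // blob copied into another applicant's row
	fmt.Println(viewIncome(key, row)) // authentication error
}
```

The database only ever holds the base64 blobs, so an insider who copies the file or dumps the table gets ciphertext; the key must therefore live outside the database and outside the web root. One consequence worth knowing before adopting this pattern: encrypted columns cannot be searched or indexed by their plaintext value.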


    Author Comment


    Thanks for your comment, though I have a couple of questions for you.

    1) Why is Access not "securable" as opposed to SQL server. At one point SQL Server was vulnerable to a SQL Injection attack.

    2) You were suggesting that I encrypt the content before it goes into the database. Therefore, all of my entries in the database would be in the form of ciphertext. Is it common practice to do that? Does it significantly affect performance? And if such is the case, then why would SQL Server be more secure than Access?

    Expert Comment

    Just a remark: Access is a desktop tool, not really multi-user enabled and without certain backup measures.
    The good news is, you can easily convert your Access DB to an MS SQL database, keeping all the front ends in Access.

    Here are some links

