Can a .NET website be as secure as a Linux website

Hi,

I am a C# developer and wonder, can a .NET website be as secure as a Linux website?  I was wondering if it is worth brushing up on my Java, and getting FoxServer, MySQL going again, etc.

What are your thoughts?

Can anything be done for denial of service attacks?
I'm not very worried about the effort of re-learning Linux.  I simply want the toughest site possible.  Also, a Linux site is more transportable, right?

Thanks,
Bob
ba272 Asked:
 
BlackTigerX Commented:
the technology used to develop a website has little to do with the security of the site, you can make a secure or insecure site using any language and hosting it on any web server

IIS itself has been very stable and has had way less security problems than Apache

some languages tend to make the programmers make more errors, lately PHP has been identified as one of those languages

in .NET they have put a big effort to make applications secure, I don't think you should base your criteria on the language, you should use whatever you feel more comfortable using, on the other hand you can be way more productive using Visual Studio and C# than PHP or most other tools

about making the site more transportable?... I think .NET is much more robust and stable in its versioning, you don't have so many versions of so many different components (Linux, Apache, PHP, Java, MySQL)
0
 
ba272 (Author) Commented:
great!  That's the answer I was hoping for.  I'm very comfortable with .NET and could do it much more easily in C#.

What kinds of security considerations are there?  What about a denial of service attack?  What other things can be done to make a site as secure as humanly possible?

0
 
BlackTigerX Commented:
there is pretty much "nothing" you can do against DOS attacks, that simple, any OS, any server, any site can be taken down with DOS, especially DDOS (distributed DOS), as long as the site itself doesn't have a problem that allows for DOS attacks

there are too many things to worry about when talking about security, it depends on the nature of the site, but some of the most important are:

Sniffers between the site and the users accessing it - use SSL
CSS (cross site scripting) - disallow the use of all scripting by default, and allow only what is required
SQL Injection - use stored procedures or parameterized queries to prevent these
- always check any data coming from the user
- identify critical areas of the application and test more thoroughly those areas

http://ebersys.blogspot.com/
0
 
jonorossi Commented:
BlackTigerX, I assume you meant XSS, which is the acronym for Cross Site Scripting. ASP.NET prevents any of these attacks as long as you don't turn off the checking.

DoS attacks are prevented by proper firewalls which filter the traffic by user, type of request, etc. The really good ones will be able to detect distributed attacks because by nature they will be similar. However there is the chance they are not similar and the zombies (machines used for the attack) may only be requesting pages every few seconds so it may seem like a normal user. If you are not hosting the site yourself this is out of your control unless you have colocation hosting.

As BlackTigerX said, SQL injection is a big one that many sites are widely open to.

This article details how to test your site for the most common attacks:
ASP.NET Security: 8 Ways to Avoid Attack (http://www.devx.com/security/Article/20898)

Hope that helps, Jono
0
 
ba272 (Author) Commented:
Thanks,

Could you give me an example of a parameterized query?  

I have not as yet written a stored procedure (probably should learn).  Does Access support stored procedure?

Thanks,
Bob
0
 
jonorossi Commented:
You would do something like this in your code so that if the UserId contains malicious SQL instead of a user ID then it wouldn't work:

[code]
// @UserId is a named placeholder; the value is bound separately and never parsed as SQL
string sql = "SELECT * FROM Users WHERE UserId = @UserId";
...
myCommandObject.Parameters.Add(new SqlParameter("@UserId", txtUserId.Text));
[/code]

Most people say that Access does not support Stored Procedures but it does have support for them. They are called queries but are not used very often. You do not need to learn to write stored procedures; parameterized queries give you one way to enhance security without the effort that SPs have.
0
 
BlackTigerX Commented:
bottom line, there is no such thing as "security", but you can make it a heck more difficult, such that most (wannabe) hackers will be discouraged, definitely you want to use a Firewall, that will help a lot

jonorossi- yes, the most commonly used abbreviation is XSS, but it is referred to (old school I guess) as CSS sometimes
http://www.google.com/search?hl=en&lr=&q=define%3AXSS&btnG=Search
0
 
jonorossi Commented:
>>"bottom line, there is no such thing as "security""
You mean there is no such thing as a completely 'secure' application. You are absolutely right, there is no possible way for an app to be secure unless it does nothing, but even then it could allow access into the OS.

@BlackTigerX: I was unaware it was ever called CSS, I can see why they changed it because it would be so confusing.
0
 
gregoryyoung Commented:
Just to add a bit to this ..

Considering the mono project runs .NET websites in Linux you can in fact run your .NET apps on a unix box.

http://www.mono-project.com/

Cheers,

Greg
0
 
ba272 (Author) Commented:
Greg,

Does this make the site any more secure?  I am not invested in Linux at the moment, and would only consider it if there was a definitive improvement to site security.

Thanks,
Bob
0
 
gregoryyoung Commented:
One could argue that the default install of OpenBSD is more secure than the default install of win 2k3 but the system administrator is much more important :)

One could also argue that the ability to run from read only media could make the BSD system more secure.

The real place to be looking at security though (as already discussed) is the application and the system configuration.

Cheers,

Greg
0
 
jonorossi Commented:
If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it. For example, if you know Windows Server 2003 inside out you would be silly to go and set up Linux if you didn't know much about it.

The same with the application platform, if you don't know anything about PHP or Java and you know heaps about ASP.NET then you will find it easier to secure ASP.NET because you are more productive in that platform.

What I have said may not always be true, some web application platforms are hard to secure (eg. classic ASP) and it might be worth your while to upgrade to ASP.NET just for security. However that said, it doesn't mean it will be more secure because if you don't use the ASP.NET Web Server Controls then ASP.NET won't be checking the values in the fields to prevent XSS; there would be other things too.

'Gilb’s Laws Of Unreliability', the 4th one is:
"Investment in reliability will increase until it exceeds the probable cost of errors, or until someone insists on getting some useful work done."

This is very similar to security, you can spend heaps on making your app very secure but your app is useless if it doesn't ship or doesn't do what the customer wants.

I hope we have all enlightened you to how many security considerations there are when developing software. As always you will have some unknown security holes when you deploy your app because that is just how software is developed.

Jono
0
 
BlackTigerX Commented:
"Does this make the site any more secure?"
I don't think so
again, most of the exploits come from the page code itself, the practices you use etc
0
 
BlackTigerX Commented:
and this is very true
"If you are hosting it yourself should use the platform you are most familiar with or you will have a hard time securing it."

don't go thinking that just because you use Linux you are going to be more secure, it can very well be quite the opposite; on most of the security holes, the problem is not on the tools, but in how the tools are used or configured
0