Solved

Can a .NET website be as secure as a Linux website

Posted on 2006-06-27
14
406 Views
Last Modified: 2010-04-16
Hi,

I am a C# developer and wonder, can a .NET website be as secure as a Linux website?  I was wondering if it is worth brushing up on my Java, and getting FoxServer, MySQL going again, etc.

What are your thoughts?

Can anything be done for denial of service attacks?
I'm not very worried about the effort of re-learning Linux.  I simply want the toughest site possible.  Also, a Linux site is more transportable, right?

Thanks,
Bob
0
Comment
Question by:ba272
14 Comments
 
LVL 13

Accepted Solution

by:
BlackTigerX earned 300 total points
ID: 16998353
the technology used to develop a website has little to do with the security of the site; you can make a secure or insecure site using any language and hosting it on any web server

IIS itself has been very stable and has had way less security problems than Apache

some languages tend to make the programmers make more errors, lately PHP has been identified as one of those languages

in .NET they have put a big effort to make applications secure, I don't think you should base your criteria on the language, you should use whatever you feel more comfortable using, on the other hand you can be way more productive using Visual Studio and C# than PHP or most other tools

about making the site more transportable?... I think .NET is much more robust and stable in its versioning, you don't have so many versions of so many different components (Linux, Apache, PHP, Java, MySQL)
0
 

Author Comment

by:ba272
ID: 16998397
great!  That's the answer I was hoping for.  I'm very comfortable with .NET and could do it much more easily in C#.

What kinds of security considerations are there?  What about a denial of service attack?  What other things can be done to make a site as secure as humanly possible?

0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 16998481
there is pretty "nothing" you can do against DOS attacks, that simple, any OS, any server, any site can be taken down with DOS, especially DDOS (distributed DOS), as long as the site itself doesn't have a problem that allows for DOS attacks

there are too many things to worry about when talking about security, it depends on the nature of the site, but some of the most important are:

Sniffers between the site and the users accessing it - use SSL
CSS (cross site scripting) - disallow the use of all scripting by default, and allow only what is required
SQL Injection - use stored procedures or parameterized queries to prevent these
- always check any data coming from the user
- identify critical areas of the application and test more thoroughly those areas

http://ebersys.blogspot.com/
0

 
LVL 9

Assisted Solution

by:jonorossi
jonorossi earned 100 total points
ID: 16998549
BlackTigerX, I assume you meant XSS which is the acronym for Cross Site Scripting. ASP.NET prevents any of these attacks as long as you don't turn off the checking.

DoS attacks are prevented by proper firewalls which filter the traffic by user, type of request, etc. The really good ones will be able to detect distributed attacks because by nature they will be similar. However there is the chance they are not similar and the zombies (machines used for the attack) may only be requesting pages every few seconds so it may seem like a normal user. If you are not hosting the site yourself this is out of your control unless you have colocation hosting.

As BlackTigerX said, SQL injection is a big one that many sites are widely open to.

This article details how to test your site for the most common attacks:
ASP.NET Security: 8 Ways to Avoid Attack (http://www.devx.com/security/Article/20898)

Hope that helps, Jono
0
 

Author Comment

by:ba272
ID: 16998613
Thanks,

Could you give me an example of a parameterized query?  

I have not as yet written a stored procedure (probably should learn).  Does Access support stored procedure?

Thanks,
Bob
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 16998648
You would do something like this in your code so that if the UserId contains malicious SQL instead of a user ID then it wouldn't work:

[code]
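// The value is bound as a parameter, never concatenated into the SQL text.
string sql = "SELECT * FROM Users WHERE UserId = @UserId";
// ... create myCommandObject (a SqlCommand) from sql and an open connection ...
myCommandObject.Parameters.Add(new SqlParameter("@UserId", txtUserId.Text));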
[/code]

Most people say that Access does not support Stored Procedures but it does have support for them. They are called queries but are not used very often. You do not need to learn to write stored procedures; parameterized queries give you one way to enhance security without the effort that SPs have.
0
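The difference between concatenating the UserId into the SQL text and binding it as a parameter, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 with a constructed in-memory Users table so it runs without a database server; the function names, sample rows and the 1-9 digit ID format are assumptions.

```python
import re
import sqlite3

# Constructed hostile input: a quote followed by an always-true condition.
CONSTRUCTED_INPUT = "x' OR '1'='1"

def make_db():
    # Constructed sample data standing in for the Users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserId TEXT PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return db

def lookup_concatenated(db, user_id):
    # Vulnerable 'before': the input becomes part of the SQL statement,
    # so a quote in it changes the structure of the WHERE clause.
    sql = "SELECT Name FROM Users WHERE UserId = '" + user_id + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_parameterized(db, user_id):
    # Hardened form: the SQL text is fixed; the driver passes the value
    # separately, so it is only ever compared as data.
    sql = "SELECT Name FROM Users WHERE UserId = ?"
    return sorted(row[0] for row in db.execute(sql, (user_id,)))

def lookup_validated(db, user_id):
    # Input check on top of binding (assumed ID format: 1-9 ASCII digits).
    if not re.fullmatch(r"[0-9]{1,9}", user_id):
        raise ValueError("UserId must be 1-9 digits")
    return lookup_parameterized(db, user_id)

def demo():
    db = make_db()
    return {
        "normal, concatenated": lookup_concatenated(db, "2"),
        "normal, parameterized": lookup_parameterized(db, "2"),
        "hostile, concatenated": lookup_concatenated(db, CONSTRUCTED_INPUT),
        "hostile, parameterized": lookup_parameterized(db, CONSTRUCTED_INPUT),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

With the constructed input, the concatenated query returns every row in the table, while the parameterized query returns none because no UserId equals that literal string.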
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 16998723
bottom line, there is no such thing as "security", but you can make it a heck more difficult, such that most (wannabe) hackers will be discouraged, definitely you want to use a Firewall, that will help a lot

jonorossi- yes, the most commonly used abbreviation is XSS, but it is referred to (old school I guess) as CSS sometimes
http://www.google.com/search?hl=en&lr=&q=define%3AXSS&btnG=Search
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 16998797
>>"bottom line, there is no such thing as "security""
You mean there is no such thing as a completely 'secure' application. You are absolutely right, there is no possible way for an app to be secure unless it does nothing, but even then it could allow access into the OS.

@BlackTigerX: I was unaware it was ever called CSS, I can see why they changed it because it would be so confusing.
0
 
LVL 37

Assisted Solution

by:gregoryyoung
gregoryyoung earned 100 total points
ID: 17003735
Just to add a bit to this ..

Considering the mono project runs .NET websites in linux you can in fact run your .NET apps on a unix box.

http://www.mono-project.com/

Cheers,

Greg
0
 

Author Comment

by:ba272
ID: 17004106
Greg,

Does this make the site any more secure?  I am not invested in Linux at the moment, and would only consider it if there was a definitive improvement to site security.

Thanks,
Bob
0
 
LVL 37

Expert Comment

by:gregoryyoung
ID: 17004266
One could argue that the default install of OpenBSD is more secure than the default install of win 2k3 but the system administrator is much more important :)

One could also argue that the ability to run from read only media could make the BSD system more secure.

The real place to be looking at security though (as already discussed) is the application and the system configuration.

Cheers,

Greg
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 17006801
If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it. For example, if you know Windows Server 2003 inside out you would be silly to go and set up Linux if you didn't know much about it.

The same with the application platform, if you don't know anything about PHP or Java and you know heaps about ASP.NET then you will find it easier to secure ASP.NET because you are more productive in that platform.

What I have said may not always be true, some web application platforms are hard to secure (eg. classic ASP) and it might be worth your while to upgrade to ASP.NET just for security. However that said, it doesn't mean it will be more secure because if you don't use the ASP.NET Web Server Controls then ASP.NET won't be checking the values in the fields to prevent XSS; there would be other things too.

'Gilb’s Laws Of Unreliability', the 4th one is:
"Investment in reliability will increase until it exceeds the probable cost of errors, or until someone insists on getting some useful work done."

This is very similar to security, you can spend heaps on making your app very secure but your app is useless if it doesn't ship or doesn't do what the customer wants.

I hope we have all enlightened you to how many security considerations there are when developing software. As always you will have some unknown security holes when you deploy your app because that is just how software is developed.

Jono
0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 17011077
"Does this make the site any more secure?"
I don't think so
again, most of the exploits come from the page code itself, the practices you use etc
0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 17011094
and this is very true
"If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it."

don't go thinking that just because you use Linux you are going to be more secure, it can very well be quite the opposite; on most of the security holes, the problem is not on the tools, but in how the tools are used or configured
0
