
Can a .NET website be as secure as a Linux website

Posted on 2006-06-27
Last Modified: 2010-04-16
Hi,

I am a C# developer and wonder, can a .NET website be as secure as a Linux website?  I was wondering if it is worth brushing up on my Java, and getting FoxServer, MySQL going again, etc.

What are your thoughts?

Can anything be done for denial of service attacks?
I'm not very worried about the effort of re-learning Linux.  I simply want the toughest site possible.  Also, a Linux site is more transportable, right?

Thanks,
Bob
Question by:ba272
LVL 13

Accepted Solution

by:
BlackTigerX earned 1200 total points
ID: 16998353
the technology used to develop a website has little to do with the security of the site; you can make a secure or insecure site using any language and hosting it on any web server

IIS itself has been very stable and has had way less security problems than Apache

some languages tend to make the programmers make more errors, lately PHP has been identified as one of those languages

in .NET they have put a big effort to make applications secure, I don't think you should base your criteria on the language, you should use whatever you feel more comfortable using, on the other hand you can be way more productive using Visual Studio and C# than PHP or most other tools

about making the site more transportable?... I think .NET is much more robust and stable in its versioning, you don't have so many versions of so many different components (Linux, Apache, PHP, Java, MySQL)
0
 

Author Comment

by:ba272
ID: 16998397
great!  That's the answer I was hoping for.  I'm very comfortable with .NET and could do it much more easily in C#.

What kinds of security considerations are there?  What about a denial of service attack?  What other things can be done to make a site as secure as humanly possible?

0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 16998481
there is pretty much "nothing" you can do against DOS attacks, that simple, any OS, any server, any site can be taken down with DOS, especially DDOS (distributed DOS), as long as the site itself doesn't have a problem that allows for DOS attacks

there are too many things to worry about when talking about security, it depends on the nature of the site, but some of the most important are:

Sniffers between the site and the users accessing it - use SSL
CSS (cross site scripting) - disallow the use of all scripting by default, and allow only what is required
SQL Injection - use stored procedures or parameterized queries to prevent these
- always check any data coming from the user
- identify critical areas of the application and test those areas more thoroughly

http://ebersys.blogspot.com/
0
 
LVL 9

Assisted Solution

by:jonorossi
jonorossi earned 400 total points
ID: 16998549
BlackTigerX, I assume you meant XSS which is the acronym for Cross Site Scripting. ASP.NET prevents any of these attacks as long as you don't turn off the checking.

DoS attacks are prevented by proper firewalls which filter the traffic by user, type of request, etc. The really good ones will be able to detect distributed attacks because by nature they will be similar. However there is the chance they are not similar and the zombies (machines used for the attack) may only be requesting pages every few seconds so it may seem like a normal user. If you are not hosting the site yourself this is out of your control unless you have colocation hosting.

As BlackTigerX said, SQL injection is a big one that many sites are widely open to.

This article details how to test your site for the most common attacks:
ASP.NET Security: 8 Ways to Avoid Attack (http://www.devx.com/security/Article/20898)

Hope that helps, Jono
0
 

Author Comment

by:ba272
ID: 16998613
Thanks,

Could you give me an example of a parameterized query?  

I have not as yet written a stored procedure (probably should learn).  Does Access support stored procedure?

Thanks,
Bob
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 16998648
You would do something like this in your code so that if the UserId contains malicious SQL instead of a user ID then it wouldn't work:

[code]
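// Named placeholder: the value is sent as data, never concatenated into the SQL text
string sql = "SELECT * FROM Users WHERE UserId = @UserId";
...
// SqlParameter (System.Data.SqlClient) binds by name, so the name must match the placeholder
myCommandObject.Parameters.Add(new SqlParameter("@UserId", txtUserId.Text));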
[/code]

Most people say that Access does not support Stored Procedures but it does have support for them. They are called queries but are not used very often. You do not need to learn to write stored procedures; parameterized queries give you one way to enhance security without the effort that SPs have.
0
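The difference between a concatenated and a parameterized query, as an added example that is not part of the original posts. It assumes the Microsoft.Data.Sqlite NuGet package and uses an in-memory SQLite database as a stand-in for the poster's database; the table, rows and method names are constructed for illustration. For the second input the concatenated form matches every row, while the parameterized form treats the whole string as a user ID and matches none.

```csharp
// Added example; requires the Microsoft.Data.Sqlite NuGet package (assumption).
using System;
using Microsoft.Data.Sqlite;

static class ParameterizedQueryDemo
{
    // Vulnerable form: user input becomes part of the SQL text itself.
    static long CountConcatenated(SqliteConnection conn, string userId)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE UserId = '" + userId + "'";
        return Convert.ToInt64(cmd.ExecuteScalar());
    }

    // Parameterized form: the SQL text is fixed, the input travels as a value.
    static long CountParameterized(SqliteConnection conn, string userId)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE UserId = @UserId";
        cmd.Parameters.AddWithValue("@UserId", userId);
        return Convert.ToInt64(cmd.ExecuteScalar());
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample data.
            setup.CommandText =
                "CREATE TABLE Users (UserId TEXT PRIMARY KEY, Name TEXT);" +
                "INSERT INTO Users VALUES ('alice', 'Alice'), ('bob', 'Bob');";
            setup.ExecuteNonQuery();
        }

        // One ordinary value and one constructed input containing SQL syntax.
        string[] inputs = { "alice", "x' OR '1'='1" };
        foreach (var input in inputs)
        {
            Console.WriteLine($"input: {input}");
            Console.WriteLine($"  concatenated:  {CountConcatenated(conn, input)} row(s)");
            Console.WriteLine($"  parameterized: {CountParameterized(conn, input)} row(s)");
        }
    }
}
```

With Access through the OleDb provider the placeholders are positional `?` markers bound in the order the parameters are added, whereas SqlClient binds `@Name` parameters by name.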
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 16998723
bottom line, there is no such thing as "security", but you can make it a heck more difficult, such that most (wannabe) hackers will be discouraged, definitely you want to use a Firewall, that will help a lot

jonorossi- yes, the most commonly used abbreviation is XSS, but it is referred to (old school I guess) as CSS sometimes
http://www.google.com/search?hl=en&lr=&q=define%3AXSS&btnG=Search
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 16998797
>>"bottom line, there is no such thing as "security""
You mean there is no such thing as a completely 'secure' application. You are absolutely right, there is no possible way for an app to be secure unless it does nothing, but even then it could allow access into the OS.

@BlackTigerX: I was unaware it was ever called CSS, I can see why they changed it because it would be so confusing.
0
 
LVL 37

Assisted Solution

by:gregoryyoung
gregoryyoung earned 400 total points
ID: 17003735
Just to add a bit to this ..

Considering the Mono project runs .NET websites in Linux you can in fact run your .NET apps on a Unix box.

http://www.mono-project.com/

Cheers,

Greg
0
 

Author Comment

by:ba272
ID: 17004106
Greg,

Does this make the site any more secure?  I am not invested in Linux at the moment, and would only consider it if there was a definitive improvement to site security.

Thanks,
Bob
0
 
LVL 37

Expert Comment

by:gregoryyoung
ID: 17004266
One could argue that the default install of OpenBSD is more secure than the default install of win 2k3 but the system administrator is much more important :)

One could also argue that the ability to run from read only media could make the BSD system more secure.

The real place to be looking at security though (as already discussed) is the application and the system configuration.

Cheers,

Greg
0
 
LVL 9

Expert Comment

by:jonorossi
ID: 17006801
If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it. For example, if you know Windows Server 2003 inside out you would be silly to go and set up Linux if you didn't know much about it.

The same with the application platform, if you don't know anything about PHP or Java and you know heaps about ASP.NET then you will find it easier to secure ASP.NET because you are more productive in that platform.

What I have said may not always be true, some web application platforms are hard to secure (eg. classic ASP) and it might be worth your while to upgrade to ASP.NET just for security. However that said, it doesn't mean it will be more secure because if you don't use the ASP.NET Web Server Controls then ASP.NET won't be checking the values in the fields to prevent XSS; there would be other things too.

'Gilb’s Laws Of Unreliability', the 4th one is:
"Investment in reliability will increase until it exceeds the probable cost of errors, or until someone insists on getting some useful work done."

This is very similar to security, you can spend heaps on making your app very secure but your app is useless if it doesn't ship or doesn't do what the customer wants.

I hope we have all enlightened you to how many security considerations there are when developing software. As always you will have some unknown security holes when you deploy your app because that is just how software is developed.

Jono
0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 17011077
"Does this make the site any more secure?"
I don't think so
again, most of the exploits come from the page code itself, the practices you use etc
0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 17011094
and this is very true
"If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it."

don't go thinking that just because you use Linux you are going to be more secure, it can very well be quite the opposite; on most of the security holes, the problem is not on the tools, but in how the tools are used or configured
0
