Solved

Can a .NET website be as secure as a Linux website

Posted on 2006-06-27
Last Modified: 2010-04-16
Hi,

I am a C# developer and wonder, can a .NET website be as secure as a Linux website?  I was wondering if it is worth brushing up on my Java, and getting FoxServer, MySQL going again, etc.

What are your thoughts?

Can anything be done for denial of service attacks?
I'm not very worried about the effort of re-learning Linux.  I simply want the toughest site possible.  Also, a Linux site is more transportable, right?

Thanks,
Bob
Question by:ba272
14 Comments
 
LVL 13

Accepted Solution

by:
BlackTigerX earned 300 total points
the technology used to develop a website has little to do with the security of the site; you can make a secure or insecure site using any language and hosting it on any web server

IIS itself has been very stable and has had way less security problems than Apache

some languages tend to make the programmers make more errors, lately PHP has been identified as one of those languages

in .NET they have put a big effort to make applications secure, I don't think you should base your criteria on the language, you should use whatever you feel more comfortable using, on the other hand you can be way more productive using Visual Studio and C# than PHP or most other tools

about making the site more transportable?... I think .NET is much more robust and stable in its versioning, you don't have so many versions of so many different components (Linux, Apache, PHP, Java, MySQL)
0
 

Author Comment

by:ba272
great!  That's the answer I was hoping for.  I'm very comfortable with .NET and could do it much more easily in C#.

What kinds of security considerations are there?  What about a denial of service attack?  What other things can be done to make a site as secure as humanly possible?

0
 
LVL 13

Expert Comment

by:BlackTigerX
there is pretty much "nothing" you can do against DOS attacks, that simple, any OS, any server, any site can be taken down with DOS, especially DDOS (distributed DOS), as long as the site itself doesn't have a problem that allows for DOS attacks

there are too many things to worry about when talking about security, it depends on the nature of the site, but some of the most important are:

Sniffers between the site and the users accessing it - use SSL
CSS (cross site scripting) - disallow the use of all scripting by default, and allow only what is required
SQL Injection - use stored procedures or parameterized queries to prevent these
- always check any data coming from the user
- identify critical areas of the application and test those areas more thoroughly

http://ebersys.blogspot.com/
0
 
LVL 9

Assisted Solution

by:jonorossi
jonorossi earned 100 total points
BlackTigerX, I assume you meant XSS which is the acronym for Cross Site Scripting. ASP.NET prevents any of these attacks as long as you don't turn off the checking.

DoS attacks are prevented by proper firewalls which filter the traffic by user, type of request, etc. The really good ones will be able to detect distributed attacks because by nature they will be similar. However there is the chance they are not similar and the zombies (machines used for the attack) may only be requesting pages every few seconds so it may seem like a normal user. If you are not hosting the site yourself this is out of your control unless you have colocation hosting.

As BlackTigerX said, SQL injection is a big one that many sites are widely open to.

This article details how to test your site for the most common attacks:
ASP.NET Security: 8 Ways to Avoid Attack (http://www.devx.com/security/Article/20898)

Hope that helps, Jono
0
 

Author Comment

by:ba272
Thanks,

Could you give me an example of a parameterized query?  

I have not as yet written a stored procedure (probably should learn).  Does Access support stored procedures?

Thanks,
Bob
0
 
LVL 9

Expert Comment

by:jonorossi
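You would do something like this in your code so that if the UserId contains malicious SQL instead of a user ID then it wouldn't work:

[code]
// The value is passed as a parameter, never concatenated into the SQL text.
// SqlClient uses named placeholders, so the SQL refers to @UserId.
string sql = "SELECT * FROM Users WHERE UserId = @UserId";
...
myCommandObject.Parameters.Add(new SqlParameter("@UserId", txtUserId.Text));
[/code]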

Most people say that Access does not support Stored Procedures but it does have support for them. They are called queries but are not used very often. You do not need to learn to write stored procedures; parameterized queries give you one way to enhance security without the effort that SPs have.
0
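For the Access case asked about above, an added example (not code from any poster in this thread) showing a concatenated query beside its parameterized form with `System.Data.OleDb`, whose placeholders are positional `?`. The file name `site.mdb`, the ACE provider string and the `Users(UserId, UserName)` table are assumptions.

```csharp
using System;
using System.Data.OleDb;

static class UserLookup
{
    // Assumption: an Access file site.mdb with a table Users(UserId TEXT, UserName TEXT).
    const string ConnStr = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=site.mdb";

    // Vulnerable form: the input becomes part of the SQL text, so a quote
    // character in userId changes the structure of the statement.
    static string ConcatenatedSql(string userId)
    {
        return "SELECT UserName FROM Users WHERE UserId = '" + userId + "'";
    }

    // Parameterized form: the SQL text is constant and the value travels
    // separately. OleDb placeholders are positional '?'; the parameter name
    // is only a label, so parameters must be added in placeholder order.
    static OleDbCommand BuildParameterized(OleDbConnection conn, string userId)
    {
        var cmd = new OleDbCommand(
            "SELECT UserName FROM Users WHERE UserId = ?", conn);
        cmd.Parameters.Add("@UserId", OleDbType.VarWChar, 50).Value = userId;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: a normal id and one containing quotes.
        string[] inputs = { "bob", "x' OR '1'='1" };
        using (var conn = new OleDbConnection(ConnStr))
        {
            conn.Open();
            foreach (string input in inputs)
            {
                // Shown only to compare the SQL text; this string is never executed.
                Console.WriteLine("concatenated: " + ConcatenatedSql(input));
                using (var cmd = BuildParameterized(conn, input))
                using (var reader = cmd.ExecuteReader())
                {
                    int rows = 0;
                    while (reader.Read()) rows++;
                    // The whole input is compared as one literal UserId value.
                    Console.WriteLine("parameterized: {0} row(s), SQL = {1}",
                                      rows, cmd.CommandText);
                }
            }
        }
    }
}
```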
 
LVL 13

Expert Comment

by:BlackTigerX
bottom line, there is no such thing as "security", but you can make it a heck more difficult, such that most (wannabe) hackers will be discouraged, definitely you want to use a Firewall, that will help a lot

jonorossi- yes, the most commonly used abbreviation is XSS, but it is referred to (old school I guess) as CSS sometimes
http://www.google.com/search?hl=en&lr=&q=define%3AXSS&btnG=Search
0

 
LVL 9

Expert Comment

by:jonorossi
>>"bottom line, there is no such thing as "security""
You mean there is no such thing as a completely 'secure' application. You are absolutely right, there is no possible way for an app to be secure unless it does nothing, but even then it could allow access into the OS.

@BlackTigerX: I was unaware it was ever called CSS, I can see why they changed it because it would be so confusing.
0
 
LVL 37

Assisted Solution

by:gregoryyoung
gregoryyoung earned 100 total points
Just to add a bit to this ..

Considering the Mono project runs .NET websites in Linux you can in fact run your .NET apps on a unix box.

http://www.mono-project.com/

Cheers,

Greg
0
 

Author Comment

by:ba272
Greg,

Does this make the site any more secure?  I am not invested in Linux at the moment, and would only consider it if there was a definitive improvement to site security.

Thanks,
Bob
0
 
LVL 37

Expert Comment

by:gregoryyoung
One could argue that the default install of OpenBSD is more secure than the default install of win 2k3 but the system administrator is much more important :)

One could also argue that the ability to run from read only media could make the BSD system more secure.

The real place to be looking at security though (as already discussed) is the application and the system configuration.

Cheers,

Greg
0
 
LVL 9

Expert Comment

by:jonorossi
If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it. For example, if you know Windows Server 2003 inside out you would be silly to go and set up Linux if you didn't know much about it.

The same with the application platform, if you don't know anything about PHP or Java and you know heaps about ASP.NET then you will find it easier to secure ASP.NET because you are more productive in that platform.

What I have said may not always be true, some web application platforms are hard to secure (eg. classic ASP) and it might be worth your while to upgrade to ASP.NET just for security. However that said, it doesn't mean it will be more secure because if you don't use the ASP.NET Web Server Controls then ASP.NET won't be checking the values in the fields to prevent XSS; there would be other things too.

'Gilb’s Laws Of Unreliability', the 4th one is:
"Investment in reliability will increase until it exceeds the probable cost of errors, or until someone insists on getting some useful work done."

This is very similar to security, you can spend heaps on making your app very secure but your app is useless if it doesn't ship or doesn't do what the customer wants.

I hope we have all enlightened you to how many security considerations there are when developing software. As always you will have some unknown security holes when you deploy your app because that is just how software is developed.

Jono
0
 
LVL 13

Expert Comment

by:BlackTigerX
"Does this make the site any more secure?"
I don't think so
again, most of the exploits come from the page code itself, the practices you use etc
0
 
LVL 13

Expert Comment

by:BlackTigerX
and this is very true
"If you are hosting it yourself you should use the platform you are most familiar with or you will have a hard time securing it."

don't go thinking that just because you use Linux you are going to be more secure, it can very well be quite the opposite; on most of the security holes, the problem is not on the tools, but in how the tools are used or configured
0
