Very good article on MSDN about security practices and ASP.NET development… from the intro:
comments powered by Disqus
What do books, spy equipment, stocks, bicycles, and pet supplies have in common? All have been used by Microsoft as the basis for business-to-consumer Web-based samples applications. While two of these sample applications—Duwamish Books and Fitch & Mather Stocks (F&M)—originated in the classic COM era and, after a number of updates, now ship with the Enterprise versions of Microsoft Visual Studio .NET, an astoundingly large number of real commercial applications have been built on the IBuySpy e-commerce and related portal samples. And while PetShop 3.0 claims to demonstrate “an enterprise architecture for building .NET Web Applications” that “follows Microsoft Prescriptive Architecture Guidelines,” it is doubtful that many production applications have been built using it: Its entire reason for existence is to be a .NET version of the Sun Microsystems Pet Store application.
While almost all e-commerce applications share a number of common design characteristics—for example, catalog browsing, validated logon, and shopping carts—what tends to be a differentiating factor (other than the products sold) is their treatment of customer-specific data. And customer data goes hand-in-hand with security. Many developers assume that these sample applications—designed to serve as templates for developers writing real-world applications—would showcase the “best practices” for such important non-functional aspects as performance, scalability, and security. Unfortunately, in order to be easily installed and examined on developers’ workstations, these samples incorporate a number of omissions and simplifications, and this is particularly true in the area of security. While additional security measures are described in the documentation that accompanies these samples, this critical information is easy to overlook.