Andrew Connell

MSDN: Guidance on Patterns & Practices: Security

A very good article on MSDN about security practices in ASP.NET development. From the intro:

What do books, spy equipment, stocks, bicycles, and pet supplies have in common? All have been used by Microsoft as the basis for business-to-consumer Web-based sample applications. While two of these sample applications—Duwamish Books and Fitch & Mather Stocks (F&M)—originated in the classic COM era and, after a number of updates, now ship with the Enterprise versions of Microsoft Visual Studio .NET, an astoundingly large number of real commercial applications have been built on the IBuySpy e-commerce and related portal samples. And while PetShop 3.0 claims to demonstrate “an enterprise architecture for building .NET Web Applications” that “follows Microsoft Prescriptive Architecture Guidelines,” it is doubtful that many production applications have been built using it: Its entire reason for existence is to be a .NET version of the Sun Microsystems Pet Store application.

While almost all e-commerce applications share a number of common design characteristics—for example, catalog browsing, validated logon, and shopping carts—what tends to be a differentiating factor (other than the products sold) is their treatment of customer-specific data. And customer data goes hand-in-hand with security. Many developers assume that these sample applications—designed to serve as templates for developers writing real-world applications—would showcase the “best practices” for such important non-functional aspects as performance, scalability, and security. Unfortunately, in order to be easily installed and examined on developers’ workstations, these samples incorporate a number of omissions and simplifications, and this is particularly true in the area of security. While additional security measures are described in the documentation that accompanies these samples, this critical information is easy to overlook.

» Guidance on Patterns & Practices: Security

Andrew Connell
Developer & Chief Course Artisan, Voitanos LLC. | Microsoft MVP

Andrew Connell is a web developer with a focus on Microsoft Azure & Microsoft 365. He’s received Microsoft’s MVP award every year since 2005 and has helped thousands of developers through the various courses he’s authored & taught. Andrew’s the founder of Voitanos and is dedicated to delivering industry-leading on-demand video training to professional developers. He lives with his wife & two kids in Florida.