Addressing Web Application Security threats through Visual Studio

Source: Internet
Author: User
Tags: visual studio

For web application developers, performance and security are the two swords hanging over their hearts. Web applications are particularly exposed to attack because of the particular nature of their user base. Taking ASP.NET with Visual Studio as the example, this article discusses how to deal effectively with the security threats a web application faces.

I. Analysis of major security threats.

A web application faces a number of possible security threats, such as spoofing and tampering. This section explains some of the common ones, as background for the countermeasures described later.

The first threat is tampering: changing or deleting a resource without the administrator's authorization. Reports that a site was attacked and its home page defaced beyond recognition have been common recently. The tampering itself is not very difficult; the essential step is obtaining the relevant permissions, after which a script can do the rest. The usual countermeasure is to use the Windows operating system's security mechanisms to lock down files, directories and other resources. Proper permission management is also essential: a web application, for example, should run with the minimum privileges it needs.

The second threat is spoofing (electronic deception). Put simply, spoofing is impersonating a user or a process without authorization, for example by illegitimately entering another user's credentials, or by altering the contents of a cookie in order to pose as a legitimate user. A strict authentication mechanism is usually the way to deal with this kind of spoofing. In other words, whenever a user requests access to non-public information, such as an enterprise's internal OA system or mail system hosted on the corporate web site, a rigorous authentication mechanism must confirm that the user's identity is legitimate, and in particular that their real identity matches the identity they claim. As the illustration shows, the identity a user claims sometimes does not match their real identity (the claimed identity is counterfeit). Here the authentication mechanism, following defined rules, judges how closely the "claimed identity" agrees with the "true identity": if they match, the request can be granted; if they do not, it is rejected.

The third threat is denial of service. A denial-of-service attack is a deliberate attempt to reduce the availability of the application: if there is a way to overload the web application, it can no longer serve ordinary users. As a vivid picture, imagine renting thousands of small QQ cars and driving them back and forth along a narrow road; with the road occupied, no other car can get through. Denial of service is often a spiteful act. To guard against it, an ordinary business can limit the number of service requests, deny access to known malicious users and IP addresses, and so on.

Besides these threats, there may be others, such as elevation of privilege, information disclosure and repudiation. Designing a secure web application is difficult. Although I am not an expert in this area, I do have some experience of my own, and I offer it here for readers' reference.
