What Is Your Secureiq?

True

False

Don’t do anything, turn stuff on, add features unless you absolutely need them. Anything you do adds additional risk; the most secure system is one that doesn’t do anything at all.

Grant users only the minimum required access they need in order to perform the business function.

Two security gates are better than one.

In the failure scenario don’t open the system to attack.

Setting max length on ASP.NET and HTML input controls

Using ASP.NET validation controls (RequiredFieldValidation, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator) to constrain user input via ASP.NET input controls as much as possible.

Constraining user input to a white list (list of acceptable characters).

Constraining user input to a black list (list of all un acceptable characters).

Response.Write(InputText.Text);

Response.Write(HttpUtility.HtmlEncode(InputText.Text));

Response.Write(MyCustomFunctionRemoveBadChars(InputText.Text));

When another user's credentials are stolen and used to connect to a sql database.

When a hacker gets access to the database and modifies data in the database.

When user input is used to alter a SQL statement to perform an unintended action.

When a hacker gets access to the database and modifies stored procedures in the database.

Unauthorized access of data to select, update, delete

Deletion or modification of database objects

Deletion of all files on the database server.

Data corruption

Use paramaterized queries.

Constrain user input to known valid data.

Connect to the database with a low privileged account.

Connect to the database with a high privileged account.

Implement client side javascript validation on a method, server side validation on the server method.

Implement client side javascript validation on a method only.

Defense in depth.

Fail securely.

Keep it simple to Minimize the Attack Surface Area.

Reluctance to trust.