Security Measures For Applications Which Deal With Users Private Information
I am currently working on an ASP.NET 3.5 and C# web application which deals with users' private information like SSN numbers. What are some of the security measures which I need to take from an application development standpoint to feel safe?
To secure your application you will need to understand the threats it will face and then develop appropriate mitigation techniques. A good place to start would be by creating a threat model.
Have a look at some of these resources:
- How To: Create a Threat Model for a Web Application at Design Time
- Web Application Exploits and Defenses
- Web Security: Are You Part Of The Problem?
- OWASP
If you will require sensitive information from the user by a web form it should be protected by SSL (https url). This helps you to secure the communication channel between the browser and your server.
You shouldn't store private and sensitive information in your database unless it's strictly necessary, and if you have to do it, of course you have to store it encrypted.
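One way to do the "store it encrypted" part on the .NET 3.5 stack the question mentions. This is an added example, not code from the answer above: it encrypts a field such as an SSN with AES-CBC under a random per-record IV and then authenticates IV plus ciphertext with HMAC-SHA256 (encrypt-then-MAC), so a tampered row is rejected before decryption. The key byte arrays are assumed to come from a protected store (for example an encrypted web.config section or DPAPI); the random keys generated in Demo stand in for that and are not a key-management scheme. The class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: encrypt-then-MAC protection for a sensitive database field.
// Blob layout: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
public static class SsnProtector
{
    private const int IvLength = 16;
    private const int TagLength = 32;

    public static byte[] Protect(string ssn, byte[] encKey, byte[] macKey)
    {
        if (ssn == null) throw new ArgumentNullException("ssn");
        byte[] plaintext = Encoding.UTF8.GetBytes(ssn);
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = encKey;           // 32-byte key assumed (AES-256)
            aes.GenerateIV();           // fresh IV per record: equal SSNs give different ciphertexts
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] body = new byte[IvLength + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvLength);
            Buffer.BlockCopy(cipher, 0, body, IvLength, cipher.Length);

            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(body);
                byte[] blob = new byte[body.Length + TagLength];
                Buffer.BlockCopy(body, 0, blob, 0, body.Length);
                Buffer.BlockCopy(tag, 0, blob, body.Length, TagLength);
                return blob;
            }
        }
    }

    public static string Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob == null || blob.Length < IvLength + TagLength)
            throw new CryptographicException("Malformed blob");
        int bodyLength = blob.Length - TagLength;

        // Verify the tag first; never decrypt data that fails authentication.
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLength);
            if (!FixedTimeEquals(expected, blob, bodyLength))
                throw new CryptographicException("Authentication tag mismatch");
        }

        byte[] iv = new byte[IvLength];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLength);
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = encKey;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(blob, IvLength, bodyLength - IvLength);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    // Compare without short-circuiting so the comparison time does not leak tag bytes.
    private static bool FixedTimeEquals(byte[] expected, byte[] blob, int offset)
    {
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ blob[offset + i];
        return diff == 0;
    }

    // Demo only: real keys must be loaded from a protected store, not generated per run.
    public static void Demo()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(encKey);
        rng.GetBytes(macKey);

        byte[] blob = Protect("000-00-0000", encKey, macKey); // constructed sample value
        Console.WriteLine(Unprotect(blob, encKey, macKey));    // round-trips to the input

        blob[blob.Length - 1] ^= 0x01;                         // flip one tag bit
        try { Unprotect(blob, encKey, macKey); }
        catch (CryptographicException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

For the transport half of the answer, the ASP.NET side of "protect it by SSL" is mostly configuration: in web.config, `<httpCookies requireSSL="true" />` and `<forms requireSSL="true" />` keep session and authentication cookies off plain HTTP, so the encrypted-at-rest field is not undone by a cookie captured in transit.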
Well, besides the obvious issue of using encryption, I've been told that it's a good practice to avoid having the user's state as part of a class, especially in an external code library.
E.g. instead of this:

    Imports System.Data

    Public Class secretClass
        Private _ssn As String

        Public Sub New(ByVal ssn As String)
            _ssn = ssn
        End Sub

        Public Function getMedicalHistory() As DataSet
            ' Get private information for the stored _ssn
            Return Nothing
        End Function
    End Class

Use this:

    Imports System.Data

    Public Class secretClass
        Public Sub New()
        End Sub

        Public Function getMedicalHistory(ByVal p_ssn As String) As DataSet
            ' Get private information for the SSN passed in; nothing is kept on the object
            Return Nothing
        End Function
    End Class
By doing this, you make it more difficult for a malicious hacker to steal private information by somehow gaining control of the secretClass object.
Disable remote logon to your database, use several code analysis tools (code coverage and static analyzers), force strong password requirements for logging into the systems, encrypt all data with at least an SHA-1 encryption scheme; MD5 is found to be far too weak according to government requirements.
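On the "strong password requirements" and hashing points above, here is how stored credentials are typically protected in .NET without relying on a bare MD5 or SHA-1 digest. This is an added example, not code from the answer: it uses `Rfc2898DeriveBytes` (PBKDF2, available since .NET 2.0) with a random 16-byte salt and an iteration count, stores salt and hash together, and verifies with a fixed-time comparison. The iteration count and the password policy in `MeetsMinimumPolicy` are assumed values for illustration, not figures from the page.

```csharp
using System;
using System.Security.Cryptography;

// Added example: salted, iterated password hashing plus a minimal policy check.
public static class PasswordHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 10000; // assumed cost; raise it as hardware allows

    // Returns Base64(salt || PBKDF2(password, salt)). Store this string, never the password.
    public static string HashPassword(string password)
    {
        if (password == null) throw new ArgumentNullException("password");
        byte[] salt = new byte[SaltSize];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(salt);

        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] hash = kdf.GetBytes(HashSize);

        byte[] stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, stored, SaltSize, HashSize);
        return Convert.ToBase64String(stored);
    }

    // Recomputes the hash with the stored salt and compares without early exit.
    public static bool Verify(string password, string storedBase64)
    {
        if (password == null || storedBase64 == null) return false;
        byte[] stored;
        try { stored = Convert.FromBase64String(storedBase64); }
        catch (FormatException) { return false; }
        if (stored.Length != SaltSize + HashSize) return false;

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] hash = kdf.GetBytes(HashSize);

        int diff = 0;
        for (int i = 0; i < HashSize; i++)
            diff |= hash[i] ^ stored[SaltSize + i];
        return diff == 0;
    }

    // Assumed example policy: at least 12 characters drawn from three character classes.
    public static bool MeetsMinimumPolicy(string password)
    {
        if (password == null || password.Length < 12) return false;
        bool lower = false, upper = false, digit = false, other = false;
        foreach (char c in password)
        {
            if (char.IsLower(c)) lower = true;
            else if (char.IsUpper(c)) upper = true;
            else if (char.IsDigit(c)) digit = true;
            else other = true;
        }
        int classes = (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
        return classes >= 3;
    }

    public static void Demo()
    {
        string candidate = "Correct-Horse-Battery-9"; // constructed sample value
        Console.WriteLine(MeetsMinimumPolicy(candidate));   // True
        string record = HashPassword(candidate);
        Console.WriteLine(Verify(candidate, record));        // True
        Console.WriteLine(Verify("wrong password", record)); // False
    }
}
```

Two records of the same password will differ because each call draws a new salt, so comparing stored hashes across accounts reveals nothing; the only supported operation is `Verify` against a supplied password.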