Is ASP.NET MVC appropriate for highly-secure public-facing sites?

I'm looking at using ASP.NET MVC for a current project but I have some concerns regarding security.

The site is public-facing through HTTPS and is required to be very secure. Are there any legitimate re开发者_JAVA百科asons why I should avoid ASP.NET MVC? Is there anything I need to be aware of if I go down this path?

Firstly, Microsoft would have developed the ASP.net MVC framework using their SDL processes which includes security from the beginning. Secondly, it is already used in some popular sites:

Live.com / Hotmail

• "Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC".

The above is a document that describes Microsoft's experiences using ASP.net MVC on their live.com sites. It also details some security best-practice guidelines.

Stackoverflow

The stackoverflow family of sites also run ASP.net MVC and receive lots of traffic. In the podcasts there have been quite a few mentions to SO users that have tried to subvert the site in various ways. It lead to the introduction of the hacker badge.

ASP.net vs ASP.net MVC

• Take Charge of Your Security - Phil Haack compares ASP.net to ASP.net MVC

Summary

So it should be perfectly safe to use if you follow best practice.

ASP.NET MVC is perfectly acceptable to use on a public facing website. You just need to follow standard security principals, but nothing in the platform will prevent this.

Are there any legitimate reasons why I should avoid ASP.NET MVC?

No. If you follow basic security practices.

Is there anything I need to be aware of if I go down this path?

One of the important things you should be aware of is the automatic data-binding.
This can be very dangerous if you do not watch it.

More information I wrote in by blog here.

I've had to wrestle with this recently. What I came to, was that besides the "icky" factor of having database ID's on plain view, I believe that there is no reason that an ASP.NET/MVC app can't be secure.

I have read that certain security features that are "baked in" to asp.net Web Forms that you will have to add yourself by hand when doing MVC apps. I recently asked a similar questions, and the answers there may be useful.

Asp.NET MVC Customer Application

As with any new technology, you'll need to spend some time learning MVC to understand how to use it securely. Since it is more bare-metal than ASP.NET web forms, you do have more opportunity to shoot yourself in the foot if you are not careful.

For example:

• With WebForms you typically do not worry about Cross Site Request Forgery attacks because the mitigation is handled for you (via hidden viewstate data). With ASP.NET MVC you need handle this yourself by embedding a secure token in your form and validating it in your controller... the framework provides helpers (Html.AntiForgeryToken function) but you still need to know when to use it.

• The automatic Model binding features of MVC are very useful, however you need to understand how binding works to protect against potential malicious data coming into your controller. Again, MVC offers mitigation options (explicit binding), but you still need to know when and how to use it.

These are just tools and techniques specific to MVC, every framework will have their own set of them.

As far as security is concerned, I think the framework you use is much less important than having a thorough understanding of general security issues as well as your own application's threat model.