ASP a secure application tool?

[aimskee]

How secure is ASP? I have to follow many strict confidentiality rules in a database application, and I'm trying to decide between a standalone program using FoxPro, or an ASP web-based app using Access or SQL Server. I like the idea of it being web-based because information can be shared between people in different places quite easily. But if there are too many security holes I don't want to go that route.
Can anyone provide me with some feedback?

 

[pansophic]

I don't think that one approach is necessarily more secure than the other. Any time that you network a database you are opening up yourself for some potentially grave mishaps. A lot of people prefer the ASP method because it allows you to protect the database server itself. You can put the database server in a protected area of the DMZ, and never allow connections from outside the firewall to the database itself.

If you implement proper controls on the ASP page, you can limit how users can interact with the database. But you can't always predict how people will manipulate the data that they send you, or what result that might have on the database.

You might want to do a little research on securing Web apps before you proceed. Here are a couple good references on the subject:

http://www.securityfocus.com/infocus/1688

http://www.securityfocus.com/infocus/1704

pansophic

 

[aimskee]

thanks! I will do some research. I'm glad you think ASP is a possibly good way to go though, since I like working with it.

 

[chiph]

ASP isn't the weak point in any implementation of the technology - it's always the IIS web server that the admin failed to close holes/patch the software/etc.

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first

 

[aimskee]

good point. Another thing I am thinking of is using open source software. Is it considered open source if you give the target your source code, or only if the software is free? For instance, Apache and SUN have free downloads to build in Java and JSP. My boss would prefer me to build in open source as I work in a non-profit and they have the view that the software and source code should be available to all. Given that, what software is out there that is relatively easy to use? I know ASP much better than the Java technologies, but that may be the way I'll have to go.

 

[pansophic]

Open Source is always a nice way to go. There are numerous open source licenses that you can use to make sure that you get credit for the work, like GPL (GNU Public License) or MPL (Mozilla Public License).

Open Source means just that, you offer the source code for your project for free. People can use it, extend it and even modify it without cost. I would suggest that if you want it to be Open Source that you consider publishing it on SourceForge.

But the language that you develop in is irrelevant as far as Open Source is concerned. It just means that YOUR source is open, not that the compiler is open also. ASP is a perfectly acceptable language (if you really want to call it that) to produce open source software.


pansophic

 

[aimskee]

Thanks this really clarifies it. Now I can look into any number of possibilities as long as I make a decision before long. You've opened my mind!

 

[chiph]

To be OpenSource, you need to distribute your source code & documentation along with your application. If you just intend to supply the binaries (executables, etc), then it's called "freeware".

See more at:

http://www.fsf.org/licenses/licenses.html

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first

 

[aimskee]

thanks! I will go to the link you gave me to further explore...
Aimskee