Arjang,

As an (ex) MVP in development security, a security engineer by day and a
wanna-be hacker by night, I strongly recommend that you pass your task to a
person specialized in that field. (No, I'm not that person and I don't take jobs, so
this is not a job ad.)

Security, just like performance or UI design, is a very specialized skill that
requires hours and days and months of training and practice to get right.

Way too often (back in the days when I was doing both high-performance and
security for sites) I've seen sites that "passed security reviews" that
I could hack through or attack in 10 minutes of sitting down, which included
getting myself a coffee and starting my laptop.
There is a multitude of things that can go wrong in security for a website,
starting with very, very simple things: SQL injection, XSS, CSRF, blind SQL injection.

Understanding these attacks, applying them, experiencing them, practicing them,
fixing them and then learning how to identify them takes time.
Don't go there (especially not in a commercial or consulting position) if
you don't have the skills. Practice, learn, apply, test, rinse, wash, repeat,
and then maybe get into that field.

My GP is a very smart guy and he always got me the right drugs for my flu,
but heck, I would not allow him to operate on my brain, appendix or any
other part of my body. He just does not have the right skill set.

Here is an example of a recent attack with blind SQL injection, which I think
is one of the hardest to produce and longest to apply attacks:
http://seclists.org/fulldisclosure/2011/Mar/309
A blind SQL attack is like a doctor removing your appendix while blindfolded,
operating a robot arm from 1000 miles away, with his only clues being your
"ouch" moaning as he pokes the knife at you.

My 2 cents,
Corneliu.

On Mon, Apr 4, 2011 at 4:58 PM, Arjang Assadi <[email protected]> wrote:

> I have been asked to provide a security assessment for an ASP.NET site
> using WebForms Authentication with the default ASP.NET Membership Provider,
> not using HTTPS.
>
> The website in question just provides some confidential information
> and nothing financial, but still I would like to have at least a
> security level matching what I would want for a web-based email client
> (Gmail, Hotmail, etc.).
>
> I have assumed the first requirement is getting an HTTPS certificate.
> What else should I consider? Any links for security-related issues for
> ASP.NET deployment?
>
> Regards
>
> Arjang
>