Getting some security religion

We recently had a security consultant come in to give us some guidance. Since I am the developer, not the database or network engineer, I learned a few things, but the one that really got me was the use of ports in Oracle instance setups. Hackers always look for the obvious, and usually that means default settings that never get changed.

When you add a new TNS name to your tnsnames.ora file, people usually take the default of port 1521. So right there we found one issue that could easily be corrected. This is in the same vein as companies that leave the default sa user with no password in SQL Server. You can bet your sweet bippy I'll be on the lookout for things like that from now on.
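Since the fix starts with finding every entry that still points at the default listener port, here is a small audit script, added as an example for this post and not taken from it or from Oracle's tooling. It parses tnsnames.ora-style text (aliases at parenthesis depth zero, nested `(KEY = value)` groups, `#` comments) and reports every alias whose ADDRESS entries still use port 1521. The file contents and hostnames are constructed for the demonstration.

```python
import re

# Oracle's well-known default listener port, the value the post says people leave in place.
DEFAULT_ORACLE_PORT = 1521

# Matches one (PORT = nnnn) group inside an ADDRESS entry; case-insensitive like tnsnames.ora itself.
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.IGNORECASE)

# Constructed sample input; not a real tnsnames.ora, hosts are in the reserved .invalid TLD.
SAMPLE_TNSNAMES = """
# Constructed sample, not a real tnsnames.ora
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.invalid)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
  )

HRDB.EXAMPLE =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = hr1.example.invalid)(PORT = 1591))
      (ADDRESS = (PROTOCOL = TCP)(HOST = hr2.example.invalid)(PORT = 1521))  # failover still on default
    )
    (CONNECT_DATA = (SERVICE_NAME = hr))
  )

REPORTS = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = rpt.example.invalid)(PORT = 1650))(CONNECT_DATA = (SID = RPT)))
"""


def split_entries(text):
    """Split tnsnames.ora-style text into (alias, body) pairs.

    An entry begins with an alias followed by '=' while no parenthesis is open,
    and ends when the parentheses that follow balance back to depth zero.
    """
    entries = []
    depth = 0
    alias = None
    name = []   # characters of the alias currently being read
    body = []   # characters of the current entry's parenthesised body
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]      # '#' starts a comment in tnsnames.ora
        for ch in line:
            if alias is None:            # still reading the alias
                if ch == "=":
                    alias = "".join(name).strip()
                    name = []
                else:
                    name.append(ch)
                continue
            body.append(ch)
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:           # body closed: emit the entry
                    entries.append((alias, "".join(body)))
                    alias, body = None, []
        if alias is not None:
            body.append("\n")
    return entries


def entry_ports(text):
    """Map each alias to the list of listener ports its ADDRESS groups use, in file order."""
    return {alias: [int(p) for p in PORT_RE.findall(body)]
            for alias, body in split_entries(text)}


def find_default_port_entries(text, default=DEFAULT_ORACLE_PORT):
    """Return the aliases that still have at least one ADDRESS on the default port."""
    return [alias for alias, ports in entry_ports(text).items() if default in ports]


if __name__ == "__main__":
    for alias, ports in entry_ports(SAMPLE_TNSNAMES).items():
        flag = "DEFAULT PORT" if DEFAULT_ORACLE_PORT in ports else "ok"
        print(f"{alias:15} ports={ports} {flag}")
    # prints ORCL and HRDB.EXAMPLE as DEFAULT PORT, REPORTS as ok
```

Note the HRDB.EXAMPLE entry: its primary address was moved off 1521 but the failover address was not, which is exactly the kind of half-done change a scan of the whole file catches. Moving the listener off the default port only removes the obvious first guess; the listener is still discoverable by a port scan, so treat the port change as one item alongside restricting which hosts can reach the listener at all.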

If you are looking for some really good sample code on ASP.NET security, check out the Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication article series on MSDN. Lots of good stuff up there, especially the How-Tos.

I mentioned in an earlier post that I thought the web services section was kind of light. I wish it were as good as this section.