Firewall Wizards mailing list archives

RE: ASP


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Mon, 2 Jul 2001 15:13:42 -0500

Microsoft's Active Server Pages are very much like anything that is housed
as a service.  I've seen secure code and insecure code, I've seen secure
code being used to house insecure components and vice versa.  Generally
speaking, it depends as to what you wish to do.  Typically, using any
service there are some things you need to harden before you want to push to
production, and ASP, more so IIS, has ASP scripts that should be removed.

Cheers
r.


Richard Scott   
Information Security
Tel: (001) -952-995-5432
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.

 -----Original Message-----
From:   Steven M. Bellovin [mailto:smb () research att com] 
Sent:   Thursday, June 28, 2001 1:49 PM
To:     hermit1
Cc:     firewall-wizards () nfr net
Subject:        Re: [fw-wiz] ASP 

In message <5.0.2.1.2.20010626121501.00aad070 () popserv ucop edu>, hermit1
writes:
Is there a general feeling about the safety of Active Server Pages?  I know
a little about what needs to be done with the OS and on the programming 
side to keep ASP from being wide open to attackers.  Is there a preferred 
alternative?

*All* server-run scripts -- ASP, CGI, XYZZY -- are network services 
being offered to the public.  As such, they should be treated with 
extreme suspicion.  In particular, these are the reasons you don't want 
your Web servers on the inside of your firewall.

                --Steve Bellovin, http://www.research.att.com/~smb


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards