<< New Blog Home | Home | Silence is not Golden >>

More on Viral Coding

OK.  So when does what we write become a coding template and just a simple example???

I was reading through Fritz Onion’s most excellent expose of ASP.NET (Essential ASP.NET).  In the VB.NET version of the book (and I am sure somewhere in the C# version) on page 76, when discussing configuration files, the example on page 76 has a DSN with User=SA and Password = nothing.  Now this has been something that has been preached for the longest time (well before he wrote the book at least).  Do I think that Mr. Onion is implicitly recommending that you use SA/No password?  No.  Are there some who would see this code and follow the example?—why…yes I do—I’ve seen it.  Further, I have seen a fair number of applications where the username and password is in plain text in the web.config file.

How come there aren’t any books out there that address encrypting sensitive information in configuration files?  Is it the complexity? Is it the “secret code I don’t want to share”?  I tried doing it for a client, but they didn’t understand what all the process was doing, so they had me take it out.  Go figure.  No wonder we can’t write secure applications.  But that is a rant for another day.

Print | posted on Wednesday, November 17, 2004 5:57 AM

Feedback

# re: More on Viral Coding

left by Steve Hartzog at 11/19/2004 9:27 PM Gravatar
Excellent idea! This would be an excellent topic for an article. I'm using the SymmCrypto provider, and a specialized method to decrypt during runtime and store it in memory. The password never touches the disk, and during coding I just used the propery of my Data class when making MSDAAB calls. For example:

SqlHelper.ExecuteDataSet(Data.connectionString, CommandType.String, strSQL)

In the spirit of full disclosure my first production app placed it in web.config as well... until the SA freaked on me - then I put it in a remote assembly. During deployment the production server only saw the dll (not the source).

Anyway, I don't think this is a complex subject - but one that deserves a full article. I look forward to reading that article should you undertake it. If not, let me know... and I might just write that one myself.

# re: More on Viral Coding

left by Brian Sherwin at 11/20/2004 9:05 PM Gravatar
I don't think the SA should be freaking out--he handed out the password in the first place. In the true spirit of coding, we should be using a least privilege account as well, so nobody should freak out right.
Title  
Name
Email (never displayed)
Url
Comments   
Please add 2 and 1 and type the answer here:
Copyright © Brian Sherwin