Hot Spot Key Decisions
Auditing and Logging * How to identify the sink for auditing.
* How to identify the operations and events to be logged.
* How to identify the content or information to be logged.
* How to secure to audit files / store.
* How to archive audit information.
* How to handle audit failures.
* How to avoid storing sensitive information in audit files.
* How to provide the necessary information for debugging cloud applications.
* How to use platform features to log debugging information without impacting application performance.
* How to ascertain and send health status information.
Authentication * How to identify trust boundaries within Web application layers for authentication.
* How to authenticate your users and pass authenticated identities across the layers.
* How to use windows authentication in a web app.
* How to use forms authentication in a web app.
* How to authenticate with Live ID.
* How to authenticate mobile users.
* How to prevent brute force attacks
* How to use a foreign identity provider logon page (i.e., How to redirect to an STS from a browser.)
Authorization * How to identify trust boundaries within the Web application layers for authorization.
* How to decide granularity of authorization settings.
* How to federate claims.
* How to use resource authorization.
* How to use URL authorization.
* How to use roles authorization.
* How to use Azure tables as a roles store.
* How to authorize access to Azure tables, queues, and blobs.
* How to prevent your application from relying on administrative privileges it will not have in the cloud.
Communication * How to choose protocol, security and communication-style for communication between web application layers.
* How to secure any sensitive data that is sent across the network.
* How to choose between message security and transport security.
* How to secure inter-role (IPC) comm.
* How to handle interruptions in access to cloud applications.
* How to interact with non cloud applications that require fixed IP address.
Data Access * How to connect to a non cloud DB via integrated security.
* How to connect to a non cloud DB via Standard SQL security,
* How to secure Azure SQL db login (authentication).
* How to secure Azure SQL db access (authorization).
* How to secure your application from SQL injection.
* How to encrypt your connection strings.
* How to use least-privileged accounts for database access.
* How to choose authentication option for data access.
* How to validate un-trusted input passed to your data access methods.
* How to connect to Azure blobs and tables.
Exception Management * How to choose exception management strategy.
* How to scrub exception message for secure exception handling.
* How to deal with sensitive information when handling the exception.
* How to deal with unhandled exceptions.
Sensitive Data * How to store sensitive data in the cloud.
* How to secure sensitive data sent to a cloud app.
Session Mgmt * How to choose a state store.
* How to identify the data to be stored in session store.
* How to handle session state in a single Web server scenario.
* How to handle session state in web farm scenario.
* How to secure your session store.
Validation * How to identify trust boundaries within Web application layers for validation.
* How to design your validation strategy to constrain, reject, and sanitize malicious input.
* How to efficiently and securely validate input data.
* How to secure Ajax validation.


Last edited Aug 13, 2009 at 10:20 AM by prashantbansode, version 2

Comments

No comments yet.