
Web Application Tasks

- J.D. Meier, Prashant Bansode, Paul Enfield.

Task lists compile the activities customers are expected to perform with this technology. We try to identify the areas most likely to need guidance and prioritize them here.

Hot Spots

  • Auditing and Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Communication
  • Data Access
  • Exception Management
  • Session Management
  • Validation

Auditing and Logging

  • How to choose a store for auditing and logging data.
  • How to identify operations and events to be logged.
  • How to identify information to be logged.
  • How to protect data stored in Azure storage.
  • How to retrieve and archive log data.
  • How to handle log failures.
  • How to avoid storing sensitive information in log files.
  • How to partition logged data between instances of roles.
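Added example, not from the original page: a C# helper that formats one audit record with the fields the items above ask for (when, which role instance, what, outcome, who, from where) and redacts secrets before they reach the log store. The instance id is passed in as a plain string, and the field layout and redaction patterns are assumptions made for the example.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not from the original task list. Formats one audit record and
// redacts material that must never be written to a log. The role instance id is a
// hypothetical string argument; on Windows Azure it would come from the role environment.
public static class AuditRecord
{
    // "password=..." / "pwd=..." inside connection strings or query strings.
    private static readonly Regex PasswordField =
        new Regex(@"(?i)\b(password|pwd)\s*=\s*[^;&\s]*", RegexOptions.Compiled);

    // 13 to 19 consecutive digits: the shape of a payment card number.
    private static readonly Regex CardLike =
        new Regex(@"\b\d{13,19}\b", RegexOptions.Compiled);

    public static string Redact(string text)
    {
        if (text == null) return string.Empty;
        string s = PasswordField.Replace(text, "$1=[REDACTED]");
        // Keep the last four digits so support can still match a customer's own record.
        s = CardLike.Replace(s, m => new string('*', m.Length - 4) + m.Value.Substring(m.Length - 4));
        return s;
    }

    // One record per line: UTC time, role instance, event name, outcome, principal,
    // client address and a redacted free-text detail. Pipe-delimited so values that
    // contain commas do not shift columns. CR/LF in the detail are replaced so a user
    // cannot forge an extra log line through input that ends up in the detail field.
    public static string Format(DateTime utc, string instanceId, string eventName,
                                bool success, string principal, string clientIp, string detail)
    {
        string safeDetail = Redact(detail).Replace("\r", " ").Replace("\n", " ");
        return string.Join("|", new[] {
            utc.ToString("o"), instanceId, eventName,
            success ? "SUCCESS" : "FAILURE",
            principal ?? "(anonymous)", clientIp, safeDetail });
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: a failed database login whose detail carries a connection
        // string with a password, a forged line break and a card-like number.
        string line = AuditRecord.Format(
            new DateTime(2009, 8, 22, 1, 1, 0, DateTimeKind.Utc),
            "WebRole1_IN_0", "DbConnectionFailed", false, "alice@example.com", "203.0.113.7",
            "Server=tcp:example;Database=AppDb;User ID=app;Password=S3cret!;Encrypt=True\r\n" +
            "card 4111111111111111");
        Console.WriteLine(line);
    }
}
```

Carrying the role instance id in every record is what makes it possible to merge and later partition logs written by several instances of a role. For security-relevant events, decide up front what happens when the log write itself fails; failing closed (denying the operation) is the safer default for events such as privilege changes.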

Authentication

  • How to identify trust boundaries within Web application layers for authentication.
  • How to use Windows authentication in a web app.
  • How to use forms authentication in a web app.
  • How to manage user accounts securely.
  • How to map a Windows login ID to a claims token.
  • How to build a basic identity provider.
  • How to combine multiple claims from separate providers into a single token.
  • How to authenticate using Windows Live ID.
  • How to authenticate mobile users.
  • How to cap login retries to prevent brute force attacks.
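Added example, not from the original page: a C# login throttle that caps failed attempts per account within a sliding window and then locks the account out for a fixed period. The thresholds, the in-memory store and the injectable clock are assumptions made for the example; the counters live in process memory, which is only correct for a single web server.

```csharp
using System;
using System.Collections.Generic;

// Added example: caps failed logins per account with a sliding window and a lockout.
// Hypothetical design, not from the original page. Counters are kept in process
// memory, which is only correct for one server; several web roles would need the
// counters in a shared store.
public sealed class LoginThrottle
{
    private sealed class Counter
    {
        public int Failures;
        public DateTime WindowStart;
        public DateTime LockedUntil;
    }

    private readonly Dictionary<string, Counter> _counters =
        new Dictionary<string, Counter>(StringComparer.OrdinalIgnoreCase);
    private readonly object _sync = new object();
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly TimeSpan _lockout;
    private readonly Func<DateTime> _clock; // injectable so the demo can move time forward

    public LoginThrottle(int maxFailures, TimeSpan window, TimeSpan lockout, Func<DateTime> clock)
    {
        _maxFailures = maxFailures;
        _window = window;
        _lockout = lockout;
        _clock = clock;
    }

    // Call before checking the password. Keyed on the submitted name whether or not
    // the account exists, so the response does not reveal which names are valid.
    public bool IsAllowed(string account)
    {
        lock (_sync)
        {
            Counter c;
            return !_counters.TryGetValue(account, out c) || _clock() >= c.LockedUntil;
        }
    }

    // Record a failed password check. Returns true if this failure started a lockout.
    public bool RecordFailure(string account)
    {
        lock (_sync)
        {
            DateTime now = _clock();
            Counter c;
            if (!_counters.TryGetValue(account, out c) || now - c.WindowStart > _window)
            {
                c = new Counter { WindowStart = now };   // start a fresh window
                _counters[account] = c;
            }
            c.Failures++;
            if (c.Failures >= _maxFailures)
            {
                c.LockedUntil = now + _lockout;
                c.Failures = 0;
                c.WindowStart = now;
                return true;
            }
            return false;
        }
    }

    // A successful login clears the counter for that account.
    public void RecordSuccess(string account)
    {
        lock (_sync) { _counters.Remove(account); }
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime now = new DateTime(2009, 8, 22, 1, 0, 0, DateTimeKind.Utc); // constructed clock
        var throttle = new LoginThrottle(5, TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(15), () => now);

        // Constructed sequence: five wrong passwords for one account, then a wait.
        for (int i = 1; i <= 5; i++)
        {
            bool locked = throttle.RecordFailure("alice");
            Console.WriteLine("attempt {0}: lockout started={1}", i, locked);
        }
        Console.WriteLine("allowed immediately: {0}", throttle.IsAllowed("alice"));
        now = now.AddMinutes(16);   // move past the lockout period
        Console.WriteLine("allowed after 16 minutes: {0}", throttle.IsAllowed("alice"));
    }
}
```

The built-in SqlMembershipProvider offers the same control through the maxInvalidPasswordAttempts and passwordAttemptWindow attributes on the membership provider in web.config. Whatever the implementation, a pure per-account lockout lets an attacker lock legitimate users out by guessing wrong on purpose, so pair it with a per-source-address limit or a challenge rather than a long hard lockout.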

Authorization

  • How to identify trust boundaries within the Web application layers for authorization.
  • How to decide the granularity of authorization settings.
  • How to use resource authorization.
  • How to use URL authorization.
  • How to use role authorization.
  • How to map Live IDs to roles or claims.
  • How to use a remote role store from a cloud STS.
  • How to expose a local role store to a remote STS.
  • How to ensure a least-privilege implementation.
  • How to use the Access Control Service (ACS) for creating claims.
  • How to map claims from multiple enterprises to the claims your application requires.
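Added example, not from the original page: a C# mapper that turns claims issued by several partner security token services into application roles. It trusts only listed issuers, accepts only listed claim types from each, and maps the same partner claim to different roles per enterprise, so no partner can assert an application role directly. The claim type, issuer URLs and role names are assumptions; a minimal claim class is used so the logic does not depend on a particular identity framework.

```csharp
using System;
using System.Collections.Generic;

// Added example, not from the page. A minimal claim type so the mapping logic does
// not depend on a particular identity framework. Issuers, claim types and role
// names below are hypothetical.
public sealed class IncomingClaim
{
    public string Issuer { get; private set; }
    public string Type { get; private set; }
    public string Value { get; private set; }
    public IncomingClaim(string issuer, string type, string value)
    {
        Issuer = issuer; Type = type; Value = value;
    }
}

public sealed class ClaimsMapper
{
    // Only tokens from these issuers are trusted, and each issuer may only assert
    // claims of the listed types. Anything else is dropped, never mapped.
    private readonly Dictionary<string, HashSet<string>> _trusted =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // (issuer, claim type, claim value) -> application role
    private readonly Dictionary<string, string> _roleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public ClaimsMapper TrustIssuer(string issuer, params string[] claimTypes)
    {
        _trusted[issuer] = new HashSet<string>(claimTypes, StringComparer.OrdinalIgnoreCase);
        return this;
    }

    public ClaimsMapper MapToRole(string issuer, string claimType, string value, string role)
    {
        _roleMap[Key(issuer, claimType, value)] = role;
        return this;
    }

    private static string Key(string issuer, string type, string value)
    {
        return issuer + "\n" + type + "\n" + value;
    }

    // Returns the application roles the incoming claims justify. Claims are
    // allow-listed per issuer, so a partner STS cannot hand out "Admin" for us.
    public HashSet<string> RolesFor(IEnumerable<IncomingClaim> incoming)
    {
        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (IncomingClaim c in incoming)
        {
            HashSet<string> allowedTypes;
            if (!_trusted.TryGetValue(c.Issuer, out allowedTypes) || !allowedTypes.Contains(c.Type))
                continue;                    // untrusted issuer or claim type
            string role;
            if (_roleMap.TryGetValue(Key(c.Issuer, c.Type, c.Value), out role))
                roles.Add(role);
        }
        return roles;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string contoso = "https://sts.contoso.example/";
        const string fabrikam = "https://sts.fabrikam.example/";
        const string groupClaim = "http://schemas.example/claims/group";

        var mapper = new ClaimsMapper()
            .TrustIssuer(contoso, groupClaim)
            .TrustIssuer(fabrikam, groupClaim)
            // The same partner group name means different things per enterprise.
            .MapToRole(contoso, groupClaim, "Finance", "InvoiceApprover")
            .MapToRole(fabrikam, groupClaim, "Finance", "InvoiceViewer");

        // Constructed token contents: a claim from each partner, an attempt by
        // fabrikam's STS to assert an application role, and an unknown issuer.
        var incoming = new[] {
            new IncomingClaim(contoso, groupClaim, "Finance"),
            new IncomingClaim(fabrikam, groupClaim, "Finance"),
            new IncomingClaim(fabrikam, "http://schemas.example/claims/role", "Admin"),
            new IncomingClaim("https://sts.unknown.example/", groupClaim, "Finance")
        };

        foreach (string role in mapper.RolesFor(incoming))
            Console.WriteLine("role: " + role);
    }
}
```

Keeping the issuer as part of the mapping key is the least-privilege point: a claim is only as trustworthy as the party that issued it, and the set of roles any one issuer can reach should be the smallest the application needs.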

Code Access Security

  • How to use code access security for constraining your web application.
  • How to choose trust levels for your web application.
  • How to use partial trust in your web application.
  • How to create a custom trust policy for your web application.
  • How to use code access security in hosting scenarios.

Communication

  • How to choose the protocol, security mode, and communication style for communication between web application layers.
  • How to secure sensitive data that is sent across the network.
  • How to choose between message security and transport security.
  • How to secure inter-role (IPC) communication.
  • How to handle interruptions in access to cloud applications.
  • How to interact with non-cloud applications that require a fixed IP address.

Data Access

  • How to connect to a database via integrated security.
  • How to connect to a database via standard SQL security.
  • How to secure Azure SQL database login (authentication).
  • How to secure Azure SQL database access (authorization).
  • How to secure your application from SQL injection.
  • How to encrypt your connection strings.
  • How to use least-privileged accounts for database access.
  • How to choose an authentication option for data access.
  • How to validate untrusted input passed to your data access methods.
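Added example, not from the original page: the same user lookup built two ways in C#, once by concatenating input into the SQL text and once with a typed SqlCommand parameter, so the difference is visible without a database. The commands are constructed but never executed; the connection string, login name, table and column names are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the page. Builds the same lookup two ways; the commands are
// constructed but never executed here. Connection string, login, table and column
// names are hypothetical.
public static class UserLookup
{
    // VULNERABLE: user input is pasted into the SQL text, so input can change the statement.
    public static SqlCommand BuildUnsafeCommand(SqlConnection conn, string userName)
    {
        string sql = "SELECT UserId, Email FROM Users WHERE UserName = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // SAFE: the SQL text is constant; the input travels as a typed, length-bounded parameter.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT UserId, Email FROM Users WHERE UserName = @name", conn);
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Never opened in this demo. The login named here should hold only the rights the
        // page needs (SELECT on the Users table or view, or EXECUTE on a stored procedure),
        // not db_owner, so a successful injection still cannot read or change other tables.
        var conn = new SqlConnection(
            "Server=(local);Database=AppDb;User ID=app_reader;Password=placeholder");
        string attack = "' OR 1=1 --";      // constructed malicious input

        SqlCommand bad = UserLookup.BuildUnsafeCommand(conn, attack);
        Console.WriteLine("unsafe text: " + bad.CommandText);

        SqlCommand good = UserLookup.BuildSafeCommand(conn, attack);
        Console.WriteLine("safe text:   " + good.CommandText);
        Console.WriteLine("parameter:   " + good.Parameters["@name"].Value);
    }
}
```

Parameters, not escaping, are the fix: the SQL text the server compiles never changes, so the input cannot alter the statement's shape. Stored procedures give the same protection only when the procedure itself does not concatenate its arguments into dynamic SQL. Shape validation of the input (allowed characters and length) belongs at the boundary in addition to, not instead of, parameters, and the connection string holding the database login should be stored encrypted rather than in clear text in configuration.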

Exception Management

  • How to choose an exception management strategy.
  • How to scrub exception messages for secure exception handling.
  • How to deal with sensitive information when handling exceptions.
  • How to deal with unhandled exceptions.
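Added example, not from the original page: a C# handler that splits every caught exception into two views, a full record for the server-side log and a generic message plus correlation id for the client, so stack traces, server names and database details never leave the server. The log sink is injected as an Action<string>, and the exception thrown in the demo is constructed for the example.

```csharp
using System;

// Added example, not from the page. Every caught exception becomes a full server-side
// log record and a generic client message joined by a correlation id. The log sink is
// a hypothetical Action<string>.
public sealed class ClientError
{
    public string CorrelationId { get; set; }
    public string Message { get; set; }
}

public static class ExceptionShield
{
    public static ClientError Handle(Exception ex, Action<string> log)
    {
        string id = Guid.NewGuid().ToString("N");

        // Full fidelity stays on the server: type, message, inner chain, stack.
        var sb = new System.Text.StringBuilder();
        sb.Append('[').Append(id).Append("] ");
        for (Exception e = ex; e != null; e = e.InnerException)
            sb.Append(e.GetType().FullName).Append(": ").Append(e.Message).Append(" <- ");
        sb.Append(Environment.NewLine).Append(ex.StackTrace);
        log(sb.ToString());

        // The client sees nothing about stack, SQL, paths or hostnames, only a handle
        // that support can match to the log record.
        return new ClientError
        {
            CorrelationId = id,
            Message = "The request could not be completed. Reference: " + id
        };
    }
}

public static class Demo
{
    public static void Main()
    {
        try
        {
            // Constructed failure standing in for what a data layer would throw; the
            // messages deliberately contain the kind of detail that must be scrubbed.
            throw new InvalidOperationException(
                "Login failed for user 'app_reader' on server sql01.corp.example",
                new TimeoutException("connection to 10.0.0.12:1433 timed out"));
        }
        catch (Exception ex)
        {
            ClientError err = ExceptionShield.Handle(ex, line => Console.WriteLine("LOG: " + line));
            Console.WriteLine("CLIENT: " + err.Message);
        }
    }
}
```

For exceptions nothing else catches, run the same handler from Application_Error in Global.asax and set customErrors to RemoteOnly or On in web.config, so the default ASP.NET error page with its stack trace is never shown to a remote client. The scrubbed message should be the same for every failure type; varying it by cause is how an attacker learns which inputs reached the database.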

Session Management

  • How to choose a state store.
  • How to identify the data to be stored in the session store.
  • How to handle session state in a single Web server scenario.
  • How to handle session state in a web farm scenario.
  • How to secure your session store.

Validation

  • How to identify trust boundaries within Web application layers for validation.
  • How to design your validation strategy to constrain, reject, and sanitize malicious input.
  • How to efficiently and securely validate input data.
  • How to secure Ajax validation.
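Added example, not from the original page: C# validators that apply the constrain, reject, sanitize order from the list above to a few field kinds. Each rule constrains first (type, length, range, allowed characters), rejects anything that does not fit, and sanitizes only in the narrow sense of normalizing input that is already valid. The field rules and limits are assumptions made for the example.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example, not from the page. Field rules below are hypothetical.
public sealed class Validation<T>
{
    public bool IsValid { get; private set; }
    public T Value { get; private set; }
    public string Error { get; private set; }
    public static Validation<T> Ok(T v) { return new Validation<T> { IsValid = true, Value = v }; }
    public static Validation<T> Fail(string why) { return new Validation<T> { IsValid = false, Error = why }; }
}

public static class InputRules
{
    // \z rather than $: $ also matches just before a trailing "\n", which would let
    // "alice\n" through a rule that was meant to allow only "alice".
    private static readonly Regex UserName = new Regex(@"^[A-Za-z0-9._-]{1,64}\z", RegexOptions.Compiled);
    private static readonly Regex ZipCode  = new Regex(@"^\d{5}(-\d{4})?\z", RegexOptions.Compiled);

    public static Validation<string> ValidateUserName(string raw)
    {
        if (raw == null) return Validation<string>.Fail("missing");
        // Sanitize: strip leading/trailing spaces only. Any other whitespace is rejected
        // by the allow-list below rather than silently removed.
        string s = raw.Trim(' ');
        if (!UserName.IsMatch(s)) return Validation<string>.Fail("user name: 1-64 of [A-Za-z0-9._-]");
        return Validation<string>.Ok(s);
    }

    public static Validation<int> ValidateQuantity(string raw)
    {
        int q;
        // Invariant culture and digits-only style, so "1,000" or " 3 " are rejected rather than guessed.
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out q))
            return Validation<int>.Fail("quantity: digits only");
        if (q < 1 || q > 1000) return Validation<int>.Fail("quantity: 1-1000");
        return Validation<int>.Ok(q);
    }

    public static Validation<string> ValidateZip(string raw)
    {
        if (raw == null || !ZipCode.IsMatch(raw)) return Validation<string>.Fail("zip: 12345 or 12345-6789");
        return Validation<string>.Ok(raw);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs, including the trailing-newline case the \z anchor exists for.
        string[] names = { "alice", "  bob  ", "alice\n", "<script>", new string('a', 65) };
        foreach (string n in names)
        {
            var r = InputRules.ValidateUserName(n);
            Console.WriteLine("{0,-12} -> {1}", n.Replace("\n", "\\n"),
                              r.IsValid ? "ok: " + r.Value : "reject: " + r.Error);
        }
        Console.WriteLine("quantity \"1,000\" valid: " + InputRules.ValidateQuantity("1,000").IsValid);
        Console.WriteLine("quantity \"42\" valid:    " + InputRules.ValidateQuantity("42").IsValid);
        Console.WriteLine("zip \"98052-6399\" valid: " + InputRules.ValidateZip("98052-6399").IsValid);
    }
}
```

The same rules must run on the server for every request, including the endpoints an Ajax call hits: client-side validation only improves the experience for honest users, since an attacker can skip it and post directly. ASP.NET request validation is a backstop against a few HTML patterns, not a substitute for per-field rules like these.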

Last edited Aug 22, 2009 at 1:01 AM by paulenfield, version 2
