
Question


Assignment 2

You are still working in the same large organization as a Security Analyst. The organization is still firmly resolved to develop and install home-grown applications using the ASP.NET development platform. As a key member of the development team, you must be involved in all aspects of application security. Now that the pilot project is rolled out into production, you are set to deal with several concerns related to the newly developed code. The pilot application is an e-commerce system, designed to sell home-designed and produced products.

Here are the major concerns. You must address these concerns and give a way of resolving them to everyone's satisfaction:

The ASP.NET application is using a small credit card processor for credit card sales. The developers who wrote the bridge with the provider software decided that it might be easier to store the transaction key in the ViewState, because most of the related operations are performed on the same page. The sales personnel reconciling transactions with the bank noticed that some of the transactions were completed successfully but the bank has no record of a funds transfer.

Your system administration team has invested in monitoring software that would alert them if an error occurred in the application. This software is tightly integrated with all Windows administration features. However, the architect of the system insisted on using log4net for recording exceptions. The administration software does not work with log4net, and another solution may be required.

When looking at the database, you noticed that the user table contains a field for the password. The architect of the system claims that the password is properly hashed. However, you noticed that the architect insisted on using a proprietary hashing mechanism he learned in school. Can you suggest a better hashing solution using .NET only? Please explain why it is good.

You also noticed that credit cards for the users are encrypted. The problem with this solution is that the key is stored in the administration table in the database. The architect tells you that there is a policy to change the key every so often, but you are not at all satisfied with suc
