ASP.NET website...going live soon...how to keep it safe?

petejk

Senior member
Apr 6, 2002
463
0
0
I just finished coding my new business idea in .NET.

It took about 4 months and countless hours. I don't want my site to get hacked,
code stolen, etc...

- I have try/catches in my code
- All exceptions are e-mailed to me when they occur
- I have Tinyfirewall running and only allowing traffic on port 80
- I have parameterized my SQL statements and use a lot of regular expressions for validation.
- No one has access to telnet or ftp and there is no Windows file sharing.

What else should I be doing to keep my code/site safe?
All blackhats/whitehats respond please!

Thanks!!!
 

MrChad

Lifer
Aug 22, 2001
13,507
3
81
Are you running on Server 2003 SP1 with the latest security updates applied? How frequently is the server patched? Have you run baseline security analyzer on your server?
 

petejk

It is a Windows 2000 Server box with the latest Service Packs/hotfixes.
I also ran the IIS Lockdown tool as well.

I have not run the Baseline Security Analyzer...I will do that later tonight. Good Idea.
 

Drakkon

Diamond Member
Aug 14, 2001
8,401
1
0
What's the website :p?

Sounds like you've done just about all you can do apart from putting it behind a hardware firewall...just make sure the server stays up to date on the latest exploits and you should be OK on the hacking end.
On the code end, sounds like you need quite a bit of data checking (although I'm sure there is a ton there, sounds like, if you're using reg exp, which so long as you have no * on the end should be okay - don't want to allow for those buffer overflows ;)) and just make sure if people input anything (even in the get/post header) your prog won't be attributing those values to anything.
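
Added example, not part of any post in this thread: regular-expression validation of a GET/POST field in C#, comparing an unanchored pattern with an anchored, length-bounded one. The field rule, class and method names and sample inputs are hypothetical, and the match-timeout constructor assumes .NET Framework 4.5 or later.

```csharp
using System;
using System.Text.RegularExpressions;

static class InputValidation
{
    // Hypothetical rule for a "username" field: 3-20 letters, digits or underscore.
    // \A and \z anchor to the true start and end of the string; "$" would also
    // match just before a trailing newline and let "alice\n" through.
    static readonly Regex Username = new Regex(
        @"\A[A-Za-z0-9_]{3,20}\z",
        RegexOptions.CultureInvariant,
        TimeSpan.FromMilliseconds(100)); // bounds worst-case matching time per request

    // Same character class without anchors, shown only for comparison:
    // IsMatch succeeds if ANY substring matches, so it validates nothing.
    static readonly Regex Unanchored = new Regex(@"[A-Za-z0-9_]+");

    public static bool IsValidUsername(string value)
    {
        // Cheap null and length checks before the regex engine runs.
        if (value == null || value.Length > 20) return false;
        try { return Username.IsMatch(value); }
        catch (RegexMatchTimeoutException) { return false; } // fail closed
    }

    static void Main()
    {
        // Constructed sample inputs, as they might arrive in a query string or form post.
        string[] samples =
        {
            "site_user1",
            "ab",
            "bob'; DROP TABLE Users;--",
            "alice\n",
            "<script>"
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-30} unanchored={1,-5} anchored={2}",
                s.Replace("\n", "\\n"), Unanchored.IsMatch(s), IsValidUsername(s));
        }
    }
}
```

Only the first sample passes the anchored check, while the unanchored pattern accepts all five. Validation of this kind sits alongside the parameterized SQL statements mentioned in the first post and does not replace them.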
 

petejk

There's a lot...but I'm going to go through it with a fine tooth comb...I'm sure some stuff will crop up.

thanks for the reply!