0

I am looking to rent a VPS server to host a game server, a MySQL database and an ASP.NET site on it. A Windows server is too expensive for me, but Mono-Project for Ubuntu does everything that I need it to do. The question is: is it as secure as running the ASP.NET site on Windows? Are there any security issues? I need to secure my site really well because it is going to have a database with sensitive user info, including passwords. I will also be using libraries with my ASP.NET site, if it matters (such as MySQL connector for dot net and BCrypt.Net).

Itay080

2 Answers

1

One rule especially true in software development is: the simpler, the better. Each time you add a complex system (OS, library, framework), you must wonder about its security level from 2 different points of view:

  • does the design present security problems? (typically how is the data hosted and accessed, how is authentication and authorization processed, what is the complexity of the configuration)
  • what is the risk that the system contains implementation flaws?

That second question is often hard to answer and is often not much more than a bet, but it is important. As far as I am concerned, I try to know what the reputation is, and look at the bug list for open source systems. Its size, the kinds of bugs and the time of resolution shed some light on the risk of security flaws. The following is no more than my opinion:

  • Ubuntu is a serious OS, based on Debian Linux, and has a pretty good reputation. Its configuration to obtain a standard server security level requires some work (it is by default a workstation system), but it is not much harder than Windows.
  • Mono is a framework that ports the .NET API to the non-Microsoft world. I am not an expert on it, but I would be afraid that its developers cared more for functionality than security. You should examine the current bug list to form your own opinion. IMHO this is the key point for your question.

But using a correct underlying platform is far from being enough to build a secure web application. Many problems can come (and often do) from the way the application itself is designed and implemented. And anyway, *I must secure it really* shows that you are concerned with security, which is a good starting point, but best practices recommend doing a true security analysis:

  • what are the threats
  • what are the current weaknesses
  • what are the security requirements

Only the answers to those questions will allow you to secure the application according to its requirements.

Serge Ballesta
-2

You have to review the OWASP TOP 10 Guidelines and secure your code while you write it. After you are done, you have to install a WAF (Web application firewall) and check your windows server configuration (hardening). Then you have to find someone who can do penetration testing and a security assessment of your server and web app before you make it public.

  • *"check your windows server configuration"* The OP is using Linux, not Windows. Actually it was the core of his question whether using ASP on Linux instead of Windows creates new risks which, I think, is not really answered by your post. – WhiteWinterWolf Jul 23 '17 at 09:24