What an emotive subject!
Must be Friday afternoon (well it is here - and I won't get a surf in
today!!!)
-----Original Message-----
From: Morgan, Rob [mailto:Rob.Morgan@o...]
Sent: 16 February 2001 15:09
To: Security_asp
Subject: RE: security information
I get tired of people making general statements like "the whole setup is
extremely insecure, that ASP is a major security risk". That's like saying
banks are insecure because I can walk in with a gun. We all know nothing is
secure. It's all based on risk factors and eliminating those risks that
are inappropriate for the application that it's being used for.
I know this doesn't help, but I just had to vent. I would ask specifically
what the concerns are and address them as facts, not hearsay. Of course you
can use the http://www.microsoft.com/security/default.asp site to help you.
-----Original Message-----
From: Taylor, Mark [mailto:mtaylor@m...]
Sent: Friday, February 16, 2001 8:06 AM
To: Security_asp
Subject: security information
Hi All
We have developed a huge intranet application using ASP in the 3-tier
architecture using Active-X components (sitting on SQL Server 7.0). The
corporate that is running the application now says that the whole setup is
extremely insecure, that ASP is a major security risk, especially active-x.
Does anybody out there have any resources for me to be able to:
a) test the application and server
b) provide information to the client proving that the technology is
secure.
There are a lot of people here that would prefer to see us developing in
Java.
Thanks,
Mark
PS I have tried some of the easily available hacks like iishack, and I have
gone to lengths to stop cross-site scripting, but I need more...