Enterprise Library Test Guide - Willy .Net
Testing for Security Best Practices 125
Table 1: Logging Application Block Assets

Assets and their vulnerabilities

Assemblies
  You should protect the Logging Application Block assemblies from malicious users who could tamper with them, or replace or override them with other assemblies.

Resource files
  Resource files contain static error messages. You should protect them from unauthorized read/write operations.

Configuration files
  The configuration files contain separate sections for each application block and for the instrumentation. This is sensitive data that you should protect from unauthorized read/write operations.

Configuration value objects
  The configuration value objects hold configuration information in memory. Configuration data is sensitive information that you should protect from unauthorized read/write operations.

Database
  The Logging Application Block exposes interfaces that allow you to use the Data Access Application Block to log messages to a database. This information may be sensitive, and unauthorized users should not be allowed to see it. This may also be true of other information in the database. You should also protect the database from unauthorized read/write operations.

Database connection string
  The Logging Application Block uses the Data Access Application Block to log information to a database. The Data Access Application Block uses a connection string that is specified in the configuration file to access the database. This file stores the connection string as plaintext. The connection string can include a server name, a database name, a user ID, and a password. You should protect this information from unauthorized read/write operations.

File system log files
  The Logging Application Block exposes interfaces that allow you to log messages to a log file. These messages may contain sensitive information. You should use access control lists (ACLs) or encryption to protect the log file from unauthorized read/write operations.

SMTP server
  The Logging Application Block exposes interfaces that allow you to use an SMTP server to send e-mail. Malicious users can use the server to send unsolicited e-mail messages. You should protect the SMTP server from unauthorized access.

Message queues and distributor service
  The Logging Application Block exposes interfaces that allow you to place log messages in a Message Queuing queue and distribute them to trace listeners. These messages may contain sensitive information. You should protect the queue and the messages from unauthorized read/write operations.

Event log
  The Logging Application Block exposes interfaces that allow you to log messages in the event log. These messages may contain sensitive information. You should protect them from unauthorized read/write operations.

(continued)
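The table tells you to protect the plaintext connection string in the configuration file and to put ACLs or encryption on the flat-file log, but it does not show how. The following is an added example, not code from the Enterprise Library Test Guide or from Enterprise Library itself. It runs once at deployment time on a Windows host and does two things: it encrypts the standard <connectionStrings> section (the section the Data Access Application Block reads) with the DPAPI protected-configuration provider that ships with .NET Framework, and it replaces the inherited ACL on the configuration file and on the log file with an explicit one that admits only SYSTEM, Administrators and the service account. The executable path, the log path and the account name MYDOMAIN\svc-logging are placeholder assumptions; the log is assumed to be a fixed-path flat file, since the page names no particular trace listener.

```csharp
// Added example (not from the Enterprise Library Test Guide or Enterprise Library).
// Hardens two Table 1 assets: the plaintext connection string in the config file,
// and the flat-file log. Assumes .NET Framework (System.Configuration and
// System.Security.AccessControl) on Windows, run with rights to rewrite both files.
// All paths and the account name below are placeholders.
using System;
using System.Configuration;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class LoggingAssetHardening
{
    // Encrypts the <connectionStrings> section of exePath + ".config" in place.
    // Returns false when the section was already protected. DPAPI at its default
    // (machine) scope lets any process on this machine decrypt the section, so the
    // file ACL applied by RestrictFile is part of the control, not an optional extra.
    public static bool ProtectConnectionStrings(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InvalidOperationException("no <connectionStrings> section in " + config.FilePath);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;   // persist the section even though its values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Replaces the file's ACL outright: inheritance switched off, inherited ACEs
    // discarded (so BUILTIN\Users no longer gets read access from the parent folder),
    // then three explicit Allow entries and nothing else.
    public static void RestrictFile(string path, string serviceAccount, FileSystemRights serviceRights)
    {
        if (!File.Exists(path))
            File.WriteAllText(path, string.Empty);

        var acl = new FileSecurity();
        acl.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);

        var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        acl.AddAccessRule(new FileSystemAccessRule(system, FileSystemRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(admins, FileSystemRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(new NTAccount(serviceAccount), serviceRights, AccessControlType.Allow));

        File.SetAccessControl(path, acl);
    }

    static void Main(string[] args)
    {
        // Placeholders: the host executable whose .config holds the connection string,
        // the service account the host runs under, and the flat-file listener's path.
        string exe = args.Length > 0 ? args[0] : @"C:\Services\LoggingHost\LoggingHost.exe";
        const string svc = @"MYDOMAIN\svc-logging";
        const string log = @"C:\Logs\trace.log";

        bool changed = ProtectConnectionStrings(exe);
        Console.WriteLine(changed ? "connectionStrings section encrypted" : "connectionStrings already protected");

        // The service only needs to read its configuration at run time; never grant it Write or Delete.
        RestrictFile(exe + ".config", svc, FileSystemRights.Read | FileSystemRights.Synchronize);

        // The listener opens the log for writing, so it needs Read and Write (which covers
        // append and attribute writes) but not Delete: a compromised service can add
        // entries but cannot remove the file.
        RestrictFile(log, svc, FileSystemRights.Read | FileSystemRights.Write | FileSystemRights.Synchronize);
    }
}
```

Two caveats a tester should check afterwards. First, open the .config file in an editor: the connectionStrings element should now contain only an EncryptedData block, and the application must still connect, which proves the provider decrypts transparently under the service account. Second, a rolling flat-file listener creates and renames files, so it needs rights on the log directory as well as the file; the single-file ACL above is only correct for a fixed-path listener.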