No matter how secure your server is, if the applications that it hosts are not programmed according to best security practices, your network might be vulnerable to attacks. As part of a defense-in-depth strategy, IIS administrators should work with developers to ensure that the code that the server running IIS hosts is as secure as possible. For example, developers can reduce the risk of certain types of attacks, such as cross-site scripting and SQL injection, by validating user input.

Cross-site scripting occurs when an attacker sends a link in e-mail to a user or otherwise points the user to a Web site, and the link actually contains malicious script code, which can be VBScript or JScript. As a result of cross-site scripting, an attacker ...