Chapter 9. Adding Security to Your Applications

In the days preceding the Internet, computing devices were islands of functionality with little interconnectivity. Nowadays, it is hard to tell whether a device is "on the network" even if all cables to it are unplugged. In order for the device to be useful, at least one software entity must be running ”and then this device is a candidate for attack via the same channels and primitives that enable connectivity for that software entity.

When computing devices were invented, software functionality and features were the prime areas of consumer interest. Today, the same consumers seek trust in the feature-rich software that they use.

Management in application development houses has traditionally viewed security as a non-revenue-generating component of the development process. But with the paradigm shift to seamless connectivity   la Web services, security has become an important component of software return on investment because compromises in this area can hurt a company's reputation.

This chapter touches on Visual Basic .NET security programming concepts and techniques ”some of which are specific to the .NET Framework. For a broad treatment of security programming, including application threat modeling using the STRIDE model, see Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003).