Security Features in .NET

Security in .NET involves many features, but they fall generally into three major areas.

1. Internal Security. Classes and class members in .NET can be protected via user-based or role-based security. This Code Access Security (CAS) exists to keep unauthorized users from accessing powerful libraries of .NET features. Only those users meeting a minimum or specific set of rights can use those protected features.

2. External Security. Because anyone can develop and distribute a .NET application, it's important to protect system resources from malicious code. This is a big issue, especially with the ongoing reports of hackers taking advantage of "buffer overrun" problems in released software from Microsoft and other vendors. Just as CAS keeps code from accessing certain features of a class, it interacts with the operating system to keep rogue code from accessing some or all files and directories, registry entries, network resources, hardware peripherals, or other .NET assemblies based on in-effect security policies.

3. Data Security. Programs and computer resources aren't the only things that need to be protected. Some highfalutin users think that their precious data is so important, that it deserves to be protected through "special" software means. Encryption, digital signatures, and other cryptographic features provide the "special" support needed for such data.

Because the Library Project interacts with a major external resourcea SQL Server databaseit does deal with External Security issues, although indirectly through ADO.NET and system security policies. Still, because of this book's focus on typical business application development, this chapter will not discuss either internal security or external security issues. Instead, it will focus on data security topics, especially the encryption of data.