List of Figures

Chapter 1: Encryption

Figure 1-1: Encrypting and decrypting a secret message

Figure 1-2: SHA-1 hash digests

Figure 1-3: Private key encryption

Figure 1-4: Public key encryption and decryption

Chapter 2: Role-Based Authorization

Figure 2-1: Employees and roles

Figure 2-2: Buttons are hidden based on roles

Figure 2-3: Jane’s permissions

Chapter 3: Code-Access Security

Figure 3-1: An attempt to perform an action must pass through several security checks

Figure 3-2: Standard symbols representing each zone

Figure 3-3: The Opening Mail Attachment warning dialog box

Chapter 4: ASP.NET Authentication

Figure 4-1: Forms authentication

Chapter 5: Securing Web Applications

Figure 5-1: 13 hops to Yahoo

Figure 5-2: Intercepting TCP/IP packets

Figure 5-3: Trusted certificate authorities in Internet Explorer

Chapter 6: Application Attacks and How to Avoid Them

Figure 6-1: The user name and password fields injected by the attacker’s user name

Chapter 7: Validating Input

Figure 7-1: The error displayed by the RegularExpressionValidator control

Chapter 8: Handling Exceptions

Figure 8-1: View the event log on a user’s computer

Chapter 9: Testing for Attack- Resistant Code

Figure 9-1: An attacker’s blueprint of your application

Figure 9-2: The sample test page to be viewed by WebTester

Figure 9-3: Five steps to get a hacker’s view of your Web page

Figure 9-4: A hacker’s view of your ASP.NET-generated Web page

Chapter 10: Securing Your Application for Deployment

Figure 10-1: Elements of an X.509 certificate.

Chapter 11: Locking Down Windows, Internet Information Services, and .NET

Figure 11-1: The Microsoft Baseline Security Analyzer

Figure 11-2: The IIS Lockdown tool

Chapter 12: Securing Databases

Figure 12-1: Results of three identifier methods

Figure 12-2: Adding a user to a database

Figure 12-3: Securing VBA code in a Microsoft Access database

Figure 12-4: Turn on auditing in SQL Server Enterprise Manager

Chapter 13: Ten Steps to Designing a Secure Enterprise System

Figure 13-1: Secure Web application architecture 1

Figure 13-2: Secure Web application architecture 2

Figure 13-3: Secure intranet Web architecture

Figure 13-4: Secure client-server architecture

Figure 13-5: What is the right decision?

Figure 13-6: Give the user a chance to back out

Chapter 15: Threat Analysis Exercise

Figure 15-1: Employee management system Web design diagram for user logon scenario

Chapter 16: Future Trends

Figure 16-1: Press the button to flood the town below

Appendix A: Guide to the Code Samples

Figure A-1: The frmLogin form

Figure A-2: The frmDashboard form

Figure A-3: The frmMyInfo form

Figure A-4: The frmAddNew form

Figure A-5: The frmRemoveUser form

Figure A-6: The frmManage form

Figure A-7: The default.aspx Web form

Figure A-8: The login.aspx Web form

Figure A-9: Voila! The page finally opens

Figure A-10: Editing a profile

Figure A-11: Encryption Demo

Figure A-12: Changing the Passport environment to pre-production

Figure A-13: EmployeeDatabase data model