Introduction

This book is an introduction to security for Visual Basic programmers. You’ll find it useful both as a prescriptive guide for writing secure applications and as a technical reference for how to actually implement security techniques in your own code. For example, in Chapter 1, “Encryption,” we explain what encryption is and when to use the different types of encryption, and we provide examples that show you how to actually encrypt and decrypt information.

Although there is already a wealth of information available about security, very little has been written that targets the Visual Basic programmer. In writing this book, we set out to change this. We have followed three principles that make this book better for the Visual Basic programmer than any other publication you will find on security:

• Make it simple Many security publications are shrouded in hard- to-understand jargon and difficult-to-work-out acronyms, and they assume you already have a background in security. This book is different: we spell out every acronym, use easy-to-understand language, and explain in clear terms each security concept.

• Clear guidance Some security books explain security techniques without telling you where or where not to use them. This book is different: we offer clear guidance on how, when, and where you should use each security technique.

• Complete assistance Although this is an introductory-level book, it covers everything from coding techniques to designing a secure architecture to performing a security audit. Our intention was to provide an end-to-end introductory guide for producing secure applications.

How to Use This Book

The authors of this book, like you, are Visual Basic programmers. We use straight, no- nonsense talk, offer clear and simple solutions, and provide step- by-step examples—written entirely in Visual Basic, of course. To make it easier to find what you’re looking for, this book is divided into four sections, each section dealing with a different aspect of security:

• Section 1 jumps straight into programming techniques such as encryption, role-based security, code access security, Microsoft ASP.NET authentication, and securing Web applications.

• Section 2 is about identifying threats to your Visual Basic .NET application and neutralizing them by safe-guarding input, properly handling exceptions, and testing your application for security vulnerabilities.

• Section 3 discusses how to lock down the environments that your application runs in or depends upon such as the Microsoft Windows operating system, Internet Information Services, .NET runtime, Microsoft SQL Server, and Microsoft Access databases. In addition, this section discusses how to lock down your application for deployment.

• Section 4 focuses on architecture, how to design secure systems, perform a security audit of your application, come up with a contingency plan, and execute the contingency plan if an intruder does make his or her way past the security measures you have put into place.

Microsoft Visual Basic .NET is built on a number of technologies, including the .NET platform, Microsoft Visual Studio .NET, and of course the Microsoft Visual Basic .NET compiler. For the sake of simplicity and brevity, unless the distinction is important, we refer to all of these technologies collectively as Microsoft Visual Basic .NET. As a Microsoft Visual Basic .NET developer, you don’t need to think about these composite technologies to get your job done.