Locating the Security Information You Need


Security information changes almost daily as security threats change. As crackers discover new holes, and vendors come up with new fixes for those holes, your security outlook changes as well. Various updates, new technologies, and revised strategies affect how you handle various security issues and may mean changing application code to meet new security threats. In short, just keeping up with security issues could be a full-time job. Needless to say, paper documentation is a little too permanent for some security requirements, which means looking for what you need online.

Trade press magazines and newsletters are helpful for keeping you up-to-date. It’s also important to check the Microsoft Knowledge Base (http://search.support.microsoft.com/search/default.aspx) from time to time. You can use the Knowledge Base to search for new articles published within a given timeframe. (Just fill in the dates you’re interested in viewing in the form supplied—you can also look for terms, such as security.) Between these two sources, you can obtain information about major security threats. The following sections discuss specific security information needs and tell you where to find additional information.

Dealing with Patches

The most important nonprogramming-related security consideration is applying patches to your development machine. Yet, many developers don't install patches because they feel it's a waste of time. After all, they don't use their machine for production work, and there's a good chance they'll format the machine's hard drive after the current project. The problem is that a machine missing required security patches is open to exactly the attacks those patches close; a virus or worm can infect it and spread from there. In addition, testing your program without the patches in place means you don't actually know how it will behave on a patched client machine, where the system components it relies on may differ from yours.

Unfortunately, knowing about a security threat isn’t always enough. Even if you download and install a patch on your development machine, it’s not always safe to assume that the user of your application will do the same. Therefore, you need to know how to check for the patches if the patch will affect your application in some way. Consequently, the second part of a good machine setup is ensuring the user has the same patches you do and keeps their machine updated. Here are some URLs you’ll want to check for ideas on locating patches.

Windows Update (http://windowsupdate.microsoft.com/) This is the definitive site to look for patches for your system. It's automatic and has a relatively easy-to-use interface. The problem with this site is that it isn't always current, and it doesn't list every patch you need. For example, it covers only the operating system; it doesn't list any patches needed for your development product.

Hotfix & Security Bulletin Service (http://www.microsoft.com/technet/security/current.asp) The best place to locate patches for your machine is this service. Microsoft keeps it updated with information that may not even appear on the Windows Update site. In addition, the easy-to-use interface means that most users can understand the site and use it to keep their machine updated. The list of updates you receive appears in date order, making it easy to figure out which updates you need to download. You can also look for products besides Windows, such as Visual Studio .NET.

Security Guide for Windows (http://www.winguides.com/security/) The sometimes bizarre language used to write Microsoft security guides is difficult for many people to understand. This site puts the information you need in plain English. It lists the updates by product type and date. You won’t find Visual Studio here, but you can find all of the other products you’ve used to set up your development workstation and server.

One interesting resource that you’ll want to read is the SANS Institute article entitled, “Microsoft Windows Security Patches” (http://www.sans.org/rr/win/patches.php). This article not only points out where to get the patches, but also why they’re important. It’s the kind of article that you’ll want to keep for reference.
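The check described above, that a patch your application depends on is actually present on the user's machine, can be performed from managed code. The following is an added example (not code from the book): it queries the Windows Management Instrumentation class Win32_QuickFixEngineering, which lists installed operating-system updates by their Knowledge Base ID. The ID KB000000 is a placeholder, not a real patch; substitute the number from the security bulletin you care about. Note the caveat from the Windows Update entry above: this class covers operating-system updates only, so a fix for Visual Studio .NET or another product must be verified another way, for example by checking the file version of the component the fix ships. The program requires a reference to System.Management.dll.

```csharp
using System;
using System.Management;

// Added example: verify that an operating-system hotfix the application
// depends on is installed on the machine it runs on. Uses the WMI class
// Win32_QuickFixEngineering (requires a reference to System.Management.dll).
public static class PatchCheck
{
    // Returns true if a hotfix with the given Knowledge Base ID appears in
    // the machine's list of installed updates. "KB000000" is a placeholder.
    public static bool IsHotfixInstalled(string kbId)
    {
        if (kbId == null || kbId.Length == 0)
            throw new ArgumentException("A Knowledge Base ID is required.", "kbId");

        string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject qfe in results)
            {
                using (qfe)
                {
                    string id = qfe["HotFixID"] as string;
                    if (id != null &&
                        string.Equals(id.Trim(), kbId, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
        }
        return false;
    }

    public static void Main(string[] args)
    {
        // Placeholder ID; pass the real KB number on the command line.
        string required = args.Length > 0 ? args[0] : "KB000000";
        try
        {
            if (IsHotfixInstalled(required))
                Console.WriteLine("{0} is installed.", required);
            else
                Console.WriteLine("{0} is NOT installed; the user should run Windows Update.", required);
        }
        catch (ManagementException ex)
        {
            // WMI can be unavailable or restricted. Treat that as "unknown",
            // never as "patched".
            Console.WriteLine("Could not query installed updates: {0}", ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Access denied while querying installed updates: {0}", ex.Message);
        }
    }
}
```

A failure to query is reported separately from "not installed" on purpose: an application that silently assumes the patch is present when WMI is unavailable repeats the mistake the section warns about.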

Locating General Security Tips for Everyone

Once you have a safe environment for your application, you still need to use safe coding practices to ensure the program will work as anticipated. Some coding practices are timeless, and you can use them with any programming language, or operating system for that matter. For example, you always want to check user input to ensure it’s the right kind of input within the correct range, and doesn’t violate any rules. In fact, if you look at many of the latest security issues for common applications, you’ll find that problems such as buffer overruns are quite common across all applications and all operating systems. (See Chapter 3 for a list of common problems that you can easily avoid when writing a .NET application.) Here are some Web sites that provide general security information that anyone can use.

Der Keiler (http://www.der-keiler.de/) This site ("Wild Boar" in English) provides a number of English-language mailing lists where you can ask specific security questions. In some cases, you'll also find information on security exploits that includes code and the potential fix. Many of the exploits discussed target server products such as SQL Server.

IT World (http://www.itworld.com/AppDev/) This site provides links to news stories from a number of trade magazines. The feature that makes this site so interesting is that you can drill down to specific topic areas. The link provided takes you to the general application development area. From there, you can drill down to Security Techniques and from there to topics such as Passwords. The organization of this site helps you locate information on a given topic quickly.

Microsoft Developer Network (http://msdn.microsoft.com/security/) Although it seems like an obvious place to start, many people assume that Microsoft doesn’t know anything about security. Actually, the developers at Microsoft have written a number of useful articles about security—more than you’ll find elsewhere.

Sometimes a single article can provide the wealth of general information you need to code more effectively. For example, the SANS Institute article entitled, “The Foundation to Secure Computing” provides general security advice that could fit any situation (http://www.sans.org/rr/code/sec_programming.php). This particular article comes with a list of interesting links that you can use for further research.

One of the best pieces I’ve read about security is the MSDN Magazine article entitled, “Defend Your Code with Top Ten Security Tips Every Developer Must Know” (http://msdn.microsoft.com/msdnmag/issues/02/09/SecurityTips/default.aspx). This article relies heavily on Visual C++ and Visual C#, but the ideas it conveys are universal.
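The input check recommended at the start of this section (right kind of input, within the correct range, not violating any rules) is easy to state and easy to get subtly wrong. The following is an added example in C#, not code from the book or from any of the articles cited: a quantity is accepted only if it parses as a plain decimal integer inside an explicit range, and a user name only if every character is on an allow list. The sample inputs at the bottom are constructed to include the cases that must be rejected.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example: check the type, range, and format of user input before
// the rest of the program ever sees the value.
public static class InputChecks
{
    // Accept only a plain decimal integer between 1 and 1000 inclusive.
    // Returns false (quantity stays 0) for empty text, signs, whitespace,
    // decimals, overlong input, or a value outside the range.
    public static bool TryParseQuantity(string text, out int quantity)
    {
        quantity = 0;
        if (text == null || text.Length == 0 || text.Length > 4)
            return false;                       // cheap length bound first
        int value;
        // NumberStyles.None allows digits only: no sign, no spaces, no thousands
        // separators, so " 7", "-5" and "3.0" all fail the type check here.
        if (!int.TryParse(text, NumberStyles.None, CultureInfo.InvariantCulture, out value))
            return false;
        if (value < 1 || value > 1000)
            return false;                       // right type, wrong range
        quantity = value;
        return true;
    }

    // Allow list for user names: 3 to 20 ASCII letters, digits, or underscores.
    // The anchors matter. Without ^ the pattern matches a substring, and in
    // .NET a trailing $ still matches before a final newline, so "eve\n" would
    // slip through; \z requires the absolute end of the string.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,20}\z", RegexOptions.CultureInvariant);

    public static bool IsValidUserName(string name)
    {
        return name != null && UserNamePattern.IsMatch(name);
    }

    public static void Main()
    {
        // Constructed sample inputs, including the ones that must be rejected.
        string[] quantities = { "42", "0", "1000", "1001", "-5", " 7", "3.0", "99999999999" };
        foreach (string q in quantities)
        {
            int value;
            bool ok = TryParseQuantity(q, out value);
            Console.WriteLine("quantity \"{0}\": {1}", q, ok ? "accepted as " + value : "rejected");
        }

        string[] names = { "alice_01", "ab", "bob; DROP TABLE users", "eve\n" };
        foreach (string n in names)
            Console.WriteLine("user name \"{0}\": {1}", n.Replace("\n", "\\n"),
                IsValidUserName(n) ? "accepted" : "rejected");
    }
}
```

Of the constructed inputs, only "42" and "1000" are accepted as quantities and only "alice_01" as a user name. The two points worth taking away are that the length bound and the restrictive NumberStyles reject bad input before any conversion happens, and that an allow list anchored at both ends of the string is the rule; a deny list of "bad characters" is the exception you will later regret.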

Finding .NET Framework Specific Security Tips

Finally, you must consider specific .NET Framework threats. This book helps you understand these threats and demonstrates methods for overcoming them. As time progresses, I’ll learn new information and post it on my Web site at http://www.mwt.net/~jmueller/. Make sure you tell me about any new threats you learn about using my email address JMueller@mwt.net. Security is a rather large area, though, and you’ll want to know about other general .NET security Web sites. Here are some you should consider adding to your favorites list, if you haven’t already.

The Code Project (http://www.codeproject.com/) This site contains a wealth of well-documented programming examples written by other developers. In general, you’ll find the examples are somewhat specific, but you can use the principles they teach in your own code. Unfortunately, the owner hasn’t organized this site by topic area, so you’ll need to search for the security topics. A search for .NET security returned 91 hits as of the time of this writing, so you have a lot from which to choose.

Microsoft .NET Specific Security (http://msdn.microsoft.com/net/security/) In addition to the general security topics you can find on Microsoft’s MSDN Web site, you can also find .NET specific topics. They’re located in a separate section from the general security topics.

.NET 247 (http://www.dotnet247.com/) One of the more interesting features of this Web site is that it includes a complete list of the .NET Framework namespaces and classes. Click on the links to find articles for that particular element. However, this site also provides articles listed by topic area. Many of the articles are ranked by importance, making it easier to choose the article you want to read.

Most security articles you read contain verifiable information written by conscientious authors. However, it's still important to verify information you receive from the press, a Web site, a friend, or anywhere else for that matter. A report could tell you that a security exploit exists when it doesn't, or describe a technique that doesn't actually work. In some cases, Microsoft's Web site will refute a particular charge of vulnerability. One such case is a complaint about the Visual C++ .NET compiler's buffer security check (the /GS compiler option) in a Cigital article entitled, "Microsoft Compiler Flaw Technical Note" at http://www.cigital.com/news/index.php?pg=art&artid=70. You'll find Microsoft's refutation at http://msdn.microsoft.com/visualc/compiler.asp. You can derive quite a bit of information from both articles, but here's the crux of the matter. The Buffer Security Check feature of Visual C++ adds a run-time check for stack buffer overruns, but it can't protect you from every kind of buffer overflow (it does nothing for heap overflows, for example), so good coding practice is always required. Anyone who wants to create great applications uses good coding practices anyway. The real danger is that you might get the wrong idea from Microsoft's original documentation and let down your guard; that's always fatal when it comes to security. Never let anyone tell you that you can get by with less than your best effort.


.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168