Summary

The .NET Framework is not the solution to all software security problems. However, it does provide some great benefits to current mainstream practices. It provides two new code download mechanisms ”direct execution of assemblies and browser-hosted controls. These two mechanisms provide a unique balance of overall power and security. For general-purpose software development and deployment, the .NET Framework provides a great mechanism for developers and administrators.

The .NET Framework addresses some networked computing software problems better than others:

• The default configuration of the framework is designed to be secure, so installing the framework doesn't require additional lockdown steps.

• Buffer overruns can be nearly eliminated by using verifiable managed code.

• Canonicalization bugs in applications cannot be completely removed using the .NET Framework. However, the framework does provide functionality to help eliminate canonicalization bugs .

• The .NET Framework attempts to prevent the leaking of information known to be sensitive. Applications written on the .NET Framework can still leak information, though.

• Denial-of-service issues are simply not handled well by the .NET Framework. You need to keep this in mind if your .NET Framework hosts are designed to run partially trusted code.

Overall, we hope that you have come to see the unique power of .NET Framework security. While it isn't a panacea for security problems on the Internet, it does provide some value not available with other mainstream software development environments.