Chapter 19. .NET Code Security

IN THE OLD DAYSback in the 20th centurythe primary way that we got software onto our machines went something like this: Go to software store; buy shrink-wrapped box containing disks; insert said disks into machine; install software. If that is the only way you put software on your machine, it is pretty hard to get a computer virusnot impossible, but pretty hard.

That world is long gone; code in the 21st century is both highly mobile and highly componentized. Generally, "monolithic" applications such as Word and Excel now make extensive use of third-party components and store customized code behind documents. Many machines are constantly connected to the Internet, a worldwide network chock full of evil hackers.

Ubiquitous networking and rich customization of everything from Web pages to spreadsheets are undoubtedly enabling technologies, but they come with the price of an enormous increase in the size of the attack surface available to malicious attackers. Anyone who has ever received a mass-mail virus e-mail or been infected by an Excel macro virus knows of what we speak!

Fortunately, the .NET Framework was designed from day one to provide tools to help mitigate the vulnerabilities inherent in modern software. This chapter starts with an overview of the .NET security system to explain some key concepts. Then the chapter takes a detailed look at how to use the .NET security system to keep yourself and your users productive while keeping attackers unproductive.

This discussion is especially relevant to VSTO because VSTO has the security model that no code is allowed to run by default. You always have to configure the .NET security system to trust a VSTO customization or add-in you build before it will run on a user's machine.