| These days, whenever a new technology platform is released, or even if a major upgrade is released, the question of how secure it is comes up frequently. The question is valid in this Internet-enabled distributed-computing age; it is quite common to see scenarios where applications are either accessed remotely within the company's intranet, within the company's trusted partner's extranet, or by the general customers, through the Internet. This notion of having applications accessed by outsiders highlights the need for security, to prevent a security attack on important or private information. In particular, typical security requirements of a .NET application can be divided into the following categories: -
Physical Security ” Physical security of the computer that provides access to the application is probably one of the most important aspects of security. Although physical security is not enough, particularly in the days of network computing, it is still required to prevent any direct unauthorized access to the physical server or workstation that runs the application. -
Authentication ” Only allow authorized users to access the system. In Windows applications, authentication is typically done by the application itself checking the identity of the user (using an authentication mechanism such as user ID/password, a hardware token (for example, SecureID, Digital Certificate) against a known list of users, typically specified in a user directory. For Web applications, (as highlighted in Chapter 8, "Developing Web Applications with ASP.NET," a standard mechanism based on a configuration file exists. -
Authorization ” After the user has been authenticated, he or she typically falls into a category of users that have certain privileges in the system. -
Encryption ” Encryption is required for two scenarios: First, sensitive information such as credit card data is typically stored in databases in an encrypted fashion using either a public/private key “based asymmetric encryption algorithm or by using a symmetric key encryption mechanism. The .NET Framework class library contains a set of cryptography classes that can be used to assist in the encryption process. The second requirement for encryption is for maintaining the communication channel between the user's desktop and the back-end server (Web server or application server). This is typically handled using a secure protocol, such as HTTPS, which uses public/private key “based digital certificates to encrypt the underlying communication channel. For instance, Web services can also be accessed securely by using the HTTPS communication channel. -
Code Validation/Verification ” Typically done by core CLR, the verification process validates the correctness of the file format (as per the Platform Executable specification) and type safety verification. For instance, it makes sure that the pointers have valid destinations. -
Security Best Practices ” All the preceding security requirements and their respective solutions are enablers for secure applications. As developers and administrators of these applications, the onus is on us to use them carefully . For instance, a typical best practice that is followed in any application is to automatically time out when no user activity occurs for a certain length of time. Another best practice is to enforce strong and frequently changed passwords, using policies and controls. Some of these best practices are very particular to the mode of application deployment; for instance, a key security best practice in Web applications is to validate all input values in forms so that malicious code in the form of input values cannot be passed and executed on the underlying system. -
Code Access Security ” In addition to the previous set of security requirements, a key requirement that exists specifically in scenarios where code is dynamically downloaded onto a user's workstation (or a server, for instance, accessing a remote shared assembly), is to ensure that the downloadable code doesn't get unauthorized access to the user's desktop (or the server). As you will learn in this chapter, the .NET Framework introduces the notion of Code Access Security to solve this particular problem. |
