Guarding Against Attacks in the Real World


The rapid advancement and spread of information technology give rise to new types of threats. For example, the advancement and spread of Web and e-mail technologies expose anyone using these technologies to the threat of worms or macro viruses such as the highly publicized Melissa, I Love You, Code Red, Nimda, and most recently SQLSlammer viruses, to name a few. Ironically, the technology providing so many great benefits—such as the ability to send e-mails with rich HTML content to anyone in the world—is the same technology responsible for the worldwide spread of viruses and shutting down of corporate networks for days at a time. In many cases, flaws in the technology, such as buffer overrun vulnerabilities, create opportunities for viruses to take hold and spread.

How did such vulnerabilities get introduced in the first place? In many cases, the developers who wrote the code for components exposed to the Internet did not do an adequate job of protecting their code against unexpected input, such as data exceeding the size of a buffer. Tools such as C and C++ that are used to create these components are partially to blame for allowing developers to write code that is inherently flawed.

Visual Basic .NET, and more broadly the .NET Framework, was developed in response to the need for development tools that do a better job of protecting your code against known threats. For example, the .NET Framework addresses the issue of buffer overflows by not allowing you to write code (in any .NET language) that is inherently at risk of a buffer overflow. However, as demonstrated in this chapter, the .NET Framework does not protect you against all types of threats. For example, the .NET Framework does not offer automatic protection against SQL-injection attacks—although with the release of Visual Basic .NET 2003, strides have been made to protect your code against cross-site scripting attacks.

Advancements in tools that protect your code against known vulnerabilities are welcome and a step in the right direction. However, it is impossible for programming languages (and associated run-time environments such as the .NET runtime) to keep pace with, let alone stay ahead of, the ever-changing set of threats brought on by advancing technology. The responsibility falls on you, the developer, to ensure that the code you write is as resilient as possible against all forms of attack.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168
