Chapter 1: Understanding .NET Security


Overview

  • Understanding the .NET Framework Security Enhancements

  • Defining the Security Issues .NET Doesn’t Handle

  • .NET Framework Architectural Considerations

Read any trade press magazine and you’ll likely run into one or two articles that consider the latest security threat, at least one about the latest security break-in, and several concerning the latest virus. All of these articles make it sound as if every piece of software you own is under attack. In many ways, your software is under attack—even the software you write. Crackers aren’t particular; they’ll use any hole they find to get into your system and cause damage.

Note

For the purposes of this book, the term cracker will refer to an individual that’s breaking into a system on an unauthorized basis. This includes any form of illegal activity on the system. On the other hand, the term hacker will refer to someone who performs authorized (legal) low-level system activities, including testing system security. Hackers also help find undocumented solutions to many computer needs and create workarounds for both hardware and software problems. In some cases, you need to employ the services of a good hacker to test the security measures you have in place, or suffer the consequences of a break-in.

The problem with most software now is that it was written before security threats like the ones today were known. In addition, many developers went to school at a time when security courses were rare or nonexistent. Microsoft is hoping to help with the developer training problem at least. As part of their Trustworthy Computing Initiative, Microsoft recently sponsored a new type of security class at the University of Leeds in England (see http://www.infoworld.com/article/03/03/21/HNmsteachhack_1.html for details on this story). The thing I find interesting about this course is that it employs hacking as part of the curriculum so the students can actually see both the positive and negative parts of applied security.

This chapter provides an overview of what the .NET Framework can do and what it can’t do to secure your systems. The book will discuss both the positive and the negative issues of using .NET as a security solution. You may be surprised to learn that .NET isn’t a total solution—that there are many areas of your system that it can’t protect. A realistic and honest evaluation of any security technology must include both elements. However, you’ll also learn that the .NET Framework provides many options not available in previous Windows technologies and that’s a step in the right direction.

Along with the practical issues of data and infrastructure protection, this chapter discusses a few necessary theoretical details. For example, you’ll learn some new information about the .NET Framework security architecture. I refer you to existing details in the help file and various Web sites to fill in the areas that other sources have already discussed to death.

Finally, you’ll see a few simple coding examples that demonstrate specific coding concepts. The examples in this chapter focus on usability or architectural issues. Chapter 2 actually begins showing how to use the .NET Framework namespaces and classes to create secure applications. Consider the examples in this chapter a preview of the information to come. They’re also simpler than the examples that follow—this is a starting point.

Note

All of the examples for this book are available in both Visual Basic and Visual C#. However, most of the code in the text will appear in Visual C# for consistency reasons. I’ll provide you with Visual Basic differences as needed. Otherwise, you can assume the principles I show in Visual C# translate directly to Visual Basic.




.NET Development Security Solutions
ISBN: 0782142664
EAN: 2147483647
Year: 2003
Pages: 168
