Articles filed in category 'Security'

  • Ken Getz' .Finalize() column.
  • Web services are all about connecting businesses in a standard and secure manner. For a real-life Web service, security is intrinsic to every facet of operation and no party would ever agree to interact with a non-secure Web service. Unfortunately, Web services security is still in its infancy; standards such as WS-I are just emerging and there is no built-in support in the development tools for them. That being said, there are quite a few programming techniques you can u...
  • IT professionals agree that input is a big source of trouble. Input ultimately determines how applications work and wrong or malicious input may cause serious damage. It is extremely important that developers have this fact firmly in mind and consequently apply adequate countermeasures. Starting from the perspective that all input is evil is a good approach. Reasoning in terms of a whitelist instead of a blacklist is another excellent strategy. Working with strongly type...
  • Markus Egger talks about developing secure applications.
  • .NET provides new tools to make deployment of fat client .NET applications easier. This article describes the basics of .NET Auto-Deployment technology and the security mechanism that prevents users from inadvertently running code distributed by hackers and virus writers.
  • I give up! I can’t really explain how the cloud works unless I cover the topic of authentication in the cloud first. If I didn’t tackle this topic first, I could only explain boring unauthenticated applications. The issue is, for all practical purposes the authentication fit for the cloud is claims based. There is no worldwide active directory you can rely on. There is no single aspnetdb.mdf database. What’s more, there are many kinds of authentications already - Faceboo...
  • COM+ gives the developer a way to build a flexible and powerful security system into applications without having to write a lot of custom code. This article will examine how to leverage the power of the COM+ security model.
  • Microsoft’s Azure platform has finally been released into production. This new entry into the cloud computing market provides .NET developers with a scalable, robust platform for developing applications. After over a year in CTP, Azure is finally ready for prime time. At PDC 2009, Microsoft announced the release of new components, such as the management API, that make Azure worth considering for use in production environments. In this article, I’ll demonstrate how to use ...
  • In real-world applications you just can't do without encryption. The problem with cryptography, though, is that sometimes it may make you use an overly complex API. The .NET Framework classes for cryptography don't require you to become an expert mathematician or a cryptography guru. In the .NET Framework you'll find symmetric and asymmetric cryptographic providers as well as hash providers. Some of these provider classes end up calling into the unmanaged CryptoAPI librar...
  • Sahil pours his vast SharePoint prowess into building apps that put languages on equal footings with one another.
  • Windows Communication Foundation (WCF) is a secure, reliable, and scalable messaging platform for the .NET Framework 3.0. With WCF, SOAP messages can be transmitted over a variety of supported protocols including IPC (named pipes), TCP, HTTP and MSMQ. Like any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls. This article will discuss how WCF accomplishes this.
  • Since the release of .NET 1.0 more than ten years ago, the classes governing identity have remained unchanged. That’s a good thing, because identity and security are at the core of most applications, so you don’t want that to change very often. However, with the release of .NET 4.5, the identity model has changed significantly.
  • David Stevenson interviews Steve Lipner, Microsoft's Director of Security Assurance; the article discusses how Microsoft is implementing security in their applications.
  • Software piracy runs rampant these days! You need to protect your code using a good licensing scheme and obfuscation. If you develop software for a living (and since you are reading this magazine, I assume you are), at some point you will most likely figure out how to protect your investment in that software. Two things you will need to do to accomplish this are to add licensing to your software, and to obfuscate your code so others cannot reverse engineer your hard work...
  • Users already have many usernames and passwords for different popular online services, and with OpenID and OAuth, you can leverage those. Why burden users with yet another set of credentials for your site if they can use their Google or Facebook account, or any other OpenID or OAuth account? In this article, I will show you how to do this with ASP.NET 4.5, but more importantly help you understand what’s going on behind the scenes.
  • Both Internet and intranet applications often require a custom store for user accounts and roles. ASP.NET 2.0 provides an out-of-the-box provider model as well as a SQL Server database just for that purpose. Unfortunately, the only way to administer the credentials databases is via Visual Studio 2005, and only for local Web applications. This article presents a full-blown custom security management application that administrators can use. The application wraps the ASP.NET...
  • Sahil uses the cloud to secure source code. You never know when someone downstream might share code with the rest of the world, and Managed Identity helps keep the things private that need to be.
  • Code Access Security (CAS) is the .NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code. Most developers don't have to work with CAS on a daily basis because the .NET Framework libraries take care of much of the work involved in securing code. However, when you do need to work with CAS, having a good understanding of CAS policy management is essential. Waiting until the eleventh hour in the project lifecycle and realizing that...
  • One of the most important security principles for software development is least privilege. Simply put, least privilege means that an application, process, or user should have the least access to resources required to accomplish a task and no more. By following this principle, even if your application is attacked or a user goes on the payroll of your nastiest competitor, you’ll have limited the potential damage. Bottom line: implementing partial trust in ASP.NET is the sin...
  • Great performance is one of many things being delivered in Internet Explorer 8 Beta 2, the latest version of the popular browser. Beyond a much faster JScript engine, Internet Explorer 8 Beta 2 includes profound performance improvements and exciting new developer features that make it one of the most exciting browser releases in years.
  • So you finally have a product to sell, and a site to sell it on. But wait; how do you prevent unauthorized users from downloading your products? Forms Authentication provides only part of the solution. In this article, I’ll show how to prevent specific users from accessing specific files on your site; even by browsing directly to them.
  • Reliability and privacy are two must-have features for every Web user. To that end, Internet Explorer 8 Beta 2 introduces powerful and easy-to-use features that improve the dependability of your browsing experience and the security of your personally identifiable information. Read on for all the details.
  • The Internet Explorer team has made significant investments to ensure that Internet Explorer 8 Beta 2 is the most secure version to date. Many of these improvements (like the SmartScreen anti-phishing/anti-malware filter) operate automatically and require no changes to Web pages or add-ons. However, other security improvements will impact Web applications and browser add-ons. This article describes how to take advantage of these new Internet Explorer security features to ...
  • If HTTPS or HTTP over TLS and registering certificates has got you down, you’ll want to read Rick’s take on this required technology. He’ll show you how to keep your website safe and introduce you to some useful new technologies.
  • SQL Server, like most complex databases, has potential security holes. This article discusses these security holes and how to close them.
  • In this third installment of his Angular security series, Paul addresses the Angular 6 release and shows you how to build an array of claims without single properties for security.
  • One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS). CAS provides a code-based, rather than user-based, authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005’s own, newly enhanced security features? By default your .NET code is reasonably secure, but it’s all too easy for the two security sche...
  • Rod Paddock Editorial Article - September/October 2005 Issue
  • Managing security is very important, and SharePoint provides several ways to manage password accounts. Sahil gives us the story.
  • Whenever you create a new SharePoint website, one of the questions SharePoint asks you is to select an authentication mechanism. Should it be NTLM or should it be Kerberos? The first time I installed SharePoint, I picked Kerberos, because it sounded like a tropical fruit, only to be prompted that this will need more work! Given that I’m the laziest person you know, I changed my selection to NTLM, and went with the less naggy version instead!
  • If you care about your data, you must upgrade to SQL Server 2005 the day it is released. There simply is no other option. An outrageous assertion? Perhaps. I tend to split my time equally between praising and bashing Microsoft, but the new security features and tools in SQL Server 2005 will be mandatory for protecting your data from today's increasingly sophisticated attacks. Most importantly, SQL Server 2005's many layers of security provide for defense in depth in which...
  • An important principle of software design is that of “least privilege.” Basically, in any given layer of a program, you should only grant minimal access such that the code has rights to only exactly the resources it needs to get its job done, and nothing more. Most SQL Server developers understand this concept: one of the main reasons to use stored procedures is to encapsulate permission to data behind controlled and auditable interfaces, thereby not giving the caller direct access.
  • Sometimes an application needs to keep its data in its own secure "sandbox". This article demonstrates creating these isolated applications in .NET.
  • Active Directory Service Interfaces (ADSI) is a COM-based set of interfaces that allow you to interact with and manipulate directory service interfaces. That means it's a cool way for scripts and code to add users, change passwords, create network groups, control IIS programmatically, and start and stop services. In this article, I'll cover the basic ADSI syntax and give you some example code to use in your own applications.
  • Bitcoin has been in the news a lot lately. If you ever wondered how it worked, you’ll want to read what Chris has to say.
  • The first step in securing your application is to understand threats. This article discusses how to understand where your application may be threatened.
  • If you need your data secure, there’s probably no better way to ensure it than a Blockchain. Wei-Meng explains how it all works and then helps you build your own.
  • You know about the importance of securing your data. But, how do you add industrial strength security to your program? The answer is simple: use the Windows Crypto API.
  • Building an audit trail into your application provides a mechanism for tracking who updated what when, and the new generics feature in Whidbey helps you build that trail. The Whidbey release of .NET will include a new Common Language Runtime (CLR) feature called generics. Generics allow you to use a variable to represent a desired data type, and thereby create very generic code (hence the name) that works with any data type. You define the data type for the generic variabl...
  • ASP.NET 2.0 comes with several new security controls (located under the Login tab in the Toolbox; see Figure 1) that greatly simplify the life of a Web developer. Using the new security controls, you can now perform tasks such as user logins, registration, password changes, and more, with no more effort than dragging and dropping controls onto your Web form. In this article, I will show you how you can use these new controls to perform user authentication.
  • Michiel van Otegem explains Software-as-a-Service by comparing various online products and shows you how to store information about users whether you use Active Directory or Windows Azure Active Directory in the cloud.
  • The smart way to share data between computers and other people is to place it in an online Internet store, which the other parties can access, but you want to make sure only the right people can access your data. This article will help you understand how the Windows Live delegated authentication system is used to access certain Windows Live data stores and the technologies Microsoft is building to make this work easier for you.