Posted: Thu Dec 25, 2003 7:08 pm Post subject: Book Review - Programming .NET Security
Programming .NET Security
Author(s): Adam Free & Allen Jones
Book Specifications: Soft-Cover, 693 pages
User Level: Advanced Programming
Suggested Publisher Price: $44.95 USA / $69.95 CAN / £29.92 Net UK (inc. VAT)
Amazon.co.uk: Programming .NET Security
Amazon.com: Programming .NET Security
Info from Back: "The .NET Framework, Microsoft’s latest development platform, is rich in features for the design and development of secure applications, for clients as well as web applications and services. But for .NET developers unaccustomed to the security requirements that are now a regular part of application RFPs, the question is not so much a matter of locating appropriate namespaces and types, but choosing the right security architecture for a given solution and knowing which .NET features to use in implementing it.”
Times have changed, and with them so have programming requirements. Or, to be more precise, coding practices have had to change to accommodate the increasing threats that talented hackers pose to many of today's applications. Developing secure code never used to be a consideration, but the dangers these applications face today have forced a review of that practice. With these thoughts in mind, the .NET Framework has incorporated several key new features; useful features native to .NET include assemblies and application domains, among others. Though the .NET language is still a niche one, it was designed with security in mind, and as such this book would be of interest to all those who develop programs using C# and Visual Basic .NET.
Content & Overview
As the book's title advertises, this book deals with the security aspects of the .NET Framework and how to leverage it to produce code that is optimized for security. One of the key concepts explained in this book is the use of "assemblies". The assembly itself is the basic building block in which your code is stored before it is compiled into MSIL (Microsoft Intermediate Language). An important distinction is drawn here as well between the two separate types of assemblies: single-file and multiple-file assemblies. The great advantage of a multiple-file assembly is that it can contain various .NET languages, such as C# and Visual Basic .NET. Also shown is how to protect against disassembly, and the side effects of employing such techniques: it becomes far more difficult to troubleshoot various coding problems, and it may even introduce some.
Another core concept of the .NET Framework is cryptography. This is covered in an excellent level of detail, as befits the highly complex subject. Covered first is an introduction to cryptography itself, which is then followed by specific topics like hashing algorithms, symmetric and asymmetric encryption, and digital signatures. To make the most of the framework, one must understand the theory behind the above-noted topics.
Covered as well are ASP.NET application security considerations, COM+ security factors, and the Event Log service. These topics are crucial in light of their use in creating web content, and the well-known habit of hackers targeting COM+ as an exploit vector. An introduction to runtime security, permissions, role-based security, and isolated storage is also covered, amongst other topics. A structured approach is taken with the subject matter, as seen in the five parts of the book noted below:
Part I. Fundamentals
Part II. .NET Security
Part III. .NET Cryptography
Part IV. .NET Applications Framework
Part V. API Quick Reference
All of the above-noted subjects are key to understanding how to build secure code, which will be far more resistant to disassembly efforts and the resulting exploit code. With the increasing amount of commerce and money that the web is generating, it is no longer an option to have poorly coded applications.
Style and Detail
Due to this book being about programming, there is not a plethora of screenshots showing various graphical user interfaces. Shown, however, to make certain points clearer, are a large sampling of code and some clearly drawn diagrams. The information is presented clearly and succinctly. As mentioned above, the book uses a great deal of code snippets to clarify the concepts being explained. This is the only way to explain such dense subject matter, as there is no way to simply explain it without showing an example. Explained very well, and of note in this book, are the cryptographic concepts, in particular the already-mentioned symmetric and asymmetric encryption methods. This is an area becoming increasingly important as more applications bundle some type of encryption or security into themselves.
Being a budding programmer myself, I read this book with interest to see what changes have been made to make .NET programming more secure. Through the use of code access, permissions, and reverse-engineering protection, the .NET Framework allows developers using C# and Visual Basic .NET, among others, to design secure applications from the ground up. This in turn will hopefully start to stem the tide of unending vulnerabilities which affect both users and providers using the web today. It should be noted once again, though, that this book is not for programming beginners and is aimed at those who already program in some .NET language. This book makes no attempt to show you how to program in this language, but rather how to program securely with it.
This book gets an SFDC 7/10 from me
Keywords for this post: Programming .NET Security
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
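An added example, not from the book and not part of the reviewer's post: the three cryptographic building blocks the review lists (hashing, symmetric encryption, digital signatures) written in C# against System.Security.Cryptography. It assumes .NET Framework 4.6 or later (or .NET Core / .NET 5+), since it uses the HashAlgorithmName and RSASignaturePadding overloads; the book, written for .NET 1.x, uses SHA256Managed, RijndaelManaged and the older RSACryptoServiceProvider.SignData(byte[], object) overload for the same operations. The class and method names and the sample message are constructed for illustration.

```csharp
// Added example (not from the book or the reviewer). Hash, AES-CBC encrypt/decrypt
// with a per-message random IV, and RSA/SHA-256 sign/verify, using only
// System.Security.Cryptography. Assumes .NET Framework 4.6+ or .NET Core/.NET 5+.
using System;
using System.Security.Cryptography;
using System.Text;

public static class DotNetCryptoDemo
{
    // SHA-256 digest of a byte array.
    public static byte[] Hash(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(data);
        }
    }

    // AES-256-CBC with a fresh random IV for every message. The IV is prepended
    // to the ciphertext so Decrypt can recover it. Reusing an IV under the same
    // key reveals whether two plaintexts share a prefix, so never hard-code one.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;                  // 32-byte key -> AES-256
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + body.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
                return output;
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            int ivLen = aes.BlockSize / 8;  // 16 bytes for AES
            if (blob.Length < ivLen)
            {
                throw new CryptographicException("ciphertext too short to hold an IV");
            }
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(blob, 0, iv, 0, ivLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(blob, ivLen, blob.Length - ivLen);
            }
        }
    }

    // RSA PKCS#1 v1.5 signature over SHA-256. CBC encryption alone does not
    // detect tampering; a signature (or a MAC) is the separate step that does.
    public static byte[] Sign(RSA privateKey, byte[] data)
    {
        return privateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static bool Verify(RSA publicKey, byte[] data, byte[] signature)
    {
        return publicKey.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        // Constructed sample input, not data from the book.
        byte[] message = Encoding.UTF8.GetBytes("order=42;amount=19.99");

        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }

        Console.WriteLine("SHA-256: " + BitConverter.ToString(Hash(message)).Replace("-", ""));

        byte[] blob = Encrypt(key, message);
        byte[] back = Decrypt(key, blob);
        Console.WriteLine("round trip ok: " + (Encoding.UTF8.GetString(back) == "order=42;amount=19.99"));

        using (RSA rsa = new RSACryptoServiceProvider(2048))
        {
            byte[] sig = Sign(rsa, message);
            Console.WriteLine("signature verifies: " + Verify(rsa, message, sig));

            // Flip one bit of the message: verification must now fail.
            byte[] tampered = (byte[])message.Clone();
            tampered[0] ^= 0x01;
            Console.WriteLine("tampered verifies: " + Verify(rsa, tampered, sig));
        }
    }
}
```

Compile with csc (or place in a console project and run with dotnet run). The two points the review's prose does not show are the per-message IV, which is why Encrypt and Decrypt carry the IV inside the blob rather than sharing a fixed one, and the tamper check at the end, which shows that encryption and integrity are separate guarantees.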