Programming .NET Security

Description

With the spread of web-enabled desktop clients and web-server based applications, developers can no longer afford to treat security as an afterthought. It's one topic, in fact, that .NET forces you to address, since Microsoft has placed security-related features at the core of the .NET Framework. Yet, because a developer's carelessness or lack of experience can still allow a program to be used in an unintended way, Programming .NET Security shows you how the various tools will help you write secure applications.

Full Description

With the spread of web-enabled desktop clients and web-server based applications, developers can no longer afford to treat security as an afterthought. It's one topic, in fact, that .NET forces you to address, since Microsoft has placed security-related features at the core of the .NET Framework. Yet, because a developer's carelessness or lack of experience can still allow a program to be used in an unintended way, Programming .NET Security shows you how the various tools will help you write secure applications. The book works as both a comprehensive tutorial and reference to security issues for .NET application development, and contains numerous practical examples in both the C# and VB.NET languages. With Programming .NET Security, you will learn to apply sound security principles to your application designs, and to understand the concepts of identity, authentication and authorization and how they apply to .NET security. This guide also teaches you to:

use the .NET run-time security features and .NET security namespaces and types to implement best-practices in your applications, including evidence, permissions, code identity and security policy, and role based and Code Access Security (CAS) use the .NET cryptographic APIs , from hashing and common encryption algorithms to digital signatures and cryptographic keys, to protect your data.
use COM+ component services in a secure manner

If you program with ASP.NET will also learn how to apply security to your applications. And the book also shows you how to use the Windows Event Log Service to audit Windows security violations that may be a threat to your solution. Authors Adam Freeman and Allen Jones, early .NET adopters and long-time proponents of an "end-to-end" security model, based this book on their years of experience in applying security policies and developing products for NASDAQ, Sun Microsystems, Netscape, Microsoft, and others. With the .NET platform placing security at center stage, the better informed you are, the more secure your project will be.

Table of Contents

Fundamentals
1. Chapter 1 Security Fundamentals
  1. The Need for Security
  2. Roles in Security
  3. Understanding Software Security
  4. End-to-End Security
2. Chapter 2 Assemblies
  1. Assemblies Explained
  2. Creating Assemblies
  3. Shared Assemblies
  4. Strong Names
  5. Publisher Certificates
  6. Decompiling Explained
3. Chapter 3 Application Domains
  1. Application Domains Explained
4. Chapter 4 The Lifetime of a Secure Application
  1. Designing a Secure .NET Application
  2. Developing a Secure .NET Application
  3. Security Testing a .NET Application
  4. Deploying a .NET Application
  5. Executing a .NET Application
  6. Monitoring a .NET Application
.NET Security
1. Chapter 5 Introduction to Runtime Security
  1. Runtime Security Explained
  2. Introducing Role-Based Security
  3. Introducing Code-Access Security
  4. Introducing Isolated Storage
2. Chapter 6 Evidence and Code Identity
  1. Evidence Explained
  2. Programming Evidence
  3. Extending the .NET Framework
3. Chapter 7 Permissions
  1. Permissions Explained
  2. Programming Code-Access Security
  3. Extending the .NET Framework
4. Chapter 8 Security Policy
  1. Security Policy Explained
  2. Programming Security Policy
  3. Extending the .NET Framework
5. Chapter 9 Administering Code-Access Security
  1. Default Security Policy
  2. Inspecting Declarative Security Statements
  3. Using the .NET Framework Configuration Tool
  4. Using the Code-Access Security Policy Tool
6. Chapter 10 Role-Based Security
  1. Role-Based Security Explained
  2. Programming Role-Based Security
7. Chapter 11 Isolated Storage
  1. Isolated Storage Explained
  2. Programming Isolated Storage
  3. Administering Isolated Storage
.NET Cryptography
1. Chapter 12 Introduction to Cryptography
  1. Cryptography Explained
  2. Cryptography Is Key Management
  3. Cryptographic Attacks
2. Chapter 13 Hashing Algorithms
  1. Hashing Algorithms Explained
  2. Programming Hashing Algorithms
  3. Keyed Hashing Algorithms Explained
  4. Programming Keyed Hashing Algorithms
  5. Extending the .NET Framework
3. Chapter 14 Symmetric Encryption
  1. Encryption Revisited
  2. Symmetric Encryption Explained
  3. Programming Symmetrical Encryption
  4. Extending the .NET Framework
4. Chapter 15 Asymmetric Encryption
  1. Asymmetric Encryption Explained
  2. Programming Asymmetrical Encryption
  3. Extending the .NET Framework
5. Chapter 16 Digital Signatures
  1. Digital Signatures Explained
  2. Programming Digital Signatures
  3. Programming XML Signatures
  4. Extending the .NET Framework
6. Chapter 17 Cryptographic Keys
  1. Cryptographic Keys Explained
  2. Programming Cryptographic Keys
  3. Extending the .NET Framework
.NET Application Frameworks
1. Chapter 18 ASP.NET Application Security
  1. ASP.NET Security Explained
  2. Configuring the ASP.NET Worker Process Identity
  3. Authentication
  4. Authorization
  5. Impersonation
  6. ASP.NET and Code-Access Security
2. Chapter 19 COM+ Security
  1. COM+ Security Explained
  2. Programming COM+ Security
  3. Administering COM+ Security
3. Chapter 20 The Event Log Service
  1. The Event Log Service Explained
  2. Programming the Event Log Service
API Quick Reference
1. Chapter 21 How to Use This Quick Reference
  1. Finding a Quick-Reference Entry
  2. Reading a Quick-Reference Entry
2. Chapter 22 Converting from C# to VB Syntax
  1. General Considerations
  2. Classes
  3. Structures
  4. Interfaces
  5. Class, Structure, and Interface Members
  6. Delegates
  7. Enumerations
3. Chapter 23 The System.Security Namespace
4. Chapter 24 The System.Security.Cryptography Namespace
5. Chapter 25 The System.Security.Cryptography.X509Certificates Namespace
6. Chapter 26 The System.Security.Cryptography.Xml Namespace
7. Chapter 27 The System.Security.Permissions Namespace
8. Chapter 28 The System.Security.Policy Namespace
9. Chapter 29 The System.Security.Principal Namespace

Colophon

Product Details

Title:

Programming .NET Security

By:

Adam Freeman, Allen Jones

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print Release:

June 2003

Ebook Release:

February 2009

Pages:

720

Print ISBN:

978-0-596-00442-2

| ISBN 10:

0-596-00442-7

Ebook ISBN:

978-0-596-10405-4

| ISBN 10:

0-596-10405-7

Customer Reviews

About the Authors

Adam Freeman

Adam Freeman is a professional programmer and the author of two early Java books, Programming the Internet with Java and Active Java, both published by Addison Wesley, as well as Java course materials. His recent experience architecting a green-field e-commerce platform has given him an in-depth understanding of the current security challenges facing those developing large scale distributed systems. Adam has previously worked for Netscape, Sun Microsystems and the NASDAQ stock exchange.

View Adam Freeman's full profile page.
Allen Jones

Allen Jones has been developing Windows solutions since 1990 and working with Windows NT and Win32 since 1993. He was one of the first MCSEs to qualify anywhere in the world. For the last 3 years, Allen has been developing e-commerce and security systems for large corporations and financial institutions. He is a former employee of Microsoft in both Australia and the UK and co-author, with Adam Freeman, of C# for Java Developers and .NET XML Web Services Step by Step , both from Microsoft Press.

View Allen Jones's full profile page.

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The animal on the cover of Programming .NET Security is a Smoothhound shark. The Smoothhound shark is a harmless bottom-dwelling reef shark, which is also known as a mud shark or dogfish. It is a moderately sized shark with two high dorsal fins and short blunt teeth. It also has small grinding plates, which are used to crush shellfish. Besides shellfish, the Smoothhound shark forages reefs for worms, octopuses, and small fish.

The Smoothhound shark can be found in both inshore and offshore habitats, often over tidal flats and in shallow bays. Also, the Smoothhound shark is viviporous, which means it gives birth to live young; inside the female body, pups hatch from eggs and remain there until they are fully developed. Sarah Sherman was the production editor and copyeditor, and Matt Hutchinson was the proofreader for Programming .NET Security. Claire Cloutier provided quality control. Johnna VanHoose Dinse and Tom Dinse wrote the index.

Ellie Volckhausen designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Emma Colby produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.

David Futato designed the interior layout. This book was converted by Andrew Savikas to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Sarah Sherman.

O'Reilly Books & Videos

Fundamentals

Chapter 1 Security Fundamentals

Chapter 2 Assemblies

Chapter 3 Application Domains

Chapter 4 The Lifetime of a Secure Application

.NET Security

Chapter 5 Introduction to Runtime Security

Chapter 6 Evidence and Code Identity

Chapter 7 Permissions

Chapter 8 Security Policy

Chapter 9 Administering Code-Access Security

Chapter 10 Role-Based Security

Chapter 11 Isolated Storage

.NET Cryptography

Chapter 12 Introduction to Cryptography

Chapter 13 Hashing Algorithms

Chapter 14 Symmetric Encryption

Chapter 15 Asymmetric Encryption

Chapter 16 Digital Signatures

Chapter 17 Cryptographic Keys

.NET Application Frameworks

Chapter 18 ASP.NET Application Security

Chapter 19 COM+ Security

Chapter 20 The Event Log Service

API Quick Reference

Chapter 21 How to Use This Quick Reference

Chapter 22 Converting from C# to VB Syntax

Chapter 23 The System.Security Namespace

Chapter 24 The System.Security.Cryptography Namespace

Chapter 25 The System.Security.Cryptography.X509Certificates Namespace

Chapter 26 The System.Security.Cryptography.Xml Namespace

Chapter 27 The System.Security.Permissions Namespace

Chapter 28 The System.Security.Policy Namespace

Chapter 29 The System.Security.Principal Namespace

Colophon

Adam Freeman

Allen Jones