Solutions at a Glance... great for all .NET developers interested in security...
I was just talking with J.D. Meier (from PAG) about the Improving Application Security book and he pointed out a great page to me... the "Solutions At A Glance" list... this page lists a ton of very frequently asked questions around .NET security and provides links deep into all that great PAG security info.
Some examples;
How to write secure managed code
Use strong names to digitally sign your assemblies and to make them tamperproof. At the same time you need to be aware of strong name issues when you use strong name assemblies with ASP.NET. Reduce your assembly attack profile by adhering to solid object oriented design principles, and then use code access security to further restrict which code can call your code. Use structured exception handling to prevent sensitive information from propagating beyond your current trust boundary and to develop more robust code. Avoid canonicalization issues, particularly with input file names and URLs.
For information about how to improve the security of your managed code, see Chapter 7, "Building Secure Assemblies." For more information about how to use code access security effectively to further improve security, see Chapter 8, "Code Access Security in Practice." For information about performing managed code reviews, see Chapter 21, "Code Review."
and
How to prevent SQL injection
Use parameterized stored procedures for data access. The use of parameters ensures that input values are checked for type and length. Parameters are also treated as safe literal values and not executable code within the database. If you cannot use stored procedures, use SQL statements with parameters. Do not build SQL statements by concatenating input values with SQL commands. Also, ensure that your application uses a least privileged database login to constrain its capabilities in the database.
For more information about SQL injection and for further countermeasures, see "SQL Injection" in Chapter 14, "Building Secure Data Access."
For a ton more questions and answers, you can check out the entire page here
Comments
- Anonymous
July 27, 2004
We wanted to provide the same benefit of SOLUTIONS AT A GLANCE (in Improving .net app security: Threats & Countermeasures) for our Performance & scalability guide, in this guide we call it BEST PRACTICES AT A GLANCE (instead of SOLUTIONS AT A GLANCE)
LINK to GUIDE - http://msdn.microsoft.com/perf
LINK to BEST PRACTICES AT A GLANCE - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/ScaleNet-AtGlance.asp?frame=true - Anonymous
July 27, 2004
Since about this time last year, I have been inspired by many of you at Microsoft to become an advocate for developing secure software both as a professional and as a hobbiest. One question that, even after attending a Security Summit in May, has not been answered for me is whether or not a Strongly-named assembly MUST be installed into the GAC. My company has numerous applications that are hosted by a third-party in a shared environment and, obviously, we do not have control over what gets installed in the GAC and what doesn't. My dream, be-it a lofty one, is to offer all of my customers the highest level of secure software as possible. But, if sandboxed wrappers, etc. need to be installed into the GAC on a machine I do not manage, my web apps cannot run at least privilage - as far as my understanding.
It would be awesome and a huge help if there could be some clariication made regarding this issue. I also would welcome any comments or questions, should they arise.
Thanks
Harris Boyce
IntelliMark
hboyce@intellimark-it.com - Anonymous
August 04, 2004
You may be able to give me assistance or point me to where I may be able to find a solution to my problem. I'm using VB6 Professional Edition. I'm new to programming. My problem is as follows: I have created two db files using Access, a family file and a student file. One family may have one or more students allocated to it. I have to inform the families of the students allocated to them using from letters created using MS Word and using mail-merge. How do I creare a file that will return each family and the students allocated to it so that I can incorporate into a mail-merge document. I hope that I have explained the problen satisfactorily
Michael Cosgrave