Amazon.com: .NET Framework Security (9780672321849): Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price: Books


.NET Framework Security [Paperback]

Brian A. LaMacchia (Author), Sebastian Lange (Author), Matthew Lyons (Author), Rudi Martin (Author), Kevin T. Price (Author)
3.8 out of 5 stars (13 customer reviews)




Book Description

Publication Date: April 24, 2002 | ISBN-10: 067232184X | ISBN-13: 978-0672321849 | Edition: 1st
.NET Framework Security covers the security features of the .NET Framework and Common Language Runtime. The focus is on the new technologies introduced with .NET, with treatment of existing technologies as leveraged by .NET (but not those existing technologies themselves).


Editorial Reviews

From the Back Cover

In 1997, Microsoft embarked on a "bet the company" strategy that was to reinvent the way the company did business. Even before its release, .NET made major strides in reinventing the way that software developers viewed the software they wrote.

Now that it is released, .NET and the .NET Framework will change the software development process for good.

.NET Framework Security provides the ultimate high-end comprehensive reference to all of the new security features available in .NET. Through extensive code samples and step-by-step walkthroughs of configuration techniques, the reader is taken deep into the world of secure applications. Demonstrations of creating custom procedures and a full explanation of each aspect separate this book from many other "lecture books." Many of the concepts expressed in this book are not only viable in .NET, but on the Internet in general. These factors combined make this the one reference that every developer and system administrator should have.

.NET Framework Security provides

  • An extensive introduction to and explanation of Code Access Security, the powerful new security system shipping in the .NET Framework
  • Information on how to write and test safe applications using the .NET Framework
  • Extensive coverage on how to effectively administer .NET Framework security
  • In-depth introduction to the cryptography library shipping in the .NET Framework, including an introduction to XML digital signatures
  • An overview of all of the new security features available in .NET
  • Code samples that can be used to implement security on your own Web site or application
  • Step-by-step guidelines for modifying the various configuration files associated with .NET, and an explanation of the elements involved
  • Instructions for all of the aspects of security in the CLR and what it means
  • How to use ASP.NET to create a secure application
  • Explanations for using the CryptoAPI libraries to create your own custom functionality
  • Guidelines on how to create secure network applications as well as applications that exist on the Internet
  • Detailed examples of how to establish security parameters in IIS that relate to ASP.NET
  • Instructions for administering .NET applications hosted in IE




About the Author

Brian A. LaMacchia is the Development Lead for .NET Framework Security at Microsoft Corporation in Redmond, WA, a position he has held since April 1999. Previously, Dr. LaMacchia was the Program Manager for core cryptography in Windows 2000 and, prior to joining Microsoft in 1997, he was a Senior Member of Technical Staff in the Public Policy Research Group at AT&T Labs-Research in Florham Park, NJ. He received S.B., S.M., and Ph.D. degrees in Electrical Engineering and Computer Science from MIT in 1990, 1991, and 1996, respectively.

Sebastian Lange has been working at Microsoft as Program Manager on the .NET Framework Common Language Runtime security team for over two years. He focuses on security configuration, administration, type safety verification, and secure hosting of the CLR. Prior to his work on security, Sebastian has done research and design in artificial intelligence, both in industry as well as in university. He holds a B.A. in Computer Science and a B.A. in Philosophy from Macalester College. In his spare time, Sebastian practices a variety of musical instruments, and can be seen playing the electric viola for his band Elysian up and down the west coast.

Matthew Lyons is the QA lead for security features of the Common Language Runtime at Microsoft Corporation. He has been testing and developing against the internal workings of .NET Framework security for over two years. Before that, he spent two years testing public key cryptography and the certificate services in Windows 2000. Matt received a B.S. in Applied Physics from Purdue University in 1997 and is currently working on an M.S. in Computer Science at the University of Washington.

Rudi Martin graduated from Glasgow University (Scotland, U.K.) in 1991 with a B.S.C. in Computing Science. He spent seven years working for Digital Equipment Corporation in the operating systems group, covering areas such as file systems, interprocess communications, and transaction processing. Rudi joined the NDP group at Microsoft in 1999, where he worked in the core execution engine and the security subsystem. He worked on the OpenVMS platform, transitioned to Windows NT, and has been very busy with the Common Language Runtime security group.

Kevin T. Price has been a software architect for over seven years specializing in Web-based applications. He is presently a Senior Software Architect for CMS Information Services in Vienna, VA. Kevin has edited books on .NET as well as authored chapters in BizTalk Unleashed. The material and code samples found in his chapters reflect real-world experience. Focusing on the securing of information and platform scalability, Mr. Price has both architecture and hands-on experience using technologies including ASP, Crypto API, JSP, Java, COM/DCOM, VB, C++, .NET, and numerous other technologies related to the Internet and/or the Microsoft-based toolset.


Product Details

  • Paperback: 816 pages
  • Publisher: Pearson Education; 1st edition (April 24, 2002)
  • Language: English
  • ISBN-10: 067232184X
  • ISBN-13: 978-0672321849
  • Product Dimensions: 9.1 x 7.3 x 1.8 inches
  • Shipping Weight: 2.8 pounds
  • Average Customer Review: 3.8 out of 5 stars (13 customer reviews)
  • Amazon Best Sellers Rank: #2,173,168 in Books

 

Customer Reviews

13 Reviews
5 star: (6)
4 star: (3)
3 star: (0)
2 star: (3)
1 star: (1)

Most Helpful Customer Reviews

15 of 16 people found the following review helpful:
4.0 out of 5 stars Best security infrastructure book I've read, February 7, 2003
This review is from: .NET Framework Security (Paperback)
This is the best book about the security infrastructure of Microsoft .NET Framework that I have ever read. This book has brought me the overall picture of the .NET security system: How does the system work and interact with the existing security system on Win NT platform? In addition, the book is clearly written, well-organized, and full of in-depth information.

Overall, I consider this an excellent book which could satisfy the security needs for all .NET developers and administrators.

This book is divided into five sections:

1. Introduction to the .NET Developer Platform Security:

This section provides an introduction to the .NET Framework platform and all of the new security features available. Although this section describes only brief information, I still recommend that everyone should read it first before jumping to the others. The first section "provides common background material for the topic-specific discussions in the remainder of the book."

2. Code Access Security Fundamentals:


This section provides an extensive introduction to Code Access Security, a powerful and surprising code-based security feature shipping in .NET Framework. Many new terminologies are explained: Evidence, Permissions, Stack Walk, Code Groups, Policy Levels, etc.

This section is really difficult. I felt overwhelmed with too many new concepts and skipped it. However, after reading some chapters of the next section, I realized that the code-based security concept is the keystone for the entire security system. I had to come back to section two and read it carefully. Learn from my lesson: you should try to understand it the first time you read it.

3. ASP.NET and Web Services Security Fundamentals:

This section provides brief information about server-side security features of ASP.NET and Web Services.

4. .NET Framework Security Administration:

This section provides a comprehensive guide to administering .NET Framework security. It shows you when and how to make modifications. Some topics are presented as tutorials. It is very easy to capture and follow the steps.

5. .NET Framework Security for Developers

The final section is devoted to developers. It provides all needed information to build secure assemblies, web sites, applications, and web services. It also provides an in-depth introduction to the cryptography library shipping in the .NET Framework and to XML digital signatures. For developers who don't have enough time to read the whole book, this is the section that you should spend your time on. -- Review by Trung N.



14 of 15 people found the following review helpful:
2.0 out of 5 stars Good material on CAS, TERRIBLE material on ASP.NET Security, April 29, 2004
By C. Jackson (Chicago, IL, United States)
Amazon Verified Purchase
Four of the authors do a reasonably good job explaining the whole concept of CAS. At times, they seem to be repeating themselves, but the result is that you cannot walk away without understanding what they wanted you to understand because of this repetition.

The downside of this book is the material by Kevin T. Price. They delegated the ASP.NET/Web security to him. Much of his work is a cut and paste of the SDK docs. For his examples, he uses the grid layout of ASP.NET, which makes the declarative code completely unreadable. He leaves in all of the code generated by Visual Studio.NET, despite its irrelevance. He spends a great deal of time discussing IIS configuration, which you might argue is not relevant to the subject matter at hand (this should be a very specialized book, and it is everywhere else). He refers us to a code download on the Sam's website - unfortunately, Sam's is not the publisher of this book. He puts in some sample JSP code for no apparent reason, apparently to teach us about diversity in the web environment. When you buy a book on .NET Framework Security, it is probably because you are interested in .NET, and not because you are interested in the web development ecosystem. Finally, his grand finale chapter is on writing a secure web application. All he manages to achieve here is to create a forms auth login page. Even more troubling is the fact that this sample - in a book on *security* - has a glaring SQL Injection Vulnerability. The one thing he creates is completely and disturbingly wrong.

Web developers who buy this book to write more secure applications are likely to end up writing even worse applications by implementing his ideas.

Read this book if you want to learn about CAS. Do not stop at this book if you actually need to write secure web applications - in fact, don't even start here. You're better off sticking with the PAG materials.



9 of 9 people found the following review helpful:
5.0 out of 5 stars The definite security reference for .NET applications, May 1, 2002
By A Customer
This review is from: .NET Framework Security (Paperback)
Make no mistake, as you will get your hands wet programming Microsoft's "managed code" (C#, VB or ASP.NET apps), you will eventually encounter the all-pervasive and extensive security system that is integrated in .NET.
This book is the definite security reference and guide to the new programming platform that Microsoft has shipped - and the only book of its kind on the market as far as I can see. It has been written by the people who have designed and implemented the security features and infrastructure in the .NET Framework that ASP.NET, C#, VB or Managed C++ applications run on.
It's stuffed with sample code and hands-on tips, and comes with extensive sections geared specifically towards developers and admins. Chapters are well contained and you get the kind of insider information only the people who have actually built and designed the system would be able to give you.
800 plus pages of security information for the Amazon price is quite a good bang for the buck, so I highly recommend this book as I think it will be a good learning aid in trying to understand .NET security and remain valuable as a reference work afterwards.