July 22, 2003
Addressing Windows' Vulnerabilities at the Application Level: O'Reilly Releases "Programming .NET Security"
Sebastopol, CA--When independent researchers found a flaw in Windows
Server 2003 recently, they underscored the central fact in the computer
industry today: now that the .NET Framework and other platforms support
highly distributed systems and web-based server applications that are
inherently more difficult to protect, security is an issue that
everyone involved needs to address. Despite the flaw, Microsoft's .NET
platform is by far its most secure, and according to Adam Freeman,
coauthor of Programming .NET Security (O'Reilly, US $44.95), the
majority of security lapses are in fact due to carelessness or lack
of experience on the part of application developers.
"Programmers have traditionally treated security as an afterthought,
but there is a growing appreciation that security is a requirement, not
an option, that should be integrated into the development process,"
Freeman explains. "The simple fact is that architects and programmers
cannot ignore security when developing a .NET application, because
security is at the core of the .NET Framework. The better informed they
are, the more secure their projects will be."
Freeman and coauthor Allen Jones wrote "Programming .NET Security" as
both a tutorial and complete reference to security issues for .NET
application development, to save developers from having to rely on
Microsoft's "unclear and confusing" documentation. The book offers
numerous practical examples for writing secure applications in both the
C# and VB.NET languages.
Throughout the book, Freeman and Jones rely on their years of
experience in applying security policies and developing some of the
world's largest and most complex applications for NASDAQ, Sun
Microsystems, Netscape, Microsoft, and others. Before detailing .NET's
large collection of security tools and recommendations, their book
explains key concepts and common design patterns that developers must
understand if they are to build applications that can survive in a
hostile, networked world. One chapter discusses typical software
development phases, and the opportunities each phase provides for
uncovering vulnerabilities and defending against them.
"Programming .NET Security" then explores .NET security features
systematically, including runtime support, evidence, code identity,
permissions, Code Access Security (CAS), and role-based security. An
entire section is devoted to .NET support for cryptography, and other
chapters deal with features unique to ASP.NET and COM+ component
services. The book also includes an API Quick Reference to all the
types of the principal security-related namespaces of the .NET class
As longtime proponents of "end-to-end" security, Freeman and Jones
implore programmers to focus not only on the security of their
applications, but also on wider real-world aspects that can affect it.
Users who are careless with their passwords, for instance, can
compromise any security policies that developers put in place. And,
most appropriate given the news on Microsoft, developers must be aware
of any vulnerability in third-party software they rely on. Explains
Freeman, "When thinking about security, you must give consideration to
motivation, both of the potential users and the potential attackers."
Programming .NET Security
Adam Freeman and Allen Jones
ISBN 0-596-00442-7, 693 pages, $44.95 US, $69.95 CA, 31.95 UK
O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.