O’Reilly news

Addressing Windows' Vulnerabilities at the Application Level: O'Reilly Releases "Programming .NET Security"

July 22, 2003

Sebastopol, CA--When independent researchers found a flaw in Windows Server 2003 recently, they underscored the central fact in the computer industry today: now that the .NET Framework and other platforms support highly distributed systems and web-based server applications that are inherently more difficult to protect, security is an issue that everyone involved needs to address. Despite the flaw, Microsoft's .NET platform is by far its most secure, and according to Adam Freeman, coauthor of Programming .NET Security (O'Reilly, US $44.95), the majority of security lapses are in fact owing to carelessness or lack of experience on the part of application developers.

"Programmers have traditionally treated security as an afterthought, but there is a growing appreciation that security is a requirement, not an option, that should be integrated into the development process," Freeman explains. "The simple fact is that architects and programmers cannot ignore security when developing a .NET application, because security is at the core of the .NET Framework. The better informed they are, the more secure their projects will be."

Freeman and coauthor Allen Jones wrote "Programming .NET Security" as both a tutorial and complete reference to security issues for .NET application development, to save developers from having to rely on Microsoft's "unclear and confusing" documentation. The book offers numerous practical examples for writing secure applications in both the C# and VB.NET languages.

Throughout the book, Freeman and Jones rely on their years of experience in applying security policies and developing some of the world's largest and most complex applications for NASDAQ, Sun Microsystems, Netscape, Microsoft, and others. Before detailing .NET's large collection of security tools and recommendations, their book explains key concepts and common design patterns that developers must understand if they are to build applications that can survive in a hostile, networked world. One chapter discusses typical software development phases, and the opportunities each phase provides for uncovering vulnerabilities and defending against them.

"Programming .NET Security" then explores .NET security features systematically, including runtime support, evidence, code identity, permissions, Code Access Security (CAS), and role-based security. An entire section is devoted to .NET support for cryptography, and other chapters deal with features unique to ASP.NET and COM+ component services. The book also includes an API Quick Reference to all the types of the principal security-related namespaces of the .NET class libraries.

As longtime proponents of "end-to-end" security, Freeman and Jones implore programmers to focus not only on the security of their applications, but also on wider real-world aspects that can affect it. Users who are careless with their passwords, for instance, can compromise any security policies that developers put in place. And, most appropriate given the news on Microsoft, developers must be aware of any vulnerability in third party software they rely on. Explains Freeman, "When thinking about security, you must give consideration to motivation, both of the potential users and the potential attackers."

Additional Resources:

Programming .NET Security
Adam Freeman and Allen Jones
ISBN 0-596-00442-7, 693 pages, $44.95 US, $69.95 CA, 31.95 UK
order@oreilly.com
1-800-998-9938; 1-707-827-7000

About O’Reilly

O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.

Email a link to this press release