Never trust data, model threats against your code, and other good advice from a security expert.
MSDN Magazine November 2006
In today's security-conscious environments, a reliable audit trail is a valuable forensic tool. The Windows Server 2003 operating system provides features that let you enable a wide range of applications to make use of auditing functionality. This article looks at auditing from the operating system perspective and describes a sample managed code implementation that will allow you to add auditing to your own server applications.
MSDN Magazine October 2005
If I deploy my ASP.NET project to a shared server web hosting, then is there a way to secure my source files so that the provider will not be able to access the source? For example, the provider of my web hosting may download my files and then he will be able to get access to all my source.
Hi I am making a student project with diverse clients (ASP.NET MVC, WP7, WPF) consuming a default WCF Service Application. I haven't configured the WCF Service in any way, it's right out of the box from VS 2010.
Now I am logging in and out on my clients by calling a method on the WCF service with a username and password.
But then I was thinking that my service is probably quite insecure, I was thinking, if anybody knows the service endpoint, then I guess, as it is now, everybody can call the methods on my service, right?
Now remember that this is just a student project, but I was wondering if there is a really simple and quick way I can somehow authenticate or authorize (don't know which word is the right one) access to the web service, so that not just everybody can use my web service, because I think that's the scenario right now.
I can also say that I am using forms authentication in the ASP.NET MVC client, I am not using the ASP.NET Membership and Role Provider.
So is there a really simple and quick way to make the web service not just open to everybody who knows the endpoint? Remember it has to be really simple, so I can do it quick, otherwise I drop it, if it's too complicated.
I've consolidated Levi's post on my blog entry Secure or a Security Hole, hardening your Area
This month Dino builds a service layer that authenticates users of Silverlight 2 and ASP.NET AJAX services to prevent illegal access to sensitive back-end services.
MSDN Magazine September 2008
MSDN Magazine May 2008
Five years ago, Bill Gates issued a directive to enhance security across the board. Since then, many valuable lessons have been learned about building more secure software.
MSDN Magazine November 2007
Windows CardSpace replaces traditional authentication with a more consistent and streamlined login process and improves trust between end-users, applications and services. Michèle Leroux Bustamante explains.
Michele Leroux Bustamante
MSDN Magazine April 2007
If you were to build a new communications protocol from scratch, how would you address security? Here the authors take a look at that question and generate some valuable insights into secure protocols.
Mark Novak and Andrew Roths
MSDN Magazine September 2006
Ensuring the security of a Web application is critical and requires careful planning throughout the design, development, deployment, and operation phases. It is not something that can be slapped onto an existing application. In this article, Mike Volodarsky outlines best practices that allow you to take advantage of the security features of ASP.NET 2.0 and IIS 6.0 to build and deploy more secure Web applications.
MSDN Magazine November 2005
ASP.NET provides a number of ways to maintain user state, the most powerful of which is session state. This article takes an in-depth look at designing and deploying high-performance, scalable, secure session solutions, and presents best practices for both existing and new ASP.NET session state features straight from the ASP.NET feature team.
MSDN Magazine September 2005
Microsoft Visual Studio Tools for the Microsoft Office System is a new technology that brings the advanced features of Visual Studio .NET and the .NET Framework to applications built for Microsoft Office Word 2003 and Microsoft Office Excel 2003. Deploying solutions built with this technology requires that you understand how runtime security is enforced in managed applications and how to configure users' systems to run your solutions without introducing security holes. To promote that understanding, this article will demonstrate how to establish trust, explain policy considerations and permissions, and explain what trusted code is all about. Secure assembly deployment is also covered in detail.
Brian A. Randell and Ken Getz
MSDN Magazine March 2004
This article describes a collection of new programming frameworks that are part of "Longhorn," the upcoming version of Windows. "Indigo," the code name for this framework, provides rich support for service-oriented design that is complementary to traditional object-oriented approaches. Indigo marries the best features of .NET Remoting, ASMX, and .NET Enterprise Services into a unified programming and administration model. Indigo's deep support for standard protocols, including HTTP, XML, and SOAP, makes it easier to integrate applications and services without sacrificing security or reliability.
MSDN Magazine January 2004
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. This article presents an overview of AES and explains the algorithms it uses. Included is a complete C# implementation and examples of encrypting .NET data. After reading this article you will be able to encrypt data using AES, test AES-based software, and use AES encryption in your systems.
MSDN Magazine November 2003
As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.
Edited by Nancy Michell
As .NET Remoting gains popularity in the enterprise space, it must meet business demands for trustworthy computing. Remoting traffic can be secured when objects are hosted in IIS, but when they aren't hosted in IIS, custom security solutions can be developed to secure them. This article provides an in-depth look at writing channel sinks for .NET. It also details the flow of data through custom channel sinks and explains the kinds of manipulations that can be performed on that data.
MSDN Magazine June 2003