Security for Microsoft® Visual Basic® .NET

Book Description

This resource provides best practices, step-by-step code walk-throughs, and concise explanations of key security terms, issues, and jargon to help developers create and run secure code with Visual Basic.

Table of Contents

  1. Security for Microsoft® Visual Basic® .NET
    1. Introduction
      1. How to Use This Book
      2. How to Use the Code Samples
        1. Create a Desktop Shortcut for Running Tools
      3. A Final Word
      4. Corrections, Comments, and Help
      5. Acknowledgments
    2. I. Development Techniques
      1. 1. Encryption
        1. Practice Files
        2. Hash Digests
        3. Private Key Encryption
          1. Keeping Private Keys Safe
        4. Public Key Encryption
        5. Hiding Unnecessary Information
        6. Encryption in the Real World
        7. Summary
      2. 2. Role-Based Authorization
        1. Role-Based Authorization Exercise
        2. Windows Integrated Security
        3. ASP.NET Authentication and Authorization
        4. Role-Based Authorization in the Real World
        5. Summary
      3. 3. Code-Access Security
        1. How Actions Are Considered Safe or Unsafe
        2. What Prevents Harmful Code from Executing?
        3. It’s On By Default
        4. Security Features and the Visual Basic .NET Developer
        5. Code-Access Security vs. Application Role-Based Security
          1. Code-Access Security Preempts Application Role-Based Security
        6. Run Your Code in Different Security Zones
          1. What Code-Access Security Is Meant To Protect
          2. Permissions—The Basis of What Your Code Can Do
            1. Security Zones and Trust Levels
            2. Security Zones and Permissions
            3. Local Intranet, Internet, and Trusted Sites Zones
            4. How Visual Basic .NET Determines Zone
          3. Ensuring That Your Code Will Run Safely
          4. Cooperating with the Security System
        7. Code-Access Security in the Real World
        8. Summary
      4. 4. ASP.NET Authentication
        1. EmployeeManagementWeb Practice Files
        2. Forms Authentication
        3. Windows Integrated Security Authentication
        4. Passport Authentication
          1. Install the Passport SDK
        5. ASP.NET Authentication in the Real World
        6. Summary
      5. 5. Securing Web Applications
        1. Secure Sockets Layer
          1. How SSL Works
        2. Securing Web Services
        3. Implementing an Audit Trail
        4. Securing Web Applications in the Real World
        5. Summary
    3. II. Ensuring Hack-Resistant Code
      1. 6. Application Attacks and How to Avoid Them
        1. Denial of Service Attacks
          1. Defensive Techniques for DoS Attacks
            1. Defending Against Memory and Resource DoS Attacks
        2. File-Based or Directory-Based Attacks
          1. Defensive Technique for File-Based or Directory-Based Attacks
            1. Enforce Canonical Filenames
        3. SQL-Injection Attacks
          1. Defensive Techniques for SQL-Injection Attacks
            1. Validate Input Parameters
            2. Use Parameterized Queries
            3. Add a Stored Procedure to Validate the User
        4. Cross-Site Scripting Attacks
          1. When HTML Script Injection Becomes a Problem
          2. Defensive Techniques for Cross-Site Scripting Attacks
            1. Use Server.HtmlEncode and Server.UrlEncode
            2. Check All Input for Content and Length
        5. Child-Application Attacks
          1. Defensive Technique for Child-Application Attacks
            1. Use Quotes Around All Path Names
        6. Guarding Against Attacks in the Real World
        7. Summary
      2. 7. Validating Input
        1. Working with Input Types and Validation Tools
          1. Direct User Input
            1. Validation Tools Available to Windows Forms Applications
            2. Validation Tools Available to ASP.NET Web Applications
          2. General Language Validation Tools
            1. Regular Expressions
            2. Parse Method
          3. Web Application Input
            1. Don’t Rely on Data Sent to the Client
          4. Nonuser Input
          5. Input to Subroutines
        2. Summary
      3. 8. Handling Exceptions
        1. Where Exceptions Occur
        2. Exception Handling
        3. Global Exception Handlers
        4. Exception Handling in the Real World
        5. Summary
      4. 9. Testing for Attack-Resistant Code
        1. Plan of Attack—The Test Plan
          1. Brainstorm—Generate Security-Related Scenarios
            1. Take the Attacker’s View
            2. Create a Blueprint of Your Application
            3. Create Scenarios Based on Inroads for Attack
          2. Get Focused—Prioritize Scenarios
            1. Prioritize Security-Related Scenarios Based on Threats
          3. Generate Tests
            1. Filter and Prioritize Tests for Each Scenario
        2. Attack—Execute the Plan
          1. Testing Approaches
            1. Writing Self-Testing Code
            2. Ad Hoc, or Manual, Testing
            3. Automated Unit Testing
            4. Stress Testing
          2. Testing Tools
            1. Create Your Own Test Tools
            2. Example: Create a Test Tool for Testing Web Applications
          3. Test in the Target Environment
          4. Make Testing for Security a Priority
        3. Common Testing Mistakes
          1. Testing Too Little, Too Late
          2. Failing to Test and Retest for Security
          3. Failing to Factor In the Cost of Testing
          4. Relying Too Much on Beta Feedback
          5. Assuming Third-Party Components Are Safe
        4. Testing in the Real World
        5. Summary
    4. III. Deployment and Configuration
      1. 10. Securing Your Application for Deployment
        1. Deployment Techniques
          1. XCopy Deployment
          2. No-Touch Deployment
          3. Windows Installer Deployment
          4. Cabinet-File Deployment
        2. Code-Access Security and Deployment
          1. Deploy and Run Your Application in the .NET Security Sandbox
        3. Certificates and Signing
          1. Digital Certificates
            1. X.509 Certificate
            2. Obtain an X.509 Certificate from a Certificate Authority
            3. Keep Your Private Keys Safe
          2. Authenticode Signing
            1. When to Use Authenticode Signing
            2. When the Authenticode Signature Is Checked
            3. Incorporate Authenticode Signing in Your Build Process
          3. Strong-Name Signing
            1. Strong Names vs. Weak Names
            2. Strong-Named Visual Basic .NET .DLLs and Partial Trust
          4. Authenticode Signing vs. Strong Naming
            1. Should You Authenticode-Sign and Strong-Name Your Application?
          5. Strong Naming, Certificates, and Signing Exercise
        4. Deploying .NET Security Policy Updates
          1. Update .NET Enterprise Security Policy
          2. Deploy .NET Enterprise Security Policy Updates
        5. Protecting Your Code—Obfuscation
          1. Obscurity <> Security
        6. Deployment Checklist
        7. Deployment in the Real World
        8. Summary
      2. 11. Locking Down Windows, Internet Information Services, and .NET
        1. "I’m Already Protected. I’m Using a Firewall."
        2. Fundamental Lockdown Principles
        3. Automated Tools
        4. Locking Down Windows Clients
          1. Format Disk Drives Using NTFS
          2. Disable Auto Logon
          3. Enable Auditing
          4. Turn Off Unnecessary Services
          5. Turn Off Unnecessary Sharing
          6. Use Screen-Saver Passwords
          7. Remove File-Sharing Software
          8. Implement BIOS Password Protection
          9. Disable Boot from Floppy Drive
        5. Locking Down Windows Servers
          1. Isolate Domain Controller
          2. Disable and Delete Unnecessary Accounts
          3. Install a Firewall
        6. Locking Down IIS
          1. Disable Unnecessary Internet Services
          2. Disable Unnecessary Script Maps
          3. Remove Samples
          4. Enable IIS Logging
          5. Restrict IUSR_<computername>
          6. Install URLScan
        7. Locking Down .NET
        8. Summary
      3. 12. Securing Databases
        1. Core Database Security Concepts
        2. SQL Server Authentication
          1. Determining Who Is Logged On
          2. How SQL Server Assigns Privileges
        3. SQL Server Authorization
        4. Microsoft Access Authentication and Authorization
          1. Microsoft Access User-Level Security Models
        5. Locking Down Microsoft Access
        6. Locking Down SQL Server
        7. Summary
    5. IV. Enterprise-Level Security
      1. 13. Ten Steps to Designing a Secure Enterprise System
        1. Design Challenges
        2. Step 1: Believe You Will Be Attacked
        3. Step 2: Design and Implement Security at the Beginning
        4. Step 3: Educate the Team
        5. Step 4: Design a Secure Architecture
          1. Named-Pipes vs. TCP-IP
          2. If You Do Nothing Else...
        6. Step 5: Threat-Model the Vulnerabilities
        7. Step 6: Use Windows Security Features
        8. Step 7: Design for Simplicity and Usability
        9. Step 8: No Back Doors
        10. Step 9: Secure the Network with a Firewall
        11. Step 10: Design for Maintenance
        12. Summary
      2. 14. Threats—Analyze, Prevent, Detect, and Respond
        1. Analyze for Threats and Vulnerabilities
          1. Identify and Prioritize
            1. Identify Threats
            2. Prioritize Threats
        2. Prevent Attacks by Mitigating Threats
          1. Mitigating Threats
        3. Detection
          1. Early Detection
          2. Detecting That an Attack Has Taken Place or Is in Progress
            1. Determining Whether to Trust Your Detection Mechanisms
            2. Humans: The Key to Success
        4. Respond to an Attack
          1. Prepare for a Response
        5. Security Threats in the Real World
        6. Summary
      3. 15. Threat Analysis Exercise
        1. Analyze for Threats
          1. Allocate Time
            1. Prioritize Analysis Based on the Function of Each Component
          2. Plan and Document Your Threat Analysis
          3. Create a Laundry List of Threats
            1. Draw Architectural Sketch and Review for Threats
            2. Review Code for Threats
          4. Prioritize Threats
        2. Respond to Threats
        3. Summary
      4. 16. Future Trends
        1. The Arms Race of Hacking
          1. No Operating System Is Safe
          2. Cyber-Terrorism
        2. What Happens Next?
        3. Responding to Security Threats
          1. Privacy vs. Security
          2. The IPv6 Internet Protocol
          3. Government Initiatives
          4. Microsoft Initiatives
        4. Summary
    6. A. Guide to the Code Samples
      1. Employee Management System
      2. Employee Management Web
      3. Encryption Demo
      4. TogglePassportEnvironment utility
      5. Employee Database Structure
      6. Migrating the Employee Database to SQL Server 2000
    7. B. Contents of SecurityLibrary.vb
      1. Hash Digests
      2. Private Key Encryption
      3. DPAPI Encryption
      4. Public Key Encryption
      5. Logging Exceptions
      6. Role-Based Security
      7. Validating Input
    8. C. About the Authors
      1. Ed Robinson
      2. Michael Bond
    9. Index
    10. About the Authors