Visual Basic.Net Code Security Handbook,9781861007476

Visual Basic.Net Code Security Handbook

by
Edition: 1st
ISBN13: 9781861007476
ISBN10: 1861007477
Format: Trade Paper
Pub. Date: 2002-08-01
Publisher(s): Springer-Verlag New York Inc
  • Free Shipping Icon

    Free Shipping On Orders Over $35*

    Your order must be $35 or more to qualify for free economy shipping. Marketplace items, eBooks and apparel do not qualify towards the $35 purchase minimum.
     

List Price: $29.99

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

New Book

We're Sorry
Sold Out

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $36.38

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

Focuses exclusively on code level security considerations and provides a VB.NET perspective. For VB programmers who want language specific information. Softcover.

Table of Contents

Introduction 1(1)
Who is This Book For?
1(1)
What does This Book Cover?
2(1)
What does it Not Cover?
2(3)
Application Security
5(20)
The Security Landscape
5(2)
Why Should I Care about Security?
7(1)
What do we Mean by Security?
8(7)
Hostile Intent
8(1)
Surely They Would Not Attack Me!
9(1)
Time is Not on Your Side
9(1)
Trust, Safety, and Intent
10(1)
Harm
11(1)
Denial of Service
11(1)
Unauthorized Data Access
12(1)
Data Tempering
13(2)
How do Attackers do It?
15(3)
Vulnerabilities and Exploits
15(1)
Combined Attacks: ILOVEYOU Redux
15(2)
It Could be Worse
17(1)
What Can I Do about it?
18(5)
Mission: Moderately Difficult versus Mission: Impossible
19(2)
Raise the Bar
21(1)
You Do Not Have to be a Cryptologist
21(1)
Take the Long View
22(1)
Summary
23(2)
.NET and Security: An Overview
25(58)
Role and Code Security
25(6)
Security in Windows NT
26(2)
Security in Windows 95/98/ME
28(1)
Security in Internet Explorer
29(2)
.NET Security Concepts
31(10)
Managed Code
31(1)
The Managed Intermediate Language
32(1)
Type Safety
32(2)
The Managed Stack
34(3)
Assemblies
37(1)
Application Domains
37(1)
Security Namespaces in the .NET Framework
38(1)
The Security Namespace
38(1)
The Web Security Namespace
39(1)
The Cryptography Namespace
39(1)
The Principal Namespace
40(1)
The Policy and Permissions Namespaces
41(16)
Code Security (From Ten Thousand Feet)
41(1)
The Evidence Collection
41(1)
The Hash
42(1)
The Strong Name
43(1)
The Publisher Signature
44(1)
Host Evidence: The Zone, URL, and Site
44(1)
Summarizing Evidence
45(2)
Policy and Permissions
47(1)
Permission Objects
47(2)
Permission Set Objects
49(1)
Policy Levels
49(1)
Code Groups
50(1)
Viewing Your Policy
51(1)
Out-of-the-Box Permission Sets
52(4)
A Quick Review
56(1)
.NET Code Security in Practice
57(22)
A First Attempt at a Security Violation
57(2)
The Stack Walk
59(1)
The Luring Attack
59(3)
Forcing a Stack Walk with ``Demand''
62(1)
Why Would You Ever Force a Stack Walk?
63(3)
Restricting Permissions with ``Deny'' and ``PermitOnly''
66(1)
Custom Permission Sets
67(1)
Reverting Restrictions
68(1)
An Oddity
68(1)
Overriding Stack Walks with Assert
69(1)
Using Asserts and Demands Together
70(4)
Declarative Security
74(1)
Why Use Declarative Security?
74(2)
Reducing the Grant Set
76(1)
Refusing Specific Permissions
77(1)
Requiring Permissions
77(1)
Requesting Optional Permissions
78(1)
Declarative Security with Permission Sets
79(1)
Assembly Attributes Overview
79(1)
Summary
79(4)
Advanced .NET Security
83(32)
The Link Demand
83(13)
Compiling Just In Time
84(1)
Making Demands at ``Link Time''
85(1)
Creating a Link Demand
85(1)
An Example
86(6)
Responsibilities of the Caller
92(1)
When to Use Link Demands
92(1)
Calling Methods that have Link Demands
93(1)
Discovering Link Demands
94(1)
Link Demands and APTCA
94(1)
Suppressing Unmanaged Code Demands
95(1)
Link Demands Summary
96(1)
The Inheritance Demand
96(1)
Security and Reflection
97(3)
Reflection and Link Demands
97(1)
Reflection and Assert
98(2)
Reflection and Deny/PermitOnly
100(1)
Role-Based Security in .NET
100(12)
Identity Objects
101(1)
Windows Identity Objects
101(1)
Custom Identity Objects
102(1)
Principal Objects
103(1)
Principal Policy
103(1)
Checking Roles
104(5)
Impersonation with WindowsIdentity Objects
109(3)
Summary
112(3)
Security and Customizable Applications
115(16)
What are the Security Challenges?
115(1)
If It's Broke then Fix It
116(13)
Attempt One: Ask the User
116(3)
Attempt Two: Use PermitOnly
119(1)
Attempt Three: Lock down the Directory
120(1)
Attempt Four: Say it is from the Internet
120(2)
Why is Attempt Four a Bad Idea?
122(1)
Attempt Five: Custom Policy
122(1)
Custom Evidence
122(1)
Custom Membership Condition
123(2)
Custom Permission Set
125(1)
Custom Policy
125(4)
Pros and Cons of Custom Policies
129(1)
Summary
129(2)
How to Write Insecure Code
131(74)
How to Write Insecure Object Oriented Code
132(5)
Worst Practice: Fail to Restrict Access
132(1)
A Brief Refresher on Access Modifiers
132(1)
Worst Practice: Make too much Public
133(2)
Worst Practice: Allow Subclassing by Untrusted Assemblies
135(2)
How to Write Bad Link Demands
137(4)
Worst Practice: Inconsistent Link Demands in Class Hierarchies
137(2)
Worst Practice: Inconsistent Class and Method Link Demands
139(1)
Worst Practice: Structure Constructors
140(1)
How to Implement Insecure Exception Handling Code
141(19)
Worst Practice: Leaking Privileged Information
141(3)
Problem 1: Path Discovery
144(1)
Problem 2: Denial of Service
145(1)
Problem 3: The Assert Lives on
146(1)
Problem 4: Unintended Side Effects
146(1)
Problem 5: Fit and Finish
147(1)
Worst Practice: Fail to a Non-Secure Mode
147(1)
Canonicalization Issues
148(4)
Worst Practice: Change State without Handling Exceptions
152(1)
Worst Practice: Make your State Inconsistent
152(1)
Worst Practice: Use Bad Defaults
153(1)
Vulnerabilities Involving Exception Filters
154(6)
Summing up Exception Handling
160(1)
How to Reveal Secrets
160(9)
Worst Practice: Fail to Demand on Cached Data
161(1)
Worst Practice: Write your own Encryption
162(1)
Worst Practice: Use XOR ``Encryption''
163(1)
Worst Practice: Try to Keep Secrets from the User
164(1)
Worst Practice: Embed Secret Strings
165(1)
Worst Practice: Construct or Encrypt Secret Strings
166(2)
Security through Obscurity
168(1)
How to Write Insecure Server-Side Code
169(12)
Denial of Service Attacks
170(1)
Fail Early
170(1)
Consider the Worst Case
170(1)
Worst Practice: Trust the Client
171(1)
The SQL Injection Vulnerability
171(5)
The Cross Site Scripting (CSS) Vulnerability
176(5)
Other Issues
181(21)
Threading Issues
181(1)
A Brief Refresher on Threading
181(2)
So where is the Vulnerability?
183(1)
What is the Risk?
184(1)
What Should I Do?
184(3)
How to Write Bad Serialization Code
187(1)
A Brief Refresher on Serialization
187(2)
Worst Practice: Write to Predictable Locations
189(2)
Worst Practice: Allow Untrusted Code to Serialize Sensitive State
191(1)
Worst Practice: Allow Untrusted Code to Deserialize Sensitive State
192(1)
A Brief Note about the Default Serializer
192(1)
Err On the Side of Caution
193(1)
How to Write Bad Event Handlers and other Delegates
193(1)
A Brief Refresher on Delegates
193(2)
Security Issues with Delegates
195(6)
Using Reflection Safely
201(1)
Do not Proxy Reflection
201(1)
Summary
202(3)
How to Make Code Secure
205(34)
Secure Code is Solid Code
205(8)
Correctness
205(1)
Fixing It
206(1)
Bug Triage
206(2)
Telling Users
208(1)
Manage the Risk by Planning for Mistakes
208(1)
Testability
208(1)
Things to Look for When Testing Security
209(1)
Server Performance
210(1)
Performance and Security
211(2)
Maintainability
213(1)
Good Assemblies
213(12)
Strong Names
214(1)
Public Key Cryptography in a Nutshell
215(1)
How to Sign an Assembly with a Strong Name
215(5)
Authenticode and Strong Names
220(4)
Assembly Security Attributes
224(1)
Summing Up Assembly Security
225(1)
Write Securable Code
225(2)
The Big Checklist
227(6)
Even Good Software Security is Not Enough
233(2)
Physical Security
234(1)
Trusting too Much
234(1)
Summary
235(4)
Spot the Security Bug!
239(22)
Spot the Security Flaw #1: Calling Unmanaged Code
240(7)
Spot the Security flaw #2: Playing Games
247(3)
Spot the Security Flaw #3: Server Code
250(8)
Now Spot the Security Flaws in Your Code
258(3)
Appendix A: A Brief Explanation of Public Key Cryptography 261(10)
Jargon
261(1)
Symmetric Cryptosystems
262(1)
Asymmetric Cryptosystems
263(8)
Performance Considerations
268(1)
Combining Symmetric and Asymmetric Cryptosystems
268(1)
Public Key Cryptography and Strong Names
269(1)
Secure Transmission is Not Important
269(2)
Appendix B: Using ILDASM to View IL 271(4)
Appendix C: Support, Errata, and Code Download 275(4)
How to Download the Sample Code for the Book
275(1)
Errata
276(1)
E-Mail Support
276(1)
p2p.wrox.com
277(2)
Index 279

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.