.NET news » Security

Provides architectural, design, and implementation guidance for Web service security by using Web Services Enhancements (WSE) 3.0. Includes scenarios, patterns, decision matrices, and QuickStarts to help you make the most appropriate security decisions.

Security Briefs: Encrypting Without Secrets

Online Article: Manage Custom Security Credentials the Smart (Client) Way

Both Internet and intranet applications often require a custom store for user accounts and roles. ASP.NET 2.0 provides an out-of-the-box provider model as well as a SQL Sever database just for that propose. Unfortunately, the only way to administer the credentials databases is via Visual Studio 2005, and only for local Web applications. This article presents a full-blown custom security management application that administrators can use. The application wraps the ASP.NET 2.0 providers with a Web service and even adds missing features. This article presents the design approaches, challenges, and techniques involved in developing such an application. The article also walks you through some powerful yet useful techniques such as interface-based Web services, reflection-based Web service compatibility, advanced C# 2.0, Web services security, and Web services transactions.

Code access security (CAS) is based on the identity of the code that is running. In this article, Mike Downen discusses the role of CAS in .NET, and outlines some key new features and changes in CAS for the .NET Framework 2.0.

When you allow your application to run arbitrary code through an add-in, you may expose users to unknown code, running the risk that malicious code will use your application as an entry point into the user's data. There are several techniques you can use to reduce the attack surface of your application, which Shawn Farkas discusses here.

Ensuring the security of a Web application is critical and requires careful planning throughout the design, development, deployment, and operation phases. It is not something that can be slapped onto an existing application. In this article, Michael Volodarsky outlines best practices that allow you to take advantage of the security features of ASP.NET 2.0 and IIS 6.0 to build and deploy more secure Web applications.

Here Dino Esposito and Andrea Saltarello cover the plumbing of the Membership API and its inherently extensible nature, based on pluggable providers. To demonstrate the features, they take an existing ASP.NET 1.x authentication mechanism and port it to ASP.NET 2.0, exposing the legacy authentication mechanism through the new Membership API.

In this article, Niels Flensted-Jensen demonstrates how you can combine new and existing Microsoft technologies with minimal new code to provide flexible authorization for individual Web service methods. Windows 2003 Authorization Manager, Web Service Enhancements 3.0, and Enterprise Library all play a part.

In this article, Microsoft security expert Michael Howard outlines how to apply the Security Development Lifecycle to your own software development processes. He explains how you can take some of the lessons learned at Microsoft when implementing SDL and use them in your own development process.

Editor's Note: Many Levels of Security