.NET news » Security

Apply Visual Studio Code Analysis to Beef Up Security
Visual Studio's code analysis feature offers hidden extensibility opportunities for writing custom security code review rules.
20 Sep 2007, 23:55:01   Source: Apply Visual Studio Code Analysis to Beef Up Security   Tags: Security
Public/Private Key Encrypted Messenger
An article about creating a public/private key encrypted Internet messenger.
17 Sep 2007, 06:47:00   Source: Public/Private Key Encrypted Messenger   Tags: Examples Security
Parallel LINQ: Running Queries On Multi-Core Processors

PLINQ is a query execution engine that accepts any LINQ-to-Objects or LINQ-to-XML query and automatically utilizes multiple processors or cores for execution when they are available. The change in programming model is tiny, meaning you don't need to be a concurrency guru to use it. In fact, threads and locks won't even come up unless you really want to dive under the hood to understand how it all works. PLINQ is a key component of Parallel FX, the next generation of concurrency support in the Microsoft .NET Framework.

In this article, we review the goals of the PLINQ technology, where it fits into the broader .NET Framework and other concurrency offerings, and what it looks like from the perspective of LINQ developers. We conclude with some example scenarios where PLINQ has already shown tremendous value...

21 Aug 2007, 19:00:00   Source: Parallel LINQ: Running Queries On Multi-Core Processors   Tags: Security
Exploring Claims-Based Identity

Most enterprise applications need some basic user security features. At a minimum, they need to authenticate their users, and many also need to authorize access to certain features so that only privileged users can get to them. Some apps must go further and audit what the user does. On Windows®, these features are built into the operating system and are usually quite easy to integrate into an application. By taking advantage of Windows integrated authentication, you don't have to invent your own authentication protocol or manage a user database. By using access control lists (ACLs), impersonation, and features such as groups, you can implement authorization with very little code. Indeed, this advice applies no matter which OS you are using. It's almost always a better idea to integrate closely with the security features in your OS rather than reinventing those features yourself.

But what happens when you want to extend reach to users who don't happen to have Windows accounts? What about users who aren't running Windows at all? More and more applications need this type of reach, which seems to fly in the face of traditional advice. This column will introduce you to the new identity model in the Microsoft .NET Framework 3.0, which is designed to help address these and other problems.

16 Jul 2007, 19:00:00   Source: Exploring Claims-Based Identity   Tags: Security
Tales from the CryptoRandom
I'm using the System.Random class to generate some random numbers in my application. A coworker reviewed my code and suggested that I use RNGCryptoServiceProvider instead. I'd like to follow her suggestion, but I'd also like not to have to modify all of my code that uses Random, and RNGCryptoServiceProvider looks nothing like Random in terms of the methods it exposes. Do you have any suggestions for making this easier?..
16 Jul 2007, 19:00:00   Source: Tales from the CryptoRandom   Tags: Security
Declarative WCF Security
Juval Lowy designs easily configured security settings for applications built on Windows Communication Foundation.
18 Jun 2007, 19:00:00   Source: Declarative WCF Security   Tags: Security
eDirectory Authentication using LdapConnection and custom certificate validation
This article explains how to authenticate a user over LDAPS using the System.DirectoryServices.Protocols.LdapConnection class, performing custom certificate validation.
How-to safely keep a password field during postbacks and why it shouldn't be done
Think of this article as a beginner's guide to thinking about design and security when solving problems.
Eliminate SQL Injection Attacks Painlessly with LINQ
As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because they are so well known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether—when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL injection.
24 May 2007, 16:31:02   Source: Eliminate SQL Injection Attacks Painlessly with LINQ   Tags: Database Security
Top 10 Application Security Vulnerabilities in Web.config Files - Part Two
In this second part of a two-part series, you will learn about application security issues related to authentication and authorization, as well as five vulnerabilities commonly found in ASP.NET web-based applications.