.NET news » Security

Juval Lowy designs easily configured security settings for applications built on Windows Communication Foundation.

This article explains how to authenticate a user over LDAPS using the System.DirectoryServices.Protocols.LdapConnection class, performing custom certificate validation.

Think of this article as a beginners guide to think about design and security when solving problems.

As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because it's so well-known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether—when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL Injection.

In this second part of a two-part series, you will learn about application security issues related to authentication and authorization, as well as five vulnerabilities commonly found in ASP.NET web-based applications.

If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.

Windows Vista introduces a new cryptography API to replace the old CryptoAPI, which has its roots in the early versions of Windows NT and Windows 95. Cryptography Next Generation (CNG) is meant to be a long-term replacement for the CryptoAPI, providing substitutes for all of the cryptographic primitives it offered. CNG supports all of the algorithms provided by the CryptoAPI, but goes much further and includes many new algorithms and a much more flexible design, providing developers with greater control over how cryptographic operations are performed and how algorithms work together to perform various operations.

In part one of this two part article, you will learn about five of the top ten "worst offenders" of misconfigurations of application security that can cause overall problems for ASP.NET Web-based applications. Learn more about how to secure the Web.config files of an ASP.NET application.

The Cryptography API: Next Generation(CNG) is a new and agile framework in Windows Vista, which implements an extensible provider model that allows you to load a provider by specifying the required cryptographic algorithm rather than having to hardcode a specific provider.

The advantage is that an algorithm provider can be replaced or upgraded and you will not have to change your code in any way to use the new provider. Also, if some algorithm is determined to be unsafe in the future, a more secure version of that algorithm can be installed with no effect to your code. To facilitate this, you load a CNG provider by identifying the cryptographic algorithm that you require, not the specific provider. Most of the CNG APIs require a provider or an object created by a provider.

In this article, I try to describe the new security feature Cryptography API: Next Generation(CNG) and compare it with an RSA and AES samples, both managed and unmanaged, using "Crypto API" (CAPI before Vista) and how it can be implemented using CNG in Windows Vista. Managed version of CNG is yet to come, if you feel like you want more, wait for the next release of Visual Studio "Orcas".

Elliptic Curve cryptography is the current standard for public key cryptography, and is being promoted by the National Security Agency as the best way to secure private communication between parties. Microsoft has both good news and bad news when it comes to using Elliptic Curve encryption algorithms. The good news is that it is natively supported in the Vista operating system through CNG (Cryptography API Next Generation). The bad news is that a managed library for using EC will not be available until the release of Visual Studio Orcas, which is currently slated for the end of 2007 or the beginning of 2008.

The code in the attached project attempts to fill this gap by providing a wrapper class that will give you access to the underlying Vista Crypto API, as well as offer simple methods for leveraging the Elliptic Curve algorithms. It is intended for educational purposes only, however, and requires much more testing and refactoring before it can be used in any serious way. In other words, please play with it, copy it, and manipulate it in any way you like, but don't use it in its current form to lift any heavy machinery.