.NET news » Security

Support Certificates In Your Applications With The .NET Framework 2.0

Certificates are used in many places across the Microsoft .NET Framework, from secure communication to code signing to security policies. The .NET Framework 2.0 introduced revamped support for certificates and it added a completely new namespace for standards-compliant cryptographic operations with certificates. In this article, I will discuss the background for certificates and the Windows Certificate Store. I'll also show you how to work with the certificate APIs and how they are used by the Framework to implement security features.
14 Jan 2007, 18:00:00   Source: Support Certificates In Your Applications With The .NET...   Tags: Security

Securing Text Data in .NET

Discussion of securing text in an application. The example project contains a SecureString wrapper to make working with SecureString easier, and a textbox that directly manipulates a SecureString.
7 Dec 2006, 23:54:00   Source: Securing Text Data in .NET   Tags: Security VB.NET

Tips on Using Protocol Transition

Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.
21 Nov 2006, 18:00:00   Source: Tips on Using Protocol Transition   Tags: Security

Microsoft Anti-Cross Site Scripting Library V1.5

Cross-site scripting attacks are platform and browser independent, and can allow malicious users to perform malicious actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely. Simple steps that developers can take to prevent XSS attacks in their ASP.NET applications include the following:

  1. Validating and constraining input
  2. Encoding output

For defense in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.
20 Nov 2006, 18:04:46   Source: Microsoft Anti-Cross Site Scripting Library V1.5   Tags: ASP.NET Security

Hashing, MACs, and Digital Signatures in .NET

This article covers the differences between hashing, MACs and digital signatures. It presumes a certain level of knowledge about encryption methods, especially the difference between symmetric and asymmetric encryption. The article does not cover how to perform encryption, nor does it cover key management. There are some code examples showing how to perform each technique using C# in .NET v2.0.
10 Nov 2006, 08:20:01   Source: Hashing, MACs, and Digital Signatures in .NET   Tags: Security

Using Enterprise Library in ASP.NET 2.0 Partial Trust Mode

The Enterprise Library Application Blocks aren't useful only in Windows Forms applications; you can use them in ASP.NET too by downloading a set of patch files and configuring the security settings appropriately. Find out how.

Online Article: Fundamentals of WCF Security

Windows Communication Foundation (WCF) is a secure, reliable, and scalable messaging platform for the .NET Framework 3.0. With WCF, SOAP messages can be transmitted over a variety of supported protocols including IPC (named pipes), TCP, HTTP and MSMQ. Like any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls. This article will discuss how WCF accomplishes this.

19 Oct 2006, 19:00:00   Source: Online Article: Fundamentals of WCF Security   Tags: Security

Security Briefs: Limited User Problems and Split Knowledge

  • Why won't my simple Windows® Communication Foundation service start when I run it as a non-administrator?
  • What is the best way to implement split knowledge and dual control of keys?
11 Oct 2006, 19:00:00   Source: Security Briefs: Limited User Problems and Split Knowledge   Tags: Security

SQL Security: New SQL Truncation Attacks And How To Avoid Them

This article discusses some new threats to your SQL Web app that include modifying SQL statements or injecting SQL code even if the code has escaped the delimiting characters.

Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps

In this article, the author presents an extension to the Security Development Lifecycle which could promote a better flow of information between users and designers of software security features.
11 Oct 2006, 19:00:00   Source: Extending SDL: Documenting And Evaluating The Security...   Tags: Security