MSDN Magazine, November 2003
Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code
Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API. Alek Davis
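The following C# illustrates the approach the abstract recommends: keep the connection string out of source, let DPAPI bind it to the account or machine, and fail closed on tampering. It is editor-supplied example code, not the article's listing, and it assumes the managed DPAPI wrapper System.Security.Cryptography.ProtectedData (.NET Framework 2.0 or later; on .NET Core/5+ the System.Security.Cryptography.ProtectedData package, Windows only). The entropy constant, file name and connection string are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not the article's code): protect a connection string with DPAPI.
static class ConnectionStringVault
{
    // Optional entropy: a second input DPAPI mixes into the derived key. It is not a
    // secret by itself, but another process in the same scope cannot decrypt the blob
    // without also supplying this value. Assumed constant for the example.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("InventoryService-ConnString-v1");

    // Run at provisioning time, under the same account that will later run the service.
    public static string Protect(string connectionString, DataProtectionScope scope)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(connectionString);
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, scope);
        Array.Clear(plaintext, 0, plaintext.Length); // do not leave the secret lying around
        return Convert.ToBase64String(blob);
    }

    // Run at service startup; the plaintext exists only in memory.
    public static string Unprotect(string base64Blob, DataProtectionScope scope)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(plaintext);
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        // Constructed sample; in practice the administrator supplies this, never the source tree.
        string connStr = "Server=db01;Database=Inventory;User Id=svc_inv;Password=s3cret-example;";
        string path = "protected-connstr.txt";

        // CurrentUser ties decryption to the service account's profile. LocalMachine lets
        // any process on this host decrypt, so use it only where that is acceptable.
        var scope = DataProtectionScope.CurrentUser;
        File.WriteAllText(path, Protect(connStr, scope));

        string recovered = Unprotect(File.ReadAllText(path), scope);
        Console.WriteLine(recovered == connStr ? "round-trip OK" : "MISMATCH");

        // A modified or foreign blob is rejected: DPAPI blobs carry an integrity check.
        try
        {
            byte[] tampered = Convert.FromBase64String(File.ReadAllText(path));
            tampered[tampered.Length - 1] ^= 0x01;
            Unprotect(Convert.ToBase64String(tampered), scope);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("tampered blob rejected: " + e.Message);
        }
    }
}
```

The scope choice is the security decision here: CurrentUser means the blob is useless to anyone who is not running as the service account, while LocalMachine trades that isolation for easier deployment. The entropy value adds a second factor only if it is stored apart from the blob (for example in the binary's configuration rather than beside the protected file).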
Encrypt It: Keep Your Data Secure with the New Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. This article presents an overview of AES and explains the algorithms it uses. Included is a complete C# implementation and examples of encrypting .NET data. After reading this article you will be able to encrypt data using AES, test AES-based software, and use AES encryption in your systems. James McCaffrey
Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager
Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample. Keith Brown
Review It: Expert Tips for Finding Security Defects in Your Code
Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like "password" and "secret", along with other obvious but common security blunders, can be searched for and remedied. Michael Howard
Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets
As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Developers can implement .NET Remoting channel sinks that intercept messages as they pass through the Remoting infrastructure and apply WS-Security constructs to them. The sink can read the message, change it, and pass it along. During this process, the message can be signed so that tampering in transit is detectable. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token. Neeraj Srivastava
Obfuscate It: Thwart Reverse Engineering of Your Visual Basic .NET or C# Code
One of the advantages of the .NET architecture is that assemblies built with it contain lots of useful information that can be recovered using ILDASM, the intermediate language disassembler. A side effect, though, is that someone with access to your binaries can recover a good approximation of the original source code. Here the authors present program obfuscation as a way to deter reverse engineering. In addition, they discuss the different types of obfuscation technologies available and demonstrate the new obfuscation tool that is included in Visual Studio .NET 2003. Gabriel Torok and Bill Leach

Columns
Editor's Note: Security and Whips
Last September, MSDN Magazine published its first-ever issue devoted entirely to the topic of security. Feedback was so positive that we thought "Hey! We can do this again next year!" It's this kind of forward thinking that's behind this year's security issue.
New Stuff: Resources for Your Developer Toolbox
Desaware is shipping CAS/Tester (automated code access security testing) for Visual Studio® .NET. CAS/Tester was developed to address the issue of security constraints as software is deployed through the Internet, intranets, and other distribution channels. Theresa W. Carey
Web Q&A: Secure Passwords, Nested XML, and More
Edited by Nancy Michell
Data Points: SQL Server User-defined Functions
John Papa
Cutting Edge: Custom Provider Controls
Dino Esposito
The XML Files: XML in Microsoft Office Word 2003
Aaron Skonnard
Advanced Basics: SQL Server Metadata
Ken Spencer
The ASP Column: ATL Server Versus ASP.NET
George Shepherd
Bugslayer: Google from Visual Studio .NET
John Robbins
C++ Q&A: Menu Tips in an MFC App
Paul DiLascia
Resource File: Threat Model Your Security Risks