This documentation is archived and is not being maintained.

Security (C# Programming Guide)

Security is an indispensable aspect of every C# applications, and must be considered at every phase of development: not merely when design and implementation are complete.

This list is in not an exhaustive list of potential security problems. It highlights some common issues of which C# developers need to be aware.

  • Use the checked keyword to control the overflow-checking context for integral-type arithmetic operations and conversions.

  • Always use the most restrictive data type for parameters. For example, when passing a value into a method that describes the size of a data structure, use unsigned integer rather than integer.

  • Do not make decisions based on filenames. Filenames can be expressed in many different ways, and your test for a particular file may be bypassed.

  • Never, ever hardcode passwords or other sensitive information into your application.

  • Always validate input that is used to generate SQL queries.

  • Validate all inputs into your methods. The regular expression methods in System.Text.RegularExpressions namespace are useful for confirming input is of the correct form, such as an email address.

  • Don't display exception information: it provides any would-be attacker with valuable clues.

  • Ensure your application works while running with the least possible privileges. Few applications require a user to be logged in as an administrator.

  • Don't use your own encryption algorithms, use the System.Security.Cryptography classes.

  • Give your Assemblies strong names.

  • Don't store sensitive information in XML or other configuration files.

  • Check managed code that wraps native code carefully. Confirm the native code is secure, especially with regard to buffer overruns.

  • Use caution when using delegates passed from outside your application.

  • Run FxCop on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. FxCop can also find and warn against over 200 code defects.