Security and Programming (C# and Visual Basic)
Developers need to address key security issues as they begin working with the .NET Framework. This overview discusses both Windows and Web applications, and the implementation, debugging, and deployment phases of development.
Visual Studio provides you with control over the security of running applications. The .NET Framework gives you that control, but using it requires that you write your code with security in mind. There are security issues that you need to address to create friendly and usable applications for your users.
There are three common situations where you will need to address security concerns:
Permissions: The user running your application may deny privileges to your application. This can happen when your application runs from a location that the user has configured to be denied access to some system resources. For example, the user can configure the common language runtime to deny file privileges to any application that is stored on a network drive. You need to be aware of this in your work, and you should write code that responds gracefully to denials. For more information, see .NET Framework Security Policy.
Web Applications: Users accessing your Web applications from your Web servers need to be prevented from running malicious code or corrupting data on your servers. For more information, see ASP.NET Security.
Setup of Visual Studio: The way you set up Visual Studio can leave your server more or less at risk from attacks by malicious code.
Securing resources is a process that spans several technologies and the entire development cycle. Through careful design, implementation, testing, and deployment of applications, you can create very secure applications. Security technologies provided by ASP.NET, the operating system, and Web browsers are available to secure your applications.
The following list is not an exhaustive list of potential security problems. It describes some common issues for Visual Basic and C# developers.
Ensure that integer overflow checking is enabled. In C#, you can enable this by using the checked keyword or the Advanced Build Settings Dialog Box (C#). In Visual Basic, you can use the Advanced Compiler Settings Dialog Box (Visual Basic).
Always use the most restrictive data type for parameters. For example, when you pass a value to a method that describes the size of a data structure, use unsigned integer rather than integer.
Do not make decisions based on file names. File names can be expressed in many different ways, and your test for a particular file may be bypassed.
Never, ever hardcode passwords or other sensitive information into your application.
Always validate input that is used to generate SQL queries.
Validate all inputs into your methods. The regular expression methods in the System.Text.RegularExpressions namespace are useful for confirming that input is of the correct form, such as an e-mail address.
Do not display exception information: it provides any would-be attacker with valuable clues.
Ensure that your application works while running with the least possible permissions. Few applications require that a user be logged in as an administrator.
Do not use your own encryption algorithms. Use the System.Security.Cryptography classes.
Give your assemblies strong names.
Do not store sensitive information in XML or other configuration files.
Check managed code that wraps native code carefully. Confirm that the native code is secure.
Use caution when you use delegates passed from outside your application.
Run the Visual Studio code analysis tool on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. This tool can also find and warn against over 200 code defects. For more information, see Code Analysis for Managed Code Overview.
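The first two items in the list (overflow checking and restrictive parameter types), shown as an added C# example that is not part of the original page. The class and method names, the 1 MB cap, and the sample values are constructed for illustration.

```csharp
using System;

static class SizeArithmetic
{
    const uint MaxBufferBytes = 1024 * 1024; // constructed cap for this example

    // Unchecked: a product larger than uint.MaxValue silently wraps around.
    static uint TotalBytesUnchecked(uint count, uint elementSize)
    {
        unchecked { return count * elementSize; }
    }

    // Checked: the same overflow raises OverflowException instead.
    static uint TotalBytesChecked(uint count, uint elementSize)
    {
        checked { return count * elementSize; }
    }

    // uint parameters rule out negative sizes at the type level; the checked
    // multiply and the cap reject sizes that are too large.
    static bool TryAllocate(uint count, uint elementSize, out byte[] buffer)
    {
        buffer = null;
        try
        {
            uint total = TotalBytesChecked(count, elementSize);
            if (total > MaxBufferBytes) return false;
            buffer = new byte[total];
            return true;
        }
        catch (OverflowException)
        {
            return false; // respond to the bad size without exposing details
        }
    }

    static void Main()
    {
        uint count = 0x40000001, elementSize = 4; // constructed input; true product needs 33 bits

        // The wrapped value is far smaller than the real size, so a later
        // bounds check against it would pass for the wrong reason.
        Console.WriteLine("unchecked total: " + TotalBytesUnchecked(count, elementSize));

        byte[] buffer;
        Console.WriteLine("allocation accepted: " + TryAllocate(count, elementSize, out buffer));
        Console.WriteLine("small request accepted: " + TryAllocate(16, 4, out buffer));
    }
}
```

The explicit `checked` and `unchecked` blocks behave the same way regardless of the project-wide overflow setting, so the size calculation stays protected even if the build option is turned off.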