Developing Applications by Using Security Best Practices

Develop code under a least privilege account within the development environment
    Configure the Microsoft .NET development environment and operating system
    Select the appropriate privileges

Develop code that runs under a least privilege account at run time
    Develop code to run under a least privilege account that does not have administrator privileges
    Use least privilege for access to resources such as the file system, registry entries, and database

Analyze security implications of calling unknown code
    Write code to verify that the identity of a COM component matches the identity expected
    Validate that data to and from third-party components conforms to the expected size, format, and type
    Test for integrity of data after transmission
    Evaluate unmanaged code

Write code that addresses failures in a manner that does not compromise security
    Write code that defaults to a permission set that is more secure than the permission set that existed before the errors or issues occurred
    Create error messages that do not compromise security

Develop code that includes security measures in each tier of the solution, also known as defense in depth

Implement application functionality to apply defaults that minimize security threats

Write code to prevent canonicalization problems
    Create canonical references for resources
    Validate that a reference is canonical

Validate external input at every boundary level to prevent security problems
    Write code to test strings by using regular expressions
    Write code to test the size of data
    Write code to prevent SQL injection and cross-site scripting

Developing .NET Applications That Include Security Enhancements

Implement security by using application domains

Implement authentication
    Implement a custom authentication mechanism in a Windows Forms application
    Implement an appropriate Web application or Web service authentication mechanism to accommodate specific application security requirements
    Implement functionality by consuming authenticated user information such as the IPrincipal, Membership, and Identity components of the .NET base class library

Write authorization code
    Programmatically control access to functionality and data by using user information such as user identity, group membership, and other custom user information
    Control access to Web applications by using URL authorization
    Programmatically control access to functionality and data by using identities or criteria that are independent of user identity

Sign data by using certificates

Implement data protection
    Use .NET cryptographic techniques
        Encrypt and decrypt data by using symmetric and asymmetric cryptographic functions
        Compute hashes by using cryptographic functions
        Write code to create cryptographically random numbers for cryptographic functions
    Protect data in files and folders by creating, modifying, and deleting discretionary access control list (DACL) or security access control list (SACL) entries
    Encrypt and decrypt data by using the Data Protection API (DPAPI)

Implement security for an application or shared library by using .NET code access security
    Demand a code access permission such as FileIOPermission
    Group code access permissions into a permission set
    Override code access security checks
    Protect a resource in a library
    Specify the permission requests of an application
    Customize code access security

Access remote functionality in a manner that minimizes security risks
    Use Web Services Enhancements for Microsoft .NET (WSE), such as WS-Security and WS-Interoperability
    Configure .NET remoting for security

Configuring Application Security by Using the Microsoft .NET Framework and Operating System Tools

Work with .NET security policies. Tools include the .NET Framework Configuration tool and the Code Access Security Policy tool

Analyze the code access permissions of an assembly by using the Permissions View tool

Configure security by using IIS and ASP.NET
    Understand the security implications of impersonation
    Configure ASP.NET impersonation
    Configure Web folder permissions
    Set appropriate permissions on Web application files
    Configure a Web page or Web service to use SSL/TLS

Stabilizing and Releasing Applications in a Manner That Minimizes Security Risks

Perform unit testing on applications and components to identify security vulnerabilities

Release applications in a manner that minimizes security risks
    Evaluate when to sign an assembly
    Implement delayed signing
    Create a strong named assembly
    Configure security settings by using the .NET Framework Configuration tool and the Code Access Security Policy tool at deployment