Security for Visual Basic Programmers
As computer systems become increasingly interconnected, computer users and IT professionals are more and more concerned about security, and developers increasingly want to dive right into learning the latest security techniques. But as with skydiving, learning to create trustworthy code by trial and error is dangerous. This book simplifies the learning process by providing clear recommendations about best practices, step-by-step code walk-throughs, and concise explanations of key security terms, issues, and jargon for developers who work in Visual Basic. Programmers learn how to configure security tools, add security features to applications, and securely deploy and run applications created with Visual Basic .NET for both Microsoft Windows and the Web. Along the way, readers master common security principles and techniques, such as how to do private key encryption, implement a login screen, configure Microsoft .NET policy tools, and perform a security audit.
Table of contents:
PART I DEVELOPMENT TECHNIQUES
1 Encryption
Practice Files
Hash Digests
Private Key Encryption
Keeping Private Keys Safe
Public Key Encryption
Hiding Unnecessary Information
Encryption in the Real World
Summary
2 Role-Based Authorization
Role-Based Authorization Exercise
Windows Integrated Security
ASP.NET Authentication and Authorization
Role-Based Authorization in the Real World
Summary
3 Code-Access Security
How Actions Are Considered Safe or Unsafe
What Prevents Harmful Code from Executing?
It's On By Default
Security Features and the Visual Basic .NET Developer
Code-Access Security vs. Application Role-Based Security
Code-Access Security Preempts Application Role-Based Security
Run Your Code in Different Security Zones
What Code-Access Security Is Meant to Protect
Permissions - The Basis of What Your Code Can Do
Ensuring That Your Code Will Run Safely
Cooperating with the Security System
Code-Access Security in the Real World
Summary
4 ASP.NET Authentication
EmployeeManagementWeb Practice Files
Forms Authentication
Windows Integrated Security Authentication
Passport Authentication
Install the Passport SDK
ASP.NET Authentication in the Real World
Summary
5 Securing Web Applications
Secure Sockets Layer
How SSL Works
Securing Web Services
Implementing an Audit Trail
Securing Web Applications in the Real World
Summary
PART II ENSURING HACK-RESISTANT CODE
6 Application Attacks and How to Avoid Them
Denial of Service Attacks
Defensive Techniques for DoS Attacks
File-Based or Directory-Based Attacks
Defensive Technique for File-Based or Directory-Based Attacks
SQL-Injection Attacks
Defensive Techniques for SQL-Injection Attacks
Cross-Site Scripting Attacks
When HTML Script Injection Becomes a Problem
Defensive Techniques for Cross-Site Scripting Attacks
Child-Application Attacks
Defensive Technique for Child-Application Attacks
Guarding Against Attacks in the Real World
Summary
7 Validating Input
Working with Input Types and Validation Tools
Direct User Input
General Language Validation Tools
Web Application Input
Nonuser Input
Input to Subroutines
Summary
8 Handling Exceptions
Where Exceptions Occur
Exception Handling
Global Exception Handlers
Exception Handling in the Real World
Summary
9 Testing for Attack-Resistant Code
Plan of Attack - The Test Plan
Brainstorm - Generate Security-Related Scenarios
Get Focused - Prioritize Scenarios
Generate Tests
Attack - Execute the Plan
Testing Approaches
Testing Tools
Test in the Target Environment
Make Testing for Security a Priority
Common Testing Mistakes
Testing Too Little, Too Late
Failing to Test and Retest for Security
Failing to Factor In the Cost of Testing
Relying Too Much on Beta Feedback
Assuming Third-Party Components Are Safe
Testing in the Real World
Summary
PART III DEPLOYMENT AND CONFIGURATION
10 Securing Your Application for Deployment
Deployment Techniques
XCopy Deployment
No-Touch Deployment
Windows Installer Deployment
Cabinet-File Deployment
Code-Access Security and Deployment
Deploy and Run Your Application in the .NET Security Sandbox
Certificates and Signing
Digital Certificates
Authenticode Signing
Strong-Name Signing
Authenticode Signing vs. Strong Naming
Strong Naming, Certificates, and Signing Exercise
Deploying .NET Security Policy Updates
Update .NET Enterprise Security Policy
Deploy .NET Enterprise Security Policy Updates
Protecting Your Code - Obfuscation
Obscurity Security
Deployment Checklist
Deployment in the Real World
Summary
11 Locking Down Windows, Internet Information Services, and .NET
"I'm Already Protected. I'm Using a Firewall."
Fundamental Lockdown Principles
Automated Tools
Locking Down Windows Clients
Format Disk Drives Using NTFS
Disable Auto Logon
Enable Auditing
Turn Off Unnecessary Services
Turn Off Unnecessary Sharing
Use Screen-Saver Passwords
Remove File-Sharing Software
Implement BIOS Password Protection
Disable Boot from Floppy Drive
Locking Down Windows Servers
Isolate Domain Controller
Disable and Delete Unnecessary Accounts
Install a Firewall
Locking Down IIS
Disable Unnecessary Internet Services
Disable Unnecessary Script Maps
Remove Samples
Enable IIS Logging
Restrict IUSR_
Install URLScan
Locking Down .NET
Summary
12 Securing Databases
Core Database Security Concepts
SQL Server Authentication
Determining Who Is Logged On
How SQL Server Assigns Privileges
SQL Server Authorization
Microsoft Access Authentication and Authorization
Microsoft Access User-Level Security Models
Locking Down Microsoft Access
Locking Down SQL Server
Summary
PART IV ENTERPRISE-LEVEL SECURITY
13 Ten Steps to Designing a Secure Enterprise System
Design Challenges
Step 1: Believe You Will Be Attacked
Step 2: Design and Implement Security at the Beginning
Step 3: Educate the Team
Step 4: Design a Secure Architecture
Named-Pipes vs. TCP-IP
If You Do Nothing Else
Step 5: Threat-Model the Vulnerabilities
Step 6: Use Windows Security Features
Step 7: Design for Simplicity and Usability
Step 8: No Back Doors
Step 9: Secure the Network with a Firewall
Step 10: Design for Maintenance
Summary
14 Threats - Analyze, Prevent, Detect, and Respond
Analyze for Threats and Vulnerabilities
Identify and Prioritize
Prevent Attacks by Mitigating Threats
Mitigating Threats
Detection
Early Detection
Detecting That an Attack Has Taken Place or Is in Progress
Respond to an Attack
Prepare for a Response
Security Threats in the Real World
Summary
15 Threat Analysis Exercise
Analyze for Threats
Allocate Time
Plan and Document Your Threat Analysis
Create a Laundry List of Threats
Prioritize Threats
Respond to Threats
Summary
16 Future Trends
The Arms Race of Hacking
No Operating System Is Safe
Cyber-Terrorism
What Happens Next?
Responding to Security Threats
Privacy vs. Security
The IPv6 Internet Protocol
Government Initiatives
Microsoft Initiatives
Summary
A Guide to the Code Samples