In today’s world, security is a very serious issue, one that developers all too often view as being SEP—someone else’s problem. I’d ascribe this state of affairs to, among other things, the fact that security very often deals with specific, rather rarefied skills like cryptography that many of us on the technology treadmill don’t have the time to adequately absorb in between learning all the new tricks offered by the slick new version of our chosen development platform. For .NET developers, there’s .NET Security, a surprisingly small and concise book from Apress on securing applications written for the .NET platform.

.NET Security

By Jason Bock, Pete Stromquist, Tom Fischer, and Nathan Smith
336 pages
Cover $44.95
Apress 2002
ISBN #1-59059-053-8
Highs: Well-written introduction to security tools and concepts for .NET
Lows: A few annoying source code errors. Not a lot of depth; basically a technology survey

In a relatively short 336 pages, .NET Security’s gaggle of four authors manage to impart a decent working knowledge of the .NET platform’s security features using a fun, informal style that’s entertaining and easy to read. The authors by and large take a teach-by-example approach for concepts as well as for code, which works very well.

The first few chapters concentrate on cryptography itself. The book begins with a general overview of cryptography and discussions of the various encryption methods and standards in use today. Later chapters build upon the foundation laid in chapter 1, and if you don’t happen to have a background in cryptography, or don’t know symmetric encryption from ciphertext stealing, you’ll want to study these early chapters and take copious notes. Otherwise you’ll find yourself constantly thumbing back to look up the three-letter acronyms used later in the text.

In chapter 2, the discussion of cryptography is turned specifically to .NET; here you’ll meet and learn to use the various .NET cryptography classes. Chapter 3 introduces XML encryption and signatures. Many code examples are thrown in to help keep things clear, but I think most of the topics could have benefited from a bit more discussion.

From cryptography to security
Beginning with chapter 4, .NET Security switches gears, beginning to concentrate more on security mechanisms than on cryptography. Chapters 4 and 5 cover, respectively, the built-in code access and role access security features of the .NET framework that provide a permission-and-request model for securing access to a system and its resources. Remote security is introduced in chapter 6, which begins with a brief overview of .NET’s remoting capabilities and wraps up with discussions of authentication, authorization, and impersonation.

Chapter 7 briefly deals with ASP.NET security. It provides some of the information you’ll need to secure Web applications running on IIS. You’ll want to look elsewhere for a comprehensive ASP.NET security guide, though, as the information relayed here is rather broad and general. However, this is understandable as doing justice to a topic as complex as security under ASP.NET would really require an entire book.

Chapter 8 discusses Passport, which will certainly be of interest to Web and Web service developers. The book concludes with a short discussion of code obfuscation and tips on preventing decompilation of your assemblies in chapter 9.

A great introduction
I liked this book, though it’s not without its share of problems. For one thing, there are some minor problems with the source code examples. There are simple misspellings that are easy to figure out, but they do tend to make the cryptographic examples, in particular, rather cryptic, if you’ll pardon the pun. For another, some of the source code examples don’t seem to have enough detail to be clear. I found myself rereading entire sections to figure out why a few of the examples worked the way they did. Granted, I’m no security or cryptography expert, but shouldn’t the measure of an introductory book be how clear it makes things for a novice? Viewed in this light, there could be some improvements made.

In contrast, the conceptual examples are quite clear. I particularly enjoyed the discussion of the security problems with COM interfaces that was used as a lead-in to code access security in chapter 4. I’m not sure which of the four authors was responsible for the humor, but whoever it was should be lauded for lightening up what could otherwise have been an obscenely dull read.

Overall, .NET Security is not the authoritative book on all aspects of .NET security, but the blurbs on the back cover really don’t promote it as such. What it is, however, is a nicely crafted introductory guide to many of the tools and concepts you’ll need to understand to take advantage of .NET’s new security features.