November 2004

Attack Surface: Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code. Michael Howard

App Lockdown: Defend Your Apps and Critical User Info with Defensive Coding Techniques

Whether you're storing database connection strings, user credentials, or logon info, you'll need to practice good defensive programming techniques to avoid those surprise situations in which your data is exposed. In this article, author Kenny Kerr shows you how. Kenny Kerr

Cryptography: Employ Strong Encryption in Your Apps with Our CryptoUtility Component

When storing sensitive data, you need to be able to identify threats, determine how these threats interact with each other, and understand how issues can combine to constitute a vulnerability that will leave your data exposed. With a good understanding of the various cryptographic algorithms, salt, hashes, ACLs, and other available techniques, you'll be in a better position to protect your critical data. Michael Stuart and J Sawyer

Trustworthy Code: Exchange Data More Securely with XML Signatures and Encryption

You can sign any kind of data using XML Signature, including part of an XML document, other XML documents, or other data of any format. However, in practice, XML signatures are most frequently used to sign other data represented in XML. In this article, the authors discuss the new standard and how you can benefit from it in your apps. Mike Downen and Shawn Farkas

Safety in Windows: Manage Access to Windows Objects with ACLs and the .NET Framework

Until now, Microsoft did not provide explicit support in the .NET Framework for manipulating security settings. With the .NET Framework 1.x, access can only be granted to users via a series of cumbersome P/Invoke calls. By introducing the concepts of security objects and rules, the .NET Framework 2.0 allows developers to manipulate security settings of objects in a few easy steps using managed code. Want to know more? Read on. Mark Novak

Intrusion Prevention: Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004

Once you've addressed security in your code, it's time to look at the environment it runs in. Firewalls stop unauthorized traffic from getting into your network, and smart Web service-specific firewalls, like the one that comes with Internet Security and Acceleration (ISA) Server 2004, bring XML intrusion prevention to your system for that added layer of safety. Dino Esposito


Columns

Editor's Note: Vote Early and Often for MSDN Magazine
As this issue of MSDN Magazine goes to press, Election Day is drawing near. Like many candidates for office, this magazine sports some bold cover lines and bright, appealing pictures. Unlike those same politicians, however, we will keep working for you month after month, year after year, even after you elect to purchase the magazine.
New Stuff: Resources for Your Developer Toolbox
Jungo Software Technologies has announced the release of Go-HotSwap 6.22, a complete off-the-shelf software package offering a solution for hardware vendors, system integrators, and operating system vendors, aiming to provide hot-swap capabilities to their users. Nancy Michell
Web Q&A: ADO.NET Joins, HTML to XHTML, ASP.NET ViewState, and More
Edited by Nancy Michell
Data Points: Updating Data in Linked Servers, Information Schema Views, and More
Every day a developer somewhere needs to write code to iterate through SQL Server™ system objects, query and update tables in linked servers, handle optimistic concurrency, and retrieve column and stored procedure metadata. John Papa
Test Run: API Test Automation in .NET
The most fundamental type of software test automation is automated API testing. API testing essentially entails testing the individual methods that make up a software system rather than testing the overall system itself. James McCaffrey
Advanced Basics: Digital Grandma
As a parent of a young child, I take a lot of pictures—many more than anyone would ever be interested in seeing. Well, anyone except my mother. This is her first grandchild and the one or two pictures I send to her each week only brush the surface of her grandmotherly needs. Duncan Mackenzie
Cutting Edge: The ASP.NET 2.0 Wizard Control
ASP.NET has a lot to offer to both the low-level programmer willing to control every little step of the code and the busiest of developers who needs to point-and-click his way through Web app development using just a few existing components. Dino Esposito
Service Station: Improving Web Service Interoperability
If interoperability is the main promise of Web services, why is it that so many developers and organizations have a difficult time achieving it in practice? With all due respect to our hard-working standards bodies, the primary culprits are the imperfect specifications guiding today's implementations. Aaron Skonnard
.NET Matters: ThreadPoolPriority, and MethodImplAttribute
Stephen Toub
C++ Q&A: Calling Virtual Functions, Persisting View State, POD Type
Paul DiLascia
{End Bracket}: A Tidal Wave of Change
I surf the Net somewhat obsessively when I have spare time, and I often read various discussion forums such as Slashdot and Neowin. Now, the journalism at those sites isn't always the highest quality, and I have noticed a marked lack of perspective on the level of changes that have occurred in this industry. Larry Osterman