Security (C# Programming Guide) 

Security is an indispensable aspect of every C# applications, and must be considered at every phase of development: not merely when design and implementation are complete.

C# Specific Security Recommendations

This list is in not an exhaustive list of potential security problems. It highlights some common issues of which C# developers need to be aware.

• Use the checked keyword to control the overflow-checking context for integral-type arithmetic operations and conversions.

• Always use the most restrictive data type for parameters. For example, when passing a value into a method that describes the size of a data structure, use unsigned integer rather than integer.

• Do not make decisions based on filenames. Filenames can be expressed in many different ways, and your test for a particular file may be bypassed.

• Never, ever hardcode passwords or other sensitive information into your application.

• Always validate input that is used to generate SQL queries.

• Validate all inputs into your methods. The regular expression methods in System.Text.RegularExpressions namespace are useful for confirming input is of the correct form, such as an email address.

• Don't display exception information: it provides any would-be attacker with valuable clues.

• Ensure your application works while running with the least possible privileges. Few applications require a user to be logged in as an administrator.

• Don't use your own encryption algorithms, use the System.Security.Cryptography classes.

• Give your Assemblies strong names.

• Don't store sensitive information in XML or other configuration files.

• Check managed code that wraps native code carefully. Confirm the native code is secure, especially with regard to buffer overruns.

• Use caution when using delegates passed from outside your application.

• Run FxCop on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. FxCop can also find and warn against over 200 code defects.

In This Section

The following MSDN topics provide in-depth information on creating secure, reliable software.

• Microsoft Security Developer Center.

• Defend Your Apps and Critical User Info with Defensive Coding Techniques.

• An Overview of Security in the .NET Framework.

• Defend Your Code with Top Ten Security Tips Every Developer Must Know.

• Security Brief: Beware of Fully Trusted Code.

• Programmatically check for canonicalization issues with ASP.NET.

• Security in Windows Forms Overview

• Writing Secure Managed Controls

See Also

Concepts

C# Programming Guide