Franc Stratton's .NET (TM) Web Application, OOP, and SOA Architecture & Programming Site

A site devoted to ASP.NET (TM), Silverlight (TM) and Browser-Based WPF (TM) Applications, IIS Services, and OOP Architectures

.NET Security

Any .NET development group should treat secure programming as a first-order concern: an IT organization has a fiduciary responsibility to safeguard the public and private information it accesses, stores, and processes. .NET development should therefore approach ASP.NET, Silverlight, WPF forms, intranet Web, and Internet Web applications with measures that raise their level of security against external as well as internal threats.

Figure 1 below (from Microsoft's Security Guidelines: ASP.NET 2.0) shows how a .NET development group secures Internet and intranet web applications and WPF forms applications against outside threats. IT systems personnel handle firewall and host server setup and hardening, including the relevant manufacturer and supplier best-practice, update, and patch recommendations and configuration requirements. The .NET development group is responsible for following development and deployment best practices and security recommendations for the applications themselves; these responsibilities apply equally whether the group is building ASP.NET intranet applications, ASP.NET Internet applications, or WPF applications.

The primary areas of concern for a .NET group's application development include:

• Input validation
• Authentication
• Authorization
• Configuration Management
• Sensitive Data
• Session Management
• Cryptography
• Parameter Manipulation
• Exception Management
• Auditing and Logging
• SQL Injection
• Cross-site Scripting

Figure 1: The Microsoft .NET Security Model
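As an added worked example (not code from the original site), the following C# console program applies three of the areas listed above to one request value: allow-list input validation, SQL injection in its concatenated and parameterized forms side by side, and HTML output encoding against cross-site scripting. The user-name pattern, the Users table, the connection string and the sample inputs are assumptions constructed for the example; the parameterized command is built but never executed, so no database is needed to run it (targets .NET Framework 4.0 or later, where System.Net.WebUtility is available).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not from the original site. Table name, pattern and
// connection string are assumptions made for illustration only.
static class AccountLookup
{
    // Input validation: an allow-list of the shape a user name may take.
    // Reject anything else before it reaches SQL, HTML or a log file.
    static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string value)
    {
        return value != null && UserNamePattern.IsMatch(value);
    }

    // SQL injection, vulnerable form: the input becomes part of the query text.
    public static string VulnerableQuery(string userName)
    {
        return "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SQL injection, hardened form: the input travels as a typed parameter,
    // so the database never parses it as SQL.
    public static SqlCommand SafeCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }

    // Cross-site scripting: encode at the point of output so the browser
    // renders the value as text rather than parsing it as markup.
    public static string RenderGreeting(string userName)
    {
        return "<p>Welcome, " + WebUtility.HtmlEncode(userName) + "</p>";
    }

    static void Main()
    {
        // Constructed sample inputs: a normal name, an injection attempt, an XSS attempt.
        string[] samples = { "alice", "x' OR '1'='1", "<script>alert(1)</script>" };

        // Assumed connection string; the connection is never opened.
        string connectionString = "Server=.;Database=App;Integrated Security=true";

        foreach (string input in samples)
        {
            Console.WriteLine("input: " + input);
            Console.WriteLine("  passes validation: " + IsValidUserName(input));
            Console.WriteLine("  concatenated SQL:  " + VulnerableQuery(input));

            using (var conn = new SqlConnection(connectionString))
            {
                SqlCommand cmd = SafeCommand(conn, input);
                Console.WriteLine("  parameterized SQL: " + cmd.CommandText
                    + "  [@userName = " + cmd.Parameters["@userName"].Value + "]");
            }

            Console.WriteLine("  encoded HTML:      " + RenderGreeting(input));
            Console.WriteLine();
        }
    }
}
```

Running it makes the contrast visible in the output: the injection sample is spliced into the concatenated query text but stays a plain string value in the parameterized command, and both attack samples fail the allow-list check, so in a real handler they would be rejected before either query or page rendering is reached. Validation, parameterization and output encoding are layered here on purpose; none of the three is a substitute for the others.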