This book is an introduction to security for Visual Basic programmers. You’ll find it useful both as a prescriptive guide for writing secure applications and as a technical reference for how to actually implement security techniques in your own code. For example, in Chapter 1, “Encryption,” we explain what encryption is and when to use the different types of encryption, and we provide examples that show you how to actually encrypt and decrypt information.
Although there is already a wealth of information available about security, very little has been written that targets the Visual Basic programmer. In writing this book, we set out to change this. We have followed three principles that make this book better for the Visual Basic programmer than any other publication you will find on security:
Make it simple: Many security publications are shrouded in hard-to-understand jargon and difficult-to-work-out acronyms, and they assume you already have a background in security. This book is different: we spell out every acronym, use easy-to-understand language, and explain in clear terms each security concept.
Clear guidance: Some security books explain security techniques without telling you where or where not to use them. This book is different: we offer clear guidance on how, when, and where you should use each security technique.
Complete assistance: Although this is an introductory-level book, it covers everything from coding techniques to designing a secure architecture to performing a security audit. Our intention was to provide an end-to-end introductory guide for producing secure applications.
The authors of this book, like you, are Visual Basic programmers. We use straight, no-nonsense talk, offer clear and simple solutions, and provide step-by-step examples—written entirely in Visual Basic, of course. To make it easier to find what you’re looking for, this book is divided into four sections, each section dealing with a different aspect of security:
Section 1 jumps straight into programming techniques such as encryption, role-based security, code access security, Microsoft ASP.NET authentication, and securing Web applications.
Section 2 is about identifying threats to your Visual Basic .NET application and neutralizing them by safeguarding input, properly handling exceptions, and testing your application for security vulnerabilities.
Section 3 discusses how to lock down the environments that your application runs in or depends upon such as the Microsoft Windows operating system, Internet Information Services, .NET runtime, Microsoft SQL Server, and Microsoft Access databases. In addition, this section discusses how to lock down your application for deployment.
Section 4 focuses on architecture: how to design secure systems, perform a security audit of your application, come up with a contingency plan, and execute that plan if an intruder does make his or her way past the security measures you have put into place.
Microsoft Visual Basic .NET is built on a number of technologies, including the .NET platform, Microsoft Visual Studio .NET, and of course the Microsoft Visual Basic .NET compiler. For the sake of simplicity and brevity, unless the distinction is important, we refer to all of these technologies collectively as Microsoft Visual Basic .NET. As a Microsoft Visual Basic .NET developer, you don’t need to think about these composite technologies to get your job done.
You’ll find many samples—both Windows Forms and ASP.NET Web applications—throughout this book that demonstrate important security concepts. The code samples are available on this book’s Web site at http://www.microsoft.com/mspress/books/6432.asp. To download the sample files, simply click the Companion Content link in the More Information menu on the right side of the Web page. This will load the Companion Content page, which includes links for downloading the sample files. To install the sample files, run the executable setup file downloaded from the Companion Content page, and follow the instructions in the setup program. A link to the sample code will be created on your Programs menu under Microsoft Press.
There are two sets of sample code, one set for Visual Basic .NET 2002 and one set for Visual Basic .NET 2003. The two sets are functionally equivalent; the reason for providing two sets is that Visual Basic .NET 2003 projects use a different file layout than Visual Basic .NET 2002. The setup program installs the two sets of sample code to directories named VB.NET 2002 and VB.NET 2003, with subdirectories organized by chapter number, having names such as CH01_Encryption, underneath these directories. Within the text, we refer you to the appropriate sample by directory name, such as CH01_Encryption, as needed. If you’d like to perform the steps as presented in the step-by-step exercises, start with the sample application located in the Start directory; or if you’d prefer to view the completed code, open the application located in the Finish directory. The system requirements for running the sample code files are the same as the requirements for Visual Basic .NET itself—ensure your computer has Visual Basic .NET 2002 or Visual Basic .NET 2003. Nothing extra is required. In addition, to run the Web samples, you’ll also need Microsoft Internet Explorer 5.5 or later and Internet Information Services (IIS) 5.0 or later. Although some exercises in this book refer to Microsoft Access or Microsoft SQL Server, these particular exercises are completely optional—the code in the sample files has been designed to run perfectly even if you haven’t installed these products.
Several samples throughout the book ask you to launch administrative tools or .NET Framework tools from the Visual Studio .NET Command Prompt. For the sake of convenience, you should consider adding a link to the Visual Studio .NET command prompt to your desktop. The following steps show you how to add a Visual Studio .NET command-prompt link to your desktop:
1. Open the Start menu, and navigate to the Visual Studio .NET Command Prompt located under the Visual Studio .NET Tools menu (located under the Microsoft Visual Studio .NET menu).
2. While holding down the right mouse button, drag the Visual Studio .NET Command Prompt to your desktop.
3. Release the right mouse button, and choose Create Shortcuts Here from the shortcut menu.
You should now have a convenient link to the Visual Studio .NET Command Prompt on your desktop.
For many programmers, security has been something to avoid—because they don’t understand security concepts, they shy away from implementing security features for fear of making a mistake. Above all else, we hope this book will spark your interest in security. This is a fascinating and rapidly evolving area of computing, and the techniques we discuss in this book are no longer simply for security specialists; they are essential for every programmer.
Every effort has been made to ensure the accuracy of this book and the sample files. If you run into a problem, Microsoft Press provides corrections for its books through the World Wide Web at the following Web site: http://www.microsoft.com/mspress/support/.
If you have problems, comments, or ideas regarding this book, please send them to Microsoft Press. You can contact Microsoft Press by sending e-mail to: mspinput@microsoft.com. Or you can send postal mail to
Microsoft Press
Attn: Security for Microsoft Visual Basic .NET Editor
One Microsoft Way
Redmond, WA 98052-6399
Please note that support for the Visual Basic .NET software product itself is not offered through the preceding addresses.
The authors wish to thank the following people: Our first and most influential reader, Mike “Shhh... don’t mention big brother systems” Pope; technical advisors, Erik “security god” Olson, David “Mr. Policy” Guyer, Dave “Mr. Deployment” Templin, Mike Neuburger, Michael Kogotkov, Ashvin Naik, John Hart and Adam Braden; our Microsoft Press support team, Denise “We can’t print that!” Bankaitis, Sally Stickney, Danielle Voeller, Roger LeBlanc, Chris “Brains” Wille; our boss, Rick “It’s a book about baseball? Sure I’ll approve it” Nasci; and our families, without whom none of this would be possible, Jane Bond, Sarah and Katie Bond, and Catherine Robinson and Stella Robinson.