The Security Innovation Europe Blog

How to Train Secure .NET Developers

Posted by Alan Pearson on May 11, 2015


Secure application development should be a priority for all developers – but with so many different technologies, languages and frameworks in use, it can be a challenge for developers to prioritise effective security.

In addition to the basic tenets of secure application development, developers need to understand which aspects of their chosen speciality differ from other development frameworks. .NET is one of the more common specialities, but relatively few developers are aware of the framework’s security best practices.

As with all types of specialised development, there are a handful of security issues and development tools which are unique to Microsoft’s .NET system. To train secure .NET developers, it’s essential for your organisation to implement training that covers these three crucial areas.

1) Managed vs. Unmanaged Code

.NET supports two types of coding, and allows developers to create both managed and unmanaged code:

Managed Code

Code developed within the .NET framework is known as managed code, and is executed by Microsoft’s Common Language Runtime (CLR). The CLR ‘looks after’ managed code by managing memory, performing run-time and reference checking and, as we’ll see, handling aspects of its security.

Unmanaged Code

Code developed outside of the .NET framework is not executed by the CLR, and is known as unmanaged code.

As Visual C++ allows for the creation of both managed and unmanaged code, it’s possible to combine both types of code within a single application. This has important consequences for .NET development, as the combination of managed and unmanaged code can bring with it a unique set of security issues. Secure .NET developers need to understand the best practices of writing both managed and unmanaged code, as well as the implications of combining both within a single project.

2) Code Access Security

Code Access Security (CAS) is effectively the CLR’s own built-in security system. The CLR ensures that code can only perform actions if it has suitable permissions to do so. CAS enforces this by preventing unauthorised access to protected resources and operations.

Understanding CAS is a crucial part of secure .NET development, with the system enabling developers to perform dozens of crucial security tasks. CAS makes it possible for developers to:

  • Define the permissions required to access system resources.
  • Create code groups to associate code with different permissions.
  • Enable code to request the permissions it needs to run (and specify which permissions it should never have).
  • Grant permissions according to code request and permitted security policy.
  • Enforce runtime restrictions.

3) .NET Cryptography

The .NET framework supports one-way hashing, and a range of symmetric and asymmetric encryption algorithms. .NET developers can also take advantage of Microsoft’s CryptoStream, which wraps an existing Stream and automatically encrypts the data passing through it. With protection of sensitive user data a growing priority for all application developers, being able to effectively use the framework’s supported algorithms is an essential part of secure .NET development.

With all forms of data encryption, there’s also a trade-off at play. The more sophisticated the encryption algorithm you choose to use, the more secure your data will be – but the more likely it is to suffer some form of performance degradation as a result. It’s essential for .NET developers to have a thorough understanding of the framework’s most common encryption and hashing methods – as well as the ability to choose algorithms proportionate to the sensitivity of the data protected.