Security for Microsoft Visual Basic .Net Programmers


  • Binding: Paperback, 396 pages
  • Language: English
  • Product code (ISBN): 9780735619197
  • DDC classification: 005.8

Full Description


Learn the techniques that every developer who works with Visual Basic .NET should know about designing, developing, and deploying security-enhanced applications for Microsoft Windows and the Web. Visual Basic .NET experts Ed Robinson and Mike Bond introduce critical security concepts using straightforward language and step-by-step examples. You get clear, end-to-end guidance covering application design, coding techniques, testing methods, and deployment strategies, along with direction on how to help secure the operating system and related infrastructure and services.

Discover how to:

  • Design a security-enhanced architecture
  • Understand the most common vulnerabilities and how to write code to prevent them
  • Implement authentication and authorization techniques in your applications
  • Learn techniques for encryption, input validation, and exception handling
  • Add Windows, Forms, and Passport authentication to Web applications
  • Perform a security threat analysis and implement countermeasures
  • Think like a hacker and uncover security holes
  • Create a setup for your application that implements security during installation
  • Lock down the Windows operating system, Microsoft IIS, Microsoft SQL Server, and Microsoft Access databases

Contents

Introduction xiii

PART I DEVELOPMENT TECHNIQUES

1 Encryption 3
  • Practice Files 5
  • Hash Digests 6
  • Private Key Encryption 11
  • Keeping Private Keys Safe 17
  • Public Key Encryption 19
  • Hiding Unnecessary Information 22
  • Encryption in the Real World 24
  • Summary 25

2 Role-Based Authorization 27
  • Role-Based Authorization Exercise 31
  • Windows Integrated Security 34
  • ASP.NET Authentication and Authorization 38
  • Role-Based Authorization in the Real World 41
  • Summary 42

3 Code-Access Security 45
  • How Actions Are Considered Safe or Unsafe 46
  • What Prevents Harmful Code from Executing? 47
  • It's On By Default 47
  • Security Features and the Visual Basic .NET Developer 48
  • Code-Access Security vs. Application Role-Based Security 49
  • Code-Access Security Preempts Application Role-Based Security 49
  • Run Your Code in Different Security Zones 51
  • What Code-Access Security Is Meant to Protect 55
  • Permissions: The Basis of What Your Code Can Do 55
  • Ensuring That Your Code Will Run Safely 66
  • Cooperating with the Security System 68
  • Code-Access Security in the Real World 72
  • Summary 73

4 ASP.NET Authentication 75
  • EmployeeManagementWeb Practice Files 77
  • Forms Authentication 77
  • Windows Integrated Security Authentication 84
  • Passport Authentication 88
  • Install the Passport SDK 90
  • ASP.NET Authentication in the Real World 98
  • Summary 98

5 Securing Web Applications 99
  • Secure Sockets Layer 102
  • How SSL Works 103
  • Securing Web Services 107
  • Implementing an Audit Trail 113
  • Securing Web Applications in the Real World 116
  • Summary 116

PART II ENSURING HACK-RESISTANT CODE

6 Application Attacks and How to Avoid Them 121
  • Denial of Service Attacks 122
  • Defensive Techniques for DoS Attacks 123
  • File-Based or Directory-Based Attacks 127
  • Defensive Technique for File-Based or Directory-Based Attacks 128
  • SQL-Injection Attacks 132
  • Defensive Techniques for SQL-Injection Attacks 135
  • Cross-Site Scripting Attacks 141
  • When HTML Script Injection Becomes a Problem 145
  • Defensive Techniques for Cross-Site Scripting Attacks 148
  • Child-Application Attacks 151
  • Defensive Technique for Child-Application Attacks 153
  • Guarding Against Attacks in the Real World 155
  • Summary 156

7 Validating Input 157
  • Working with Input Types and Validation Tools 158
  • Direct User Input 158
  • General Language Validation Tools 165
  • Web Application Input 172
  • Nonuser Input 174
  • Input to Subroutines 177
  • Summary 181

8 Handling Exceptions 183
  • Where Exceptions Occur 184
  • Exception Handling 186
  • Global Exception Handlers 192
  • Exception Handling in the Real World 195
  • Summary 196

9 Testing for Attack-Resistant Code 197
  • Plan of Attack: The Test Plan 198
  • Brainstorm: Generate Security-Related Scenarios 200
  • Get Focused: Prioritize Scenarios 204
  • Generate Tests 206
  • Attack: Execute the Plan 208
  • Testing Approaches 208
  • Testing Tools 213
  • Test in the Target Environment 217
  • Make Testing for Security a Priority 218
  • Common Testing Mistakes 218
  • Testing Too Little, Too Late 218
  • Failing to Test and Retest for Security 219
  • Failing to Factor In the Cost of Testing 220
  • Relying Too Much on Beta Feedback 220
  • Assuming Third-Party Components Are Safe 220
  • Testing in the Real World 221
  • Summary 222

PART III DEPLOYMENT AND CONFIGURATION

10 Securing Your Application for Deployment 225
  • Deployment Techniques 226
  • XCopy Deployment 226
  • No-Touch Deployment 227
  • Windows Installer Deployment 227
  • Cabinet-File Deployment 228
  • Code-Access Security and Deployment 230
  • Deploy and Run Your Application in the .NET Security Sandbox 231
  • Certificates and Signing 232
  • Digital Certificates 232
  • Authenticode Signing 235
  • Strong-Name Signing 238
  • Authenticode Signing vs. Strong Naming 242
  • Strong Naming, Certificates, and Signing Exercise 243
  • Deploying .NET Security Policy Updates 254
  • Update .NET Enterprise Security Policy 254
  • Deploy .NET Enterprise Security Policy Updates 259
  • Protecting Your Code: Obfuscation 264
  • Obscurity ≠ Security 265
  • Deployment Checklist 266
  • Deployment in the Real World 267
  • Summary 268

11 Locking Down Windows, Internet Information Services, and .NET 269
  • "I'm Already Protected. I'm Using a Firewall." 270
  • Fundamental Lockdown Principles 271
  • Automated Tools 273
  • Locking Down Windows Clients 275
  • Format Disk Drives Using NTFS 275
  • Disable Auto Logon 275
  • Enable Auditing 276
  • Turn Off Unnecessary Services 276
  • Turn Off Unnecessary Sharing 276
  • Use Screen-Saver Passwords 277
  • Remove File-Sharing Software 277
  • Implement BIOS Password Protection 277
  • Disable Boot from Floppy Drive 278
  • Locking Down Windows Servers 278
  • Isolate Domain Controller 278
  • Disable and Delete Unnecessary Accounts 278
  • Install a Firewall 279
  • Locking Down IIS 279
  • Disable Unnecessary Internet Services 279
  • Disable Unnecessary Script Maps 279
  • Remove Samples 280
  • Enable IIS Logging 280
  • Restrict IUSR_ 280
  • Install URLScan 280
  • Locking Down .NET 280
  • Summary 281

12 Securing Databases 283
  • Core Database Security Concepts 284
  • SQL Server Authentication 284
  • Determining Who Is Logged On 288
  • How SQL Server Assigns Privileges 289
  • SQL Server Authorization 291
  • Microsoft Access Authentication and Authorization 291
  • Microsoft Access User-Level Security Models 292
  • Locking Down Microsoft Access 297
  • Locking Down SQL Server 298
  • Summary 300

PART IV ENTERPRISE-LEVEL SECURITY

13 Ten Steps to Designing a Secure Enterprise System 303
  • Design Challenges 304
  • Step 1: Believe You Will Be Attacked 305
  • Step 2: Design and Implement Security at the Beginning 306
  • Step 3: Educate the Team 307
  • Step 4: Design a Secure Architecture 307
  • Named-Pipes vs. TCP-IP 310
  • If You Do Nothing Else 311
  • Step 5: Threat-Model the Vulnerabilities 311
  • Step 6: Use Windows Security Features 312
  • Step 7: Design for Simplicity and Usability 312
  • Step 8: No Back Doors 314
  • Step 9: Secure the Network with a Firewall 314
  • Step 10: Design for Maintenance 316
  • Summary 317

14 Threats: Analyze, Prevent, Detect, and Respond 319
  • Analyze for Threats and Vulnerabilities 320
  • Identify and Prioritize 321
  • Prevent Attacks by Mitigating Threats 326
  • Mitigating Threats 326
  • Detection 329
  • Early Detection 329
  • Detecting That an Attack Has Taken Place or Is in Progress 330
  • Respond to an Attack 333
  • Prepare for a Response 334
  • Security Threats in the Real World 334
  • Summary 335

15 Threat Analysis Exercise 337
  • Analyze for Threats 337
  • Allocate Time 338
  • Plan and Document Your Threat Analysis 339
  • Create a Laundry List of Threats 339
  • Prioritize Threats 344
  • Respond to Threats 346
  • Summary 347

16 Future Trends 349
  • The Arms Race of Hacking 350
  • No Operating System Is Safe 352
  • Cyber-Terrorism 352
  • What Happens Next? 354
  • Responding to Security Threats 356
  • Privacy vs. Security 356
  • The IPv6 Internet Protocol 359
  • Government Initiatives 360
  • Microsoft Initiatives 360
  • Summary 362

A Guide to the Code Samples 363
B Contents of SecurityLibrary.vb 375
INDEX 379