Microsoft Dot Net

ASAP Medical Systems Medical Resellers Medical Software HIPAA Microsoft Dot Net Company


Dot Net Security Overview:

This paper presents an overview of the security architecture of Microsoft's .NET Framework. This paper is based on a long-term, independent security analysis performed by Foundstone, Inc. and CORE Security Technologies, beginning in the summer of 2000.

Our analysis revealed that, used properly, the .NET Framework gives developers and administrators granular security control over their applications and resources; provides developers with an easy-to-use toolset to implement powerful authentication, authorization, and cryptographic routines; eliminates many of the major security risks facing applications today due to flawed code (such as buffer overflows); and shifts the burden from having to make critical security decisions—such as whether or not to run a particular application or what resources that application should be able to access—from end users to developers and administrators.

In the course of this document, we will explain how the .NET Framework's evidence- and role-based security features, code access security, verification process, cryptography support, isolated storage, and application domains work together to achieve these outcomes, providing a robust platform for developing and running all types of software applications, both client- and server-side. We conclude that the .NET Framework can provide organizations with greater assurance that their applications can resist known security attacks today and in the future.

Introduction

From the early stages of the development of the .NET Framework, Foundstone, Inc. and CORE Security Technologies have assisted Microsoft Corp. with analyzing and assessing the security of its architecture and implementation.

Our analysis of the .NET Framework began in the summer of 2000, before the first beta release of the software and continued up through Beta 2. The entire engagement encompassed over 2,800 hours of rigorous, independent security auditing and testing by a team of ten experts, during which we had full access to the source code and Microsoft engineers and became intimately familiar with the security architecture of the .NET Framework, from design principles to code-level implementation.

The audit followed standard methodologies developed by Foundstone, Inc. and CORE Security Technologies over many years of experience testing, assessing, and securing complex software applications for organizations ranging from members of the Fortune 500 to newly-minted startups. We like to say that we have seen "the good, the bad, and the ugly" from our perch as security solution providers, and the .NET Framework bore the brunt of our collective knowledge during our year of exposure to its inner workings.

This white paper focuses on the broad security features of the .NET Framework. It is based largely on the results of the assessment we performed over the last year and our continued interaction with the .NET Framework development team. The thoughts and opinions expressed herein are solely our own independent observations based on rigorous analysis and testing of many builds of the software. It is our hope that this document will promote understanding of security in the .NET Framework, and convey our confidence in that architecture and its implementation.

Scope & Objectives

In this document, we will review many of the common security challenges enterprises face during the design and development of software solutions, and outline how the .NET Framework provides a reasonable solution to these issues through its security architecture.

At all times, we will seek to make the complexities of .NET Framework security approachable to readers with at least a moderate technical background. We assume at least a basic familiarity with the .NET Framework, and do not spend inordinate time with background information on the basic technology involved. We provide many references for further reading at the end of this document for those seeking more deeply technical coverage of the .NET Framework.

Background: The Problem of Application Security

Practically no one today questions that many software applications are mission-critical, especially those that are built using Internet-based technologies. They have evolved from simple, static, data-manipulation channels into complex, dynamic, transaction-oriented pillars of corporate commerce.

The ever-increasing complexity and functionality of modern software applications has driven an unfortunate and alarming counter-trend, however: a growing number of organizations have fallen victim to assaults against their software from internal and external interlopers.

A Solution: An Architecture for Managing Software Risk

The managed code architecture of the .NET Framework provides a compelling solution to the problem of software application security. It transparently controls the behavior of code even in the most adverse circumstances, so that the risks inherent in all types of applications—client- and server-side—are greatly reduced. In fact, used appropriately, we believe that it is one of the best platforms for developing enterprise and Web applications with strict security requirements.

At a high-level, the .NET Framework gives developers and administrators granular security control over their applications and resources; provides developers with an easy-to-use toolset to implement powerful authentication, authorization, and cryptographic routines; eliminates many of the major security risks facing applications today due to flawed code (such as buffer overflows); and shifts the burden from having to make critical security decisions—such as whether or not to run a particular application or what resources that application should be able to access—from end users to developers and administrators.