Practice and Theory of Security Reviews

Click here if you want to skip all the theory and just go to the Security Reviews Heuristics Zoo. If you are a software security professional, you might have been asked at some point to conduct a “security design review”. If you felt lost at that point, this article may help you. Here I tried to summarize my…

More on 2.0 changes: Delegates Security

================================= The text below is provided “AS IS”, without any responsibilities attached to it. It represents the author’s personal opinion and knowledge, and does not necessarily reflect recommended best practices of Microsoft. The author does not assume any responsibility caused by the use of the following information. ================================= If you create a Delegate around a function protected…

FullTrust means Full Trust

The text below is provided “AS IS”, without any responsibilities attached to it. It represents the author’s personal opinion and knowledge, and does not necessarily reflect recommended best practices of Microsoft. The author does not assume any responsibility caused by the use of the following information. ================================= Well, here is another post after a long, long break. This…

Some tips on testing managed code Security.

<Disclaimer> The text below represents the author’s personal opinion and does not necessarily reflect Microsoft recommended best practices. The author does not assume any responsibility caused by the use of the following information. </Disclaimer> Some quick tips on testing managed code Security. So now you are developing or testing some managed application. You’ve heard lots about .NET…

Sample of non-CAS custom permission with declarative form supported.

Why? Recently, I started seeing numerous requests regarding creation of custom permissions that do not inherit from CodeAccessPermission and thus do not perform a stack walk. There is nothing special about implementing such classes. In fact, it is easier than with CodeAccessPermission as a base. However, having a sample handy, I just decided to share it here…

How to Demand several StrongNameIdentityPermissions “at the same time” in 1.0 and 1.1.

Problem Statement: Code Access Security provides developers with numerous ways of protecting their methods from unauthorized or untrusted callers, including use of the caller’s StrongName signature to identify it. So if one would like to make sure that all the callers of some method are signed with a particular key [what is almost equivalent to being shipped…