Slashdot Mirror
Developing Securely In Windows
FrazzledDad writes "No, really. Please pick yourself up off the floor and stop laughing. Yes, there are good books on developing Windows software in a secure fashion. Keith Brown's The .NET Developer's Guide to Windows Security is right alongside Howard and LeBlanc's Writing Secure Code as examples of good Windows security works. Brown's book should be on any .NET Developer's bookshelf and will be of use to developers who work in other development platforms on Windows." Read on for the rest of the review.
The .NET Developer's Guide to Windows Security
author
Keith Brown
pages
408
publisher
Addison-Wesley
rating
9
reviewer
Jim Holmes
ISBN
0321228359
summary
Terrific coverage of how to go about securely developing .NET software
I know the entire topic of Windows security may kick off a "slightly" enthusiastic debate among Slashdotters. I'd really prefer not to get wrapped up in a fray, so let me just say that a professional software developer needs to well understand the security issues in the environment and platform they're working on. This book's an important aid in that understanding. Great Fundamentals
Brown's book is broken into six parts, ranging from "The Big Picture", an overview of security on Windows, to "Access Control" and a wrap-up "Miscellaneous." Each part is made up of numerous "items," one topic which Brown elaborates on.
Brown covers a lot of very basic, important fundamentals such as "What is Authentication?", "What is a Luring Attack?", and "What is Kerberos?" He gives concise, clear overviews of each topic, then gets into the weeds where necessary.
For example, one of Brown's first emphatic points is that development on Windows platform shouldn't be done using an account with Administrator privileges. He covers the "why" in several early items, then spends 11 pages in Item 9 showing the approaches, tools, and issues involved in developing under a non-Admin account. This particular item needs to be stapled to far too many developers' foreheads because they don't understand, or care about, the ramifications of development as an Admin. Great Details
Brown also goes into great detail on many Items. His discussion of IPSEC is a good example. He spends Item 68 on the fundamentals of IPSEC such as key exchange and authentication, then goes on in Item 69 to discuss the details of implementing IPSEC via policies in a domain. He covers client and server configurations, then gives rationale for selecting various options. He also talks about why it's not the best solution, or even a complete solution, but does point out where IPSEC makes sense.
COM programming gets an entire section/part to itself, and Brown does a great job explaining the complex issues surrounding securing COM(+) communication. He discusses Authentication, Impersonation, and what calls you need to make in your Main method to properly invoke various COM security aspects.
Threat Modeling gets its own Item, but isn't covered in great depth. Brown lays out Microsoft's STRIDE system (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) as a guideline for threat modeling. He also talks a bit about attack trees. Neither topic gets substantial treatment; however, Brown makes it clear he's only introducing these topics and points readers to several other resources such as Swiderski and Snyder's Threat Modeling. Great List of Cons and Problems
Part of good software engineering is understanding the ramifications of choices you make. Brown's very good about laying out the "Why" for his items, plus he's also clear where hard choices have to be made.
For example, in his discussion of IPSEC he asks "Where is IPSEC useful? When you don't have any better alternatives." He goes on to show how IPSEC can be used to help COM servers talk securely, or in .NET Remoting under the 1.1 Framework which stupidly doesn't provide secure communication channels.
Another example might be the erasability of a secret under .NET. Managed environments such as .NET and Java don't make it easy to ensure secrets (passwords, keys, etc.) can be erased out of the managed memory heap or at least overwritten immediately after their purpose is fulfilled. Not only can the object's memory be left unerased, but what about controlling whether it's written out to a swapfile? Brown points out these sorts of issues and tries to point out how to deal with them. What the Book Doesn't Cover
Brown's book isn't so much about specific coding techniques, although there are a fair number of those within. You won't find specifics on .NET's code access security, or issues around cross-site scripting. You'll need to look to Howard and LeBlanc's Writing Secure Code for code specifics.
Rather, the book is more about approaches to secure development on Windows. Brown's book also isn't about security and threat analysis, but again, he's forthright about that and points readers to other sources.
Bill Wagner, author of Effective C#, points out on his blog that Brown's book would be more usable if "titles [were] organized around the tasks I need to perform." I think that's a good criticism - a cookbook format would be a great improvement for a second edition. Summary
The book's very well written with a good index and a terrific Bibliography which serves as a great reading list for furthering one's knowledge of security on the Windows platform.
I've found the book very educational and useful. It's an important addition to my bookshelf and has already helped me with a couple of important topics. I think any professional, contentious developer working in the Windows environment would find this a vital addition to their bookshelf as well."
You can purchase The .NET Developer's Guide to Windows Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I know the entire topic of Windows security may kick off a "slightly" enthusiastic debate among Slashdotters. I'd really prefer not to get wrapped up in a fray, so let me just say that a professional software developer needs to well understand the security issues in the environment and platform they're working on. This book's an important aid in that understanding. Great Fundamentals
Brown's book is broken into six parts, ranging from "The Big Picture", an overview of security on Windows, to "Access Control" and a wrap-up "Miscellaneous." Each part is made up of numerous "items," one topic which Brown elaborates on.
Brown covers a lot of very basic, important fundamentals such as "What is Authentication?", "What is a Luring Attack?", and "What is Kerberos?" He gives concise, clear overviews of each topic, then gets into the weeds where necessary.
For example, one of Brown's first emphatic points is that development on Windows platform shouldn't be done using an account with Administrator privileges. He covers the "why" in several early items, then spends 11 pages in Item 9 showing the approaches, tools, and issues involved in developing under a non-Admin account. This particular item needs to be stapled to far too many developers' foreheads because they don't understand, or care about, the ramifications of development as an Admin. Great Details
Brown also goes into great detail on many Items. His discussion of IPSEC is a good example. He spends Item 68 on the fundamentals of IPSEC such as key exchange and authentication, then goes on in Item 69 to discuss the details of implementing IPSEC via policies in a domain. He covers client and server configurations, then gives rationale for selecting various options. He also talks about why it's not the best solution, or even a complete solution, but does point out where IPSEC makes sense.
COM programming gets an entire section/part to itself, and Brown does a great job explaining the complex issues surrounding securing COM(+) communication. He discusses Authentication, Impersonation, and what calls you need to make in your Main method to properly invoke various COM security aspects.
Threat Modeling gets its own Item, but isn't covered in great depth. Brown lays out Microsoft's STRIDE system (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) as a guideline for threat modeling. He also talks a bit about attack trees. Neither topic gets substantial treatment; however, Brown makes it clear he's only introducing these topics and points readers to several other resources such as Swiderski and Snyder's Threat Modeling. Great List of Cons and Problems
Part of good software engineering is understanding the ramifications of choices you make. Brown's very good about laying out the "Why" for his items, plus he's also clear where hard choices have to be made.
For example, in his discussion of IPSEC he asks "Where is IPSEC useful? When you don't have any better alternatives." He goes on to show how IPSEC can be used to help COM servers talk securely, or in .NET Remoting under the 1.1 Framework which stupidly doesn't provide secure communication channels.
Another example might be the erasability of a secret under .NET. Managed environments such as .NET and Java don't make it easy to ensure secrets (passwords, keys, etc.) can be erased out of the managed memory heap or at least overwritten immediately after their purpose is fulfilled. Not only can the object's memory be left unerased, but what about controlling whether it's written out to a swapfile? Brown points out these sorts of issues and tries to point out how to deal with them. What the Book Doesn't Cover
Brown's book isn't so much about specific coding techniques, although there are a fair number of those within. You won't find specifics on .NET's code access security, or issues around cross-site scripting. You'll need to look to Howard and LeBlanc's Writing Secure Code for code specifics.
Rather, the book is more about approaches to secure development on Windows. Brown's book also isn't about security and threat analysis, but again, he's forthright about that and points readers to other sources.
Bill Wagner, author of Effective C#, points out on his blog that Brown's book would be more usable if "titles [were] organized around the tasks I need to perform." I think that's a good criticism - a cookbook format would be a great improvement for a second edition. Summary
The book's very well written with a good index and a terrific Bibliography which serves as a great reading list for furthering one's knowledge of security on the Windows platform.
I've found the book very educational and useful. It's an important addition to my bookshelf and has already helped me with a couple of important topics. I think any professional, contentious developer working in the Windows environment would find this a vital addition to their bookshelf as well."
You can purchase The .NET Developer's Guide to Windows Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Do I have to?