Preventing Buffer Overflow
The code first attempts to parse the data captured from the user. The line that begins with "catch" handles the overflow exception (System.OverflowException) that .NET raises when the parsed value does not fit the target type. The remaining lines display an error message telling the user why the input has been rejected.
Security Made Easier
Security, until recently, hasn't been a primary concern for developers, who are under pressure to make sure that application features work properly and, most importantly, are delivered on schedule.
The result has been exploitable vulnerabilities, typically due to missing or improper input checking. For example, attackers can engineer a buffer overflow if the developer allocates "x" bytes of memory but never checks that the input stays within that amount: they supply more than "x" bytes, overwrite the saved return address and redirect execution to their own code. Or, if an application expects an eight-digit account number but does not enforce the length or type of the input, attackers can append a semicolon and a second SQL statement, which the database executes as part of the same batch, a SQL injection attack.
While you can write extensive error-checking code to stop this, the code can be complex, time consuming and prone to mistakes.
.NET makes it much easier to build these checks in without extra coding: the runtime bounds-checks every array access, and integer overflow checking can be switched on with a compiler setting (the C# /checked option or a checked block) instead of hand-written tests. Further, .NET will alert the programmer during compilation if no such parameters have been set (see Figure 2).
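The checks described above, written out as an added C# example (this is not the article's figure code and not part of any product; the eight-digit account-number rule, the table and column names, and the connection are assumptions chosen for illustration). It shows input validation before parsing, the catch of OverflowException that the figure describes, checked arithmetic, a bounds-checked store, and a parameterized query so that an appended semicolon can never become SQL:

```csharp
// Added example, not from the article. Assumes a hypothetical "Accounts" table
// with an integer AccountNumber column and an eight-digit account-number format.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class AccountInput
{
    // Hypothetical format rule from the article's example: exactly eight digits.
    public const int AccountNumberLength = 8;

    // Rejects anything that is not exactly eight ASCII digits, then parses it.
    // Returns null for invalid input so the caller can report why it was rejected.
    public static int? ParseAccountNumber(string raw)
    {
        if (raw == null || raw.Length != AccountNumberLength)
            return null;                       // too short or too long (blocks "12345678; DROP ...")
        foreach (char c in raw)
            if (c < '0' || c > '9')
                return null;                   // non-digit characters
        return ParseInt32(raw);
    }

    // The try/catch pattern the figure describes: Int32.Parse raises
    // OverflowException when the value is outside the int range.
    public static int? ParseInt32(string digits)
    {
        try
        {
            return int.Parse(digits, NumberStyles.None, CultureInfo.InvariantCulture);
        }
        catch (OverflowException)
        {
            return null;                       // value too large for a 32-bit integer
        }
        catch (FormatException)
        {
            return null;                       // not a plain run of digits
        }
    }

    // Checked arithmetic: the runtime throws instead of silently wrapping around,
    // which is what the /checked compiler option does for the whole assembly.
    public static int AddChecked(int a, int b)
    {
        return checked(a + b);
    }

    // The CLR bounds-checks every array access (IndexOutOfRangeException, never
    // memory corruption); an explicit check lets us fail cleanly instead.
    public static bool TryStore(byte[] buffer, int index, byte value)
    {
        if ((uint)index >= (uint)buffer.Length)
            return false;
        buffer[index] = value;
        return true;
    }

    // Parameterized query: the account number travels as a typed parameter, so
    // no part of the user's input is ever concatenated into the SQL text.
    public static SqlCommand BuildLookup(SqlConnection conn, int accountNumber)
    {
        var cmd = new SqlCommand(
            "SELECT Balance FROM Accounts WHERE AccountNumber = @acct", conn);
        cmd.Parameters.Add("@acct", SqlDbType.Int).Value = accountNumber;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample inputs: valid, injection attempt, and an oversize value.
        string[] samples = { "12345678", "12345678; DROP TABLE Accounts--", "99999999999" };
        foreach (string s in samples)
        {
            int? n = ParseAccountNumber(s);
            Console.WriteLine(n.HasValue
                ? "accepted " + n.Value
                : "rejected: account number must be exactly eight digits");
        }

        Console.WriteLine(ParseInt32("99999999999").HasValue
            ? "parsed" : "rejected: value overflows Int32");

        try { AddChecked(int.MaxValue, 1); }
        catch (OverflowException) { Console.WriteLine("checked arithmetic caught the overflow"); }

        Console.WriteLine(TryStore(new byte[4], 4, 0xFF) ? "stored" : "index 4 is out of bounds");
    }
}
```

The length and character checks run before parsing, so the injection string is rejected on length alone; even if it reached the database layer, BuildLookup passes the value as an integer parameter and the semicolon trick has nothing to attach to.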
Consider another example of how .NET makes it easy for developers to build secure code from the start: Since HTTP is stateless, e-commerce applications need session IDs and mechanisms to track state. Written by hand, this is extra work for the developer and a possible avenue for errors to be introduced; ASP.NET instead issues the session ID and maintains session state for you.
With ASP.NET, adding the attribute Trace="true" to the page directive makes the framework append the request details to the rendered page: trace information, control tree, session state, cookie collection, header collection and server variables, so the developer can verify the state handling without writing instrumentation. Because that output exposes session state, cookies and server variables to whoever requests the page, tracing belongs in development only and must be turned off, or restricted to local requests, before deployment.
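The production setting that closes that exposure, as an added web.config fragment (not from the article; the element and attribute names are ASP.NET's own, the values are the ones a deployed site should carry):

```xml
<!-- Added example, not from the article. Site-wide trace settings for a deployed
     ASP.NET application. -->
<configuration>
  <system.web>
    <!-- enabled="false" turns tracing off for every page, overriding nothing a page
         sets to Trace="true" only if the page directive is also removed, so clear
         both. localOnly="true" limits any trace output to requests from the server
         itself; pageOutput="false" keeps trace data out of the rendered page and
         confines it to the trace.axd handler. -->
    <trace enabled="false" localOnly="true" pageOutput="false" />
  </system.web>
</configuration>
```

A page-level Trace="true" in the @ Page directive still overrides this for that page, so a pre-deployment check should grep the .aspx files for the attribute as well as reviewing web.config.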
There is, of course, much more to .NET security. Among its other strengths are built-in features to implement cryptography for both data at rest and data in transit.
But, while .NET provides the framework for strong and deep security on the Web, corporate policies and practices, not robust tools, are the keys to bulletproofing Web apps. If you make embedded security policies and testing part of your development workflow, .NET will reward your efforts.
This was first published in May 2006