Tome Time
The Best Security Books for Windows and .NET Development
October 30, 2009
SecureASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: ALL
By Don Kiely
Despite the advances that Microsoft has made over the last few years making Windows more secure, developing secure apps is still really, really hard. Even though the development tools now have built-in features that supposedly make it easier to write secure apps by default, there are still plenty of ways to make bad design and implementation decisions that unnecessarily expose servers and users to risks. Developers these days can use all the help they can get.
I recently asked my fellow Visual Developer - Security MVPs to suggest the very best Windows and .NET security books. That led to a rather interesting discussion, and I got plenty of good suggestions of the good, the bad, and the ugly. I took those suggestions and combined them with my own. The result is the following list. I've listed them from most general to most targeted, which suggests a good order for reading them to learn about computer security before drilling down into specific development technologies.
Depending on your particular areas of interest, reading these books and having them available for reference will go a long ways toward helping you write secure Windows, .NET, and ASP.NET applications.
Let me know at mailto:[email protected] if I've missed any good ones!
General Security Topics
Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, and George Kurtz
Osborne, ISBN 0072260815 (http://www.amazon.com/exec/obidos/ASIN/0072260815/general0c-20)
If you don't have a good handle on how attackers devise their clever ways to probe and hack into an operating system, Hacking Exposed is a great way to start learning how a computer hacker thinks. You'll want to read this book at a computer where you can try things as you read in order to get the most out of the book. After a few chapters that discuss strategies for probing a system to identify it and find its weaknesses, the book explores some of the specifics of hacking into various operating systems, networks, and software.
Windows Security and Development
Writing Secure Code, 2nd Edition by Michael Howard and David LeBlanc
Microsoft Press, ISBN 0735617228 (http://www.amazon.com/exec/obidos/ASIN/0735617228/general0c-20)
It should be illegal to write Windows code for any kind of application without first having read, studied, and digested this book. The book was written by the two people most responsible for security initiatives throughout the company. Writing Secure Code is well-written with a good balance of theory and practical applications.
The .NET Developer's Guide to Windows Security by Keith Brown
Addison-Wesley, ISBN 0321228359 (http://www.amazon.com/exec/obidos/ASIN/0321228359/general0c-20)
Despite the .NET in the title, this is really more a book about Windows security than the security features built into .NET. Written prior to the release of .NET 2.0, it covers a good range of Windows security topics as short, easily digestible essays. The author has a gift of explaining complex topics and has filled the book with useful how-tos and various ways of coping with Windows security from .NET applications.
Programming Windows Security by Keith Brown
Addison-Wesley, ISBN 0201604426 (http://www.amazon.com/exec/obidos/ASIN/0201604426/general0c-20)
Although this book was written for Windows 2000, and is getting a bit dated, it is still the best book for learning about the fundamentals of modern Windows security programming. It isn't for the faint of heart however, both because it is intensively dense at times and most of the samples are written using C or C++. But even if you don't want to slog through the whole thing, it can function as a fine reference for when you bump up against a seemingly impossible security issue in Windows. This book goes into more depth than the author's The .NET Developer's Guide to Windows Security, so if you only want to read one I'd suggest the Developer's Guide.
.NET Security
MCAD/MCSD Self-Paced Training Kit: Implementing Security for Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET by Anthony Northrup
Microsoft Press, ISBN 0735621217 (http://www.amazon.com/exec/obidos/ASIN/0735621217/general0c-20)
I usually think of books written to help pass certification exams as poor references for really learning the material, but this one is a nice reference for .NET security stuff. And it wouldn't hurt to think about taking the exam!
Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow
Wrox, ISBN 0764596985 (http://www.amazon.com/exec/obidos/ASIN/0764596985/general0c-20)
This is one book that I'd be scared to develop real-world ASP.NET apps without. Written by a member of the ASP.NET team at Microsoft, it covers just about everything you need to know about ASP.NET security, and not just the cool foundational features listed in the title. It covers a lot of interesting and useful ground in its 600 pages.
Programming .NET Security by Adam Freeman and Allen Jones
O'Reilly, ISBN 0596004427 (http://www.amazon.com/exec/obidos/ASIN/0596004427/general0c-20)
This is one of the best overviews of .NET security. The only downside is that it was written for version 1.x of the framework and hasn't, to my knowledge, been updated for .NET 2.0. Nevertheless, it is a great resource for .NET security.
.NET Framework Security by Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, and Kevin T. Price
Addison Wesley, ISBN 067232184X (http://www.amazon.com/exec/obidos/ASIN/067232184X/general0c-20)
This book is a bit inconsistent, but it has some of the best material around covering code access security. CAS is one of the tougher features of .NET for developers to get, so even though the rest of the book is inconsistent, the CAS stuff makes it worthwhile.
Hacking the Code: ASP.NET Web Application Security by Mark Burnett
Syngress, ISBN 1932266658 (http://www.amazon.com/exec/obidos/ASIN/1932266658/general0c-20)
I haven't read this one yet, but it comes highly recommended by some of the MVPs. It's on its way from http://www.Bookpool.com, so I'll write more when I receive it.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.