C# Coding Standard, .NET 2.0 Edition (Part 7): Security Coding Guidelines
风语者 · 2005-08-22 · via 博客园 - 风语者

1.Always demand your own strong name on assemblies and components that are private to the application but expose public types, so that only code signed with your key can call them:

public class PublicKeys
{
   public const string MyCompany = "1234567894800000940000000602000000240000"+
                                   "52534131000400000100010007D1FA57C4AED9F0"+
                                   "A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C83"+
                                   "4C99921EB23BE79AD9D5DCC1DD9AD23613210290"+
                                   "0B723CF980957FC4E177108FC607774F29E8320E"+
                                   "92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99"+
                                   "285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF"+
                                   "0FC4963D261C8A12436518206DC093344D5AD293";
}

[StrongNameIdentityPermission(SecurityAction.LinkDemand,
                              PublicKey = PublicKeys.MyCompany)]
public class MyClass
{...}

2.Apply encryption and security protection on application configuration files.
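As an added example (not part of the original standard), this is what item 2 looks like with the .NET 2.0 protected-configuration API: one section of the application's own .exe.config is encrypted in place, and the file's DACL is tightened so that only the accounts that need the file can read it at all. The connectionStrings section and the two provider names are the standard ones; the service account and the ConfigProtector class are assumptions made for the example.

```csharp
using System;
using System.Configuration;              // reference System.Configuration.dll
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ConfigProtector
{
    // Encrypt <sectionName> of this process's .exe.config in place.
    // DataProtectionConfigurationProvider wraps DPAPI with the machine key by
    // default: any process on this machine can decrypt it (hence the ACL below),
    // nothing off-machine can, and ConfigurationManager decrypts transparently
    // on read, so call sites do not change. Use RsaProtectedConfigurationProvider
    // when the same file must be readable on several machines (export/import
    // the RSA key container). Returns false if the section was already protected.
    public static bool ProtectSection(string sectionName, string providerName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;   // persist even if no value changed
        config.Save(ConfigurationSaveMode.Full);
        return true;
    }

    // Reverse operation, e.g. before editing the plaintext in a deployment tool.
    public static void UnprotectSection(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Full);
        }
    }

    // Encryption protects the values; the DACL protects the file. Drop the
    // inherited ACEs (typically Users: Read) and grant only the account the
    // application runs as plus local administrators.
    public static void RestrictConfigFile(string configPath, string serviceAccount)
    {
        FileSecurity acl = File.GetAccessControl(configPath);
        acl.SetAccessRuleProtection(true, false);   // stop inheriting, discard inherited rules
        acl.AddAccessRule(new FileSystemAccessRule(
            serviceAccount, FileSystemRights.Read, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            FileSystemRights.FullControl, AccessControlType.Allow));
        File.SetAccessControl(configPath, acl);
    }

    static void Main()
    {
        // Assumed for the example: the application runs under this account.
        string serviceAccount = @"NT AUTHORITY\NETWORK SERVICE";

        if (ProtectSection("connectionStrings", "DataProtectionConfigurationProvider"))
            Console.WriteLine("connectionStrings section encrypted");

        string configPath = ConfigurationManager
            .OpenExeConfiguration(ConfigurationUserLevel.None).FilePath;
        RestrictConfigFile(configPath, serviceAccount);

        // Reads are unchanged: the runtime decrypts the section on access.
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
            Console.WriteLine("{0}: {1}", cs.Name, cs.ConnectionString);
    }
}
```

Run this once at install time under an account that may write the DACL; the same effect for a web application is obtained with `aspnet_regiis -pe`, which uses the same providers. Either way, treat the DPAPI machine key as "anyone on this box", which is why the ACL step is not optional.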

3.When importing an interop method, assert unmanaged code permission and demand the permission that actually describes the operation in its place:

using System;
using System.Runtime.InteropServices;
using System.Security.Permissions;

public static class MessageBoxWrapper
{
   [DllImport("user32", EntryPoint = "MessageBoxA")]
   private static extern int Show(IntPtr handle, string text, string caption, int msgType);

   // The Assert lets partially trusted callers reach the P/Invoke; the Demand
   // makes sure they hold the UI permission the call really needs.
   [SecurityPermission(SecurityAction.Assert, UnmanagedCode = true)]
   [UIPermission(SecurityAction.Demand, Window = UIPermissionWindow.SafeTopLevelWindows)]
   public static void Show(string text, string caption)
   {
      Show(IntPtr.Zero, text, caption, 0);
   }
}

4.Do not suppress the unmanaged code security check with the SuppressUnmanagedCodeSecurity attribute.

5.Do not use the /unsafe switch of TlbImp.exe. Wrap the RCW in managed code so that you can assert and demand permissions declaratively on the wrapper.

6.On server machines, deploy a code access security policy that grants only Microsoft, ECMA, and self (identified by a strong name) full trust. Code originating from anywhere else is implicitly granted nothing.

7.On client machines, deploy a security policy that grants the client application only the permissions to execute, to call back the server, and potentially to display a user interface. When not using ClickOnce, the client application should be identified by a strong name in the code groups.
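Items 6 and 7 describe policy an administrator would normally deploy with caspol.exe. The following added example (not from the original standard) does the same through the System.Security.Policy API, which is what a setup program would use: the server variant sets every zone-based code group to Nothing while leaving the Microsoft_Strong_Name and ECMA_Strong_Name groups (children of the MyComputer zone group) in place and adding the application's own strong name; the client variant builds a named permission set with just Execution, Connect to the server, and safe top-level windows, and grants it to assemblies signed with the client's key. It runs only on .NET Framework 2.0/3.5 with CAS policy enabled (SecurityManager.PolicyHierarchy throws NotSupportedException on .NET Framework 4 unless legacy policy is switched on, and CAS policy does not exist on .NET Core / .NET 5+), and must run elevated. The CasPolicyDeployer class, the group names and the server URL pattern are assumptions for the example.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using System.Text.RegularExpressions;

static class CasPolicyDeployer
{
    // Per-host policy lives at the Machine level; Enterprise and User levels
    // default to FullTrust for all code and are intersected with it.
    static PolicyLevel MachineLevel()
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == "Machine") return level;
        }
        throw new InvalidOperationException("no Machine policy level found");
    }

    static CodeGroup StrongNameGroup(byte[] publicKey, PermissionSet grant, string name)
    {
        // null name and version: match every assembly signed with this key
        StrongNameMembershipCondition cond = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(publicKey), null, null);
        CodeGroup group = new UnionCodeGroup(cond, new PolicyStatement(grant));
        group.Name = name;
        return group;
    }

    // Item 6 (server): zone groups get Nothing; the Microsoft and ECMA
    // strong-name children of the MyComputer group are untouched and still
    // union FullTrust in; our own strong name is granted FullTrust beside them.
    public static void DeployServerPolicy(byte[] ourPublicKey)
    {
        PolicyLevel machine = MachineLevel();
        PermissionSet nothing = machine.GetNamedPermissionSet("Nothing");
        PermissionSet fullTrust = machine.GetNamedPermissionSet("FullTrust");

        CodeGroup root = machine.RootCodeGroup;      // the getter hands out a copy
        IList children = root.Children;               // likewise a copy
        foreach (CodeGroup group in children)
        {
            if (group.MembershipCondition is ZoneMembershipCondition)
                group.PolicyStatement = new PolicyStatement(nothing);
        }
        root.Children = children;                     // store the modified copies
        root.AddChild(StrongNameGroup(ourPublicKey, fullTrust, "Self_Strong_Name"));

        machine.RootCodeGroup = root;                 // write the tree back
        SecurityManager.SavePolicyLevel(machine);
    }

    // Item 7 (client): execute, call back the server, show safe UI; nothing else.
    public static void DeployClientPolicy(byte[] clientPublicKey, Regex serverUrlPattern)
    {
        PolicyLevel machine = MachineLevel();
        NamedPermissionSet clientSet = new NamedPermissionSet("ClientApp", PermissionState.None);
        clientSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        clientSet.AddPermission(new WebPermission(NetworkAccess.Connect, serverUrlPattern));
        clientSet.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows));
        if (machine.GetNamedPermissionSet(clientSet.Name) == null)
            machine.AddNamedPermissionSet(clientSet);

        CodeGroup root = machine.RootCodeGroup;
        root.AddChild(StrongNameGroup(clientPublicKey, clientSet, "ClientApp_Strong_Name"));
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicyLevel(machine);
    }

    static void Main(string[] args)
    {
        // Assumed: this assembly is signed with the company key (item 1).
        byte[] key = typeof(CasPolicyDeployer).Assembly.GetName().GetPublicKey();
        if (key == null || key.Length == 0)
            throw new InvalidOperationException("deployer assembly is not strong-named");

        if (args.Length > 0 && args[0] == "client")
            DeployClientPolicy(key, new Regex(@"^https?://server\.example\.com/.*"));  // hypothetical server
        else
            DeployServerPolicy(key);
    }
}
```

Because policy is evaluated level by level and the result intersected, a FullTrust grant at the Machine level still cannot exceed what the Enterprise and User levels allow; conversely, code that matches only the root All_Code group now receives the Nothing set and fails to load, which is exactly the "implicitly granted nothing" behaviour item 6 asks for.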

8.To counter a luring attack, always refuse at the assembly level all permissions not required to perform the task at hand:

[assembly:UIPermission(SecurityAction.RequestRefuse,
                       Window=UIPermissionWindow.AllWindows)]

9.Always set the principal policy to WindowsPrincipal in every Main( ) method:

using System;
using System.Security.Principal;

public class MyClass
{
   static void Main( )
   {
      // Without this the default is UnauthenticatedPrincipal, and role-based
      // demands (PrincipalPermission) have no Windows identity to check against.
      AppDomain currentDomain = AppDomain.CurrentDomain;
      currentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
   }
   //other methods
}

10.Never assert a permission without demanding a different permission in its place.
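Items 9 and 10 fit together, so here is one added example (not part of the original standard) covering both, in the imperative form the page does not show: a helper asserts a narrow FileIOPermission for a single fixed file, reverts the assert in a finally block, and in its place demands a different permission, an authenticated caller, which only succeeds once Main has set the principal policy to WindowsPrincipal. The AuditLog class and the log path are hypothetical; the asserting assembly must itself hold the FileIOPermission and the Assertion flag (true under FullTrust), and on .NET Framework 4 and later the CAS part is no longer enforced.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class AuditLog
{
    // Hypothetical fixed location: the Assert below covers this one file only,
    // never a caller-supplied path.
    static readonly string LogPath = Path.Combine(Path.GetTempPath(), "myapp-audit.log");

    // Item 10: the Assert (FileIOPermission, Append, one path) is paired with a
    // Demand for something different (an authenticated principal), so a
    // partially trusted or anonymous caller cannot use this method as a conduit
    // to the file system.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public static void Append(string entry)
    {
        if (entry == null) throw new ArgumentNullException("entry");
        // one record per line: strip line breaks so a caller cannot forge entries
        string line = DateTime.UtcNow.ToString("o") + " " +
                      Thread.CurrentPrincipal.Identity.Name + " " +
                      entry.Replace("\r", " ").Replace("\n", " ") + Environment.NewLine;

        FileIOPermission perm = new FileIOPermission(FileIOPermissionAccess.Append, LogPath);
        perm.Assert();                         // stack walk for this path stops here
        try
        {
            File.AppendAllText(LogPath, line);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();   // never leave an Assert in effect
        }
    }

    static void Main()
    {
        // Item 9: without this, Thread.CurrentPrincipal is an unauthenticated
        // GenericPrincipal and the Authenticated = true demand above throws
        // SecurityException for every caller.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        Append("application started");
        Console.WriteLine("wrote " + LogPath);
    }
}
```

The declarative form in item 3 and the imperative form here are equivalent in effect; the imperative form is preferable when the asserted permission depends on runtime data (a path, a registry key), because the Assert can then be scoped to exactly that resource instead of a whole permission class.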