The following articles cover various aspects of application security
and data protection:
- Building Secure ASP.NET Applications
One of the most comprehensive and well-written publications about .NET security.
It includes a lot of helpful information, case-specific recommendations, and code samples.
Even though this document is primarily about ASP.NET,
many topics also apply to other types of applications.
This document is also available in the
- Expert Tips for Finding Security Defects in Your Code
In this MSDN Magazine article, Michael Howard describes best practices
that can help application developers track down potential security loopholes.
- Application Code Security
Although we try to avoid references to PowerPoint presentations,
this one is worth mentioning.
In this presentation, Gabriel Torok covers several security-related issues
including intellectual property protection, obfuscation, security practices, and others.
The presentation should be easy to follow without listening to the speaker.
Storing connection strings and other secrets
- How to Store Secrets on a Machine
Keith Brown discusses challenges and approaches to data protection.
- Employ Strong Encryption in Your Apps with Our CryptoUtility Component
In this article, Michael Stuart and J Sawyer discuss issues and pitfalls related to cryptography and key protection.
It also offers a handy encryption utility.
- Storing Your Secret Data in Windows
An article by Michael Howard describing several techniques
that can be used to store sensitive information in Windows®.
- Securing SQL Connection String
This paper was written by Dmitry Dessiatnikov and is available from
the GIAC (Global Information Assurance Certification) practical repository
at SANS Institute. The paper summarizes different options that can be used to protect
SQL connection strings.
- Safeguard Database Connection Strings and Other Sensitive Settings in Your
In this MSDN Magazine article, Alek Davis explains the fundamentals of data
protection and compares a variety of techniques that can be used to protect
sensitive application data. It provides an assessment of such
techniques and technologies as data hiding, Local Security Authority (LSA) API,
and Data Protection API (DPAPI). It also covers such topics as symmetric-key
encryption, hashing, and protection of encryption keys.
- How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
These articles explain how to use the protected configuration providers and
the Aspnet_regiis.exe tool to encrypt sections of configuration files.
- ASP.NET: Connection Strings
An article by Steven Smith
that discusses different options for storing connection strings used by ASP.NET applications.
- Data Access Security
A very informative chapter from the "Building Secure ASP.NET Applications"
publication mentioned above.
Check the topic "Storing Database Connection Strings Securely";
it includes a very good description of the Data Protection API (DPAPI)
and other data protection technologies.
- CONFIG Files, XCOPY, and Security
This article explains security implications relevant to storing sensitive
settings of applications distributed via XCOPY deployment.
Code obfuscation is a technology that makes .NET application binaries harder to decompile.
If you want to protect your .NET application from reverse engineering,
you may consider obfuscation. Different aspects of code obfuscation are covered in
the following online articles:
How to Calculate the Size of Encrypted Data?
This article provides the formulas you can use and
explains the issues you need to consider when
estimating the size of encrypted (or hashed) data.
It also gives a brief overview of several basic cryptographic concepts.