.NET Framework 1.1 Security Guidelines
From Guidance Share
- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Assembly Design Considerations
- Identify privileged code
- Identify the trust level of your target environment
- Sandbox highly privileged code
- Design your public interface
Class Design Considerations
- Restrict class and member visibility
- Seal non-base classes
- Restrict which users can call your code
- Expose fields using properties
Cryptography
- Use platform-provided cryptographic services
- Generate random keys
- Use PasswordDeriveBytes for password-based encryption
- Prefer large keys
- Use DPAPI to avoid key management
- Do not store keys in code
- Restrict access to persisted keys
- Cycle keys periodically
- Key Compromise
Delegates
Exception Management
- Use structured exception handling
- Do not log sensitive data
- Do not reveal system or sensitive application information
- Consider exception filter issues
- Consider an exception management framework
File I/O
- Avoid untrusted input for file names
- Do not trust environment variables
- Validate input filenames
- Constrain file I/O within your application's context
Obfuscation
Reflection
Registry
Serialization
Strong Names
Threading
- Do not cache the results of security checks
- Consider impersonation tokens
- Synchronize static class constructors
- Synchronize Dispose methods