C# Specific Security Recommendations


This is not an exhaustive list of potential security problems. It highlights some common issues for C# developers.

  • Use the checked keyword to control the overflow-checking context for integral-type arithmetic operations and conversions.
  • Always use the most restrictive data type for parameters. For example, when you pass a value to a method that describes the size of a data structure, use an unsigned integer rather than a signed integer.
  • Do not make decisions based on file names. File names can be expressed in many different ways, and your test for a particular file may be bypassed.
  • Never, ever hardcode passwords or other sensitive information into your application.
  • Always validate input that is used to generate SQL queries.
  • Validate all inputs into your methods. The regular expression methods in the System.Text.RegularExpressions namespace are useful for confirming that input is of the correct form, such as an e-mail address.
  • Do not display exception information: it provides any would-be attacker with valuable clues.
  • Ensure that your application works while running with the least possible permissions. Few applications require that a user be logged in as an administrator.
  • Do not use your own encryption algorithms. Use the System.Security.Cryptography classes.
  • Give your assemblies strong names.
  • Do not store sensitive information in XML or other configuration files.
  • Check managed code that wraps native code carefully. Confirm that the native code is secure.
  • Use caution when you use delegates passed from outside your application.
  • Run the Visual Studio code analysis tool on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. This tool can also find and warn against over 200 code defects. For more information, see Detecting and Correcting Managed Code Defects.
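
The first recommendation in practice, as an added example that is not part of the original post: a size computation that wraps silently in an unchecked context and is rejected in a checked one, plus a checked narrowing conversion. The class name, method names and sample values are constructed for illustration.

```csharp
using System;

static class CheckedSizeDemo
{
    // Unchecked context: an overflowing multiplication wraps around silently.
    static int UncheckedByteCount(int count, int elementSize)
    {
        return unchecked(count * elementSize);
    }

    // Checked context: overflow raises OverflowException instead of wrapping.
    static int CheckedByteCount(int count, int elementSize)
    {
        if (count < 0) throw new ArgumentOutOfRangeException(nameof(count));
        if (elementSize <= 0) throw new ArgumentOutOfRangeException(nameof(elementSize));
        return checked(count * elementSize);
    }

    // checked also guards explicit narrowing conversions.
    static ushort ToLengthField(long length)
    {
        return checked((ushort)length);
    }

    static void Main()
    {
        // Constructed input: the true product exceeds int.MaxValue.
        int count = 0x40000001, elementSize = 4;

        // A caller that allocates this many bytes gets a buffer far too small.
        Console.WriteLine("unchecked: " + UncheckedByteCount(count, elementSize));

        try
        {
            Console.WriteLine("checked: " + CheckedByteCount(count, elementSize));
        }
        catch (OverflowException)
        {
            Console.WriteLine("checked: rejected, size computation overflowed");
        }

        try
        {
            Console.WriteLine("length field: " + ToLengthField(70000));
        }
        catch (OverflowException)
        {
            Console.WriteLine("length field: rejected, value does not fit in 16 bits");
        }
    }
}
```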