I've heard that .NET is not very secure. Should I be concerned?
I'm tempted to stick my neck out for Microsoft and proclaim that .NET is totally secure. But you and I (and Microsoft) know that this is unrealistic. Despite Larry Ellison's claims that Oracle is 100%, without a doubt secure, no software is completely immune to some form of attack. A great book that provides an overview of the various and sundry forms that malicious attacks can take is "Secrets and Lies: Digital Security in a Networked World" by Bruce Schneier.
So, first of all, it depends on what you mean by "secure". Do the security mechanisms inside .NET allow developers to write applications that ensure the authenticity of code that it comes from a trusted source? Absolutely. Are there authorization and authentication mechanisms baked into .NET? Sure are. Does it force developers to lazily ignore these mechanisms and write un-secure applications? You bet. Microsoft is going to begin a campaign in 2002 that will be targeted at teaching developers how to take advantage of the new security features in .NET. On January 16th, Bill Gates sent a letter to each of Microsoft's 47,000 employees outlining a new company wide strategy called "Trustworthy Computing". To quote the memo: "If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing..." So it sounds like Microsoft got the Security Religion. Stay tuned ...
By the way, it is interesting to note that a report of a virus called W32/Donut popped up January 9th. Plenty of Microsoft-bashed Microsoft, including industry pundits and "experts". Then, it was discovered that this is not a virus that is a result of .NET, but rather is an existing flaw in Windows security that happens to infect .NET files. Tony Goodhew, product manager for the .NET Framework said the following on January 10th: "This is not a .NET virus. It's a Windows virus that infects .NET files ...It's not running in the .NET Framework as managed code. It's not finding some hole in the security model and exploiting it."
Should you be concerned? When it comes to security, I think all developers and organizations should have a high degree of concern about security. Should you be OVERLY concerned to the point where you don't benefit from all that .NET offers? Absolutely not. Just educate yourself on how to implement the security features that best apply to your organization.
Dig Deeper on Topics Archive
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.