Up DevForce development

Secure

Last modified on August 15, 2012 17:20

Every application, whether a 2-tier or n-tier desktop application used only within an organization or an ASP.NET or Silverlight application accessible across the internet, must consider its threat exposure.  

Consider the following:

  • Any client-side code, including Silverlight applications, can be easily disassembled (e.g., using Reflector or Silverlight Spy)
  • All messages to and from a server can be easily intercepted and monitored (e.g., using Fiddler)

If we assume that both the client and the transport are exposed and can be compromised, then we need to consider the risks to the application, its users, and the organization.  Does your application contain sensitive information which should be restricted to certain users?  Does it contain personal information such as an individual's health record or financial data?  Are only paid users allowed access?  If guest users are permitted, what data and operations can they access?

Silverlight applications have additional challenges.  Because it’s often used to create public-facing applications, Silverlight is inherently more dangerous than in-house applications that run behind a firewall or over a VPN.  Will your Silverlight application run out-of-the-browser?  Will it use Isolated Storage?  Will it access services on other domains? 

As a developer you must ask all these questions, and many more, as you build and secure your application.  In the following sections we'll look at how DevForce can help in authenticating and authorizing users, and other actions you can take to build a secure application.

In the following topics we'll discuss various aspects of securing your application:

  • Authentication - the process of validating a user's identity
  • Authorization - how to ensure the user accesses only the information allowed
  • Additional steps - additional steps you can take in locking down your application

Additional Resources

Since we can't cover every aspect of security here, we encourage you to learn more about this topic.  Here are a few links to get started:

  • Silverlight Security MSDN article
  • Ward Bell's DevConnections 2010 slides on Silverlight security
  • See just how easy it is to eavesdrop on HTTPS traffic with Fiddler
Tags: Security
Created by DevForce on February 08, 2011 12:08

This wiki is licensed under a Creative Commons 2.0 license. XWiki Enterprise 3.2 - Documentation. Copyright © 2015 IdeaBlade