.NET Framework Security

If you really want to know all there is to know about code access security, this is the book for you.

This is *not* for beginners.

Rating:
Summary: Good material on CAS, TERRIBLE material on ASP.NET Security
Review: Four of the authors do a reasonably good job explaining the whole concept of CAS. At times, they seem to be repeating themselves, but the result is that you cannot walk away without understanding what they wanted you to understand because of this repetition.

The downside of this book is the material by Kevin T. Price. They delegated the ASP.NET/Web security to him. Much of his work is a cut and paste of the SDK docs. For his examples, he uses the grid layout of ASP.NET, which makes the declarative code completely unreadable. He leaves in all of the code generated by Visual Studio.NET, despite its irrelevance. He spends a great deal of time discussing IIS configuration, which you might argue is not relevant to the subject matter at hand (this should be a very specialized book, and it is everywhere else). He refers us to a code download on the Sam's website - unfortunately, Sam's is not the publisher of this book. He puts in some sample JSP code for no apparent reason, apparently to teach us about diversity in the web environment. When you buy a book on .NET Framework Security, it is probably because you are interested in .NET, and not because you are interested in the web development ecosystem. Finally, his grand finale chapter is on writing a secure web application. All he manages to achieve here is to create a forms auth login page. Even more troubling is the fact that this sample - in a book on *security* - has a glaring SQL Injection Vulnerability. The one thing he creates is completely and disturbingly wrong.

Web developers who buy this book to write more secure applications are likely to end up writing even worse applications by implementing his ideas.

Read this book if you want to learn about CAS. Do not stop at this book if you actually need to write secure web applications - in fact, don't even start here. You're better off sticking with the PAG materials.

Rating:
Summary: This is the book you're looking for.
Review: It's probably not going to make your in-laws love you, but it is the right book for .Net. Like all things digital, .Net programming has already resulted in a number of books, mostly of shoddy quality. This book, however, written by the folks who ought to know (Sebastian Lange and company), is the best place to start, and until they update it, the best place to stay.

But it won't make your in-laws love you.

Rating:
Summary: The definite security reference for .NET applications
Review: Make no mistake,as you will get your hands wet programming Micrsosoft's "managed code" (C#, VB or ASP.NET apps), you will eventually encounter the all pervasive and extensive security system that is integrated in .Net.
This book is the definite security reference and guide to the new programming platform that Micrsosoft has shipped - and the only book of its kind on the market as far as I can see. It has been written by the people who have designed and implemented the security features and infrastructure in the .NET Framework that ASP.NET, C#, VB or Managed C++ applications run on.
Its stuffed with sample code and hands-on tips, and comes with extensive sections geared specifically towards developers and admins. Chapters are well contained and you get the kind of insider information only the people who have actually build and designed the system would be able to give you.
800 plus pages of security information for the Amazon price is quite a good bang for the buck,so I highly recommend this book as I think it will be a good learning aid in trying to understand .NEt security and remain valuable as a reference work afterwards.

Rating:
Summary: A dictionary of .Net security terms
Review: The book is organized like a dictionary of .Net security terms. It failed to convey the cohesiveness of the security modules. The code fragments are littered like pieces of puzzle that the authors are expected to thread together, but did not.

I didn't find the class API listing useful without implementation context to associate their usage to. Furthermore, the book lacked good editing. It's frustrating to read dangled sentence fragments interwined with code fragments.

The book does not worth its weight. Waste your hard earned money on this book if you believe in you have a telepathy connection to the authors.

Rating:
Summary: Very poor on some topics
Review: This book covers some topics such as code access security really well but others like ASP.NET security really badly.

The ASP.NET section is almost useless - so few pages and so little information.

It would have been better if the book had been called .NET code access security and didn't bother with the other stuff.

Rating:
Summary: A great starting point
Review: This book is an excellent starting point for understanding the .NET framework security mechanisms. Especially code access security.

Its only real failings are the lack of depth in a few obscure areas (details around simulating permissions that might be granted to an app deployed via the Internet and hosted in IE).

You could glean most of this information from the internet and spend a month doing it, like I did. Or spend $$$ and few hours reading this well written book.

Rating:
Summary: A great starting point
Review: This book is an excellent starting point for understanding the .NET framework security mechanisms. Especially code access security.

Its only real failings are the lack of depth in a few obscure areas (details around simulating permissions that might be granted to an app deployed via the Internet and hosted in IE).

You could glean most of this information from the internet and spend a month doing it, like I did. Or spend $$$ and few hours reading this well written book.

Rating:
Summary: A dictionary of .Net security terms
Review: This book was great. It did not just scratch the surface like most books, but it went into depth where it was needed. This is the book to have for .NET Security.