.NET Security

First chapter starts off with a introduction to Cryptography, good for
someone who is just starting off learning about cryptography, a good
refresher for others who already know about the basics of cryptography.
Second chapter then goes on to talk about how the various cryptography
classes have been implemented in the .NET framework and how they can be
used. They talk about both symmetric and asymetric algorithms, Random Number
Generation, Hashing etc. They even mention Salting, something that's not
very well documented.
Third chapter talks about Xml Encryption and including Digital Signatures in
Xml Documents, this specification was so new when .NET came out that I was
surprised to see the Xml Signature implementation in the System.Security
namespace, the downside though as a result was very little documentation,
not any more though, the third chapter talks about everything one needs to
know about Xml Encryption and Signatures in detail.
The fourth chapters goes into a good amount of detail on Code Access
Security. The authors show a good mix of managing security using both code
and also using the Control Panel utilities. They go on to write and deploy
their
own permission class.
The rest of the book talks about Security when using Remoting and also Role
Based Security, in short they talk about
security considerations in every kind of scenario. The chapters on ASP.NET
security and MS Passport were not that useful to me though since those
topics have pretty much been beaten to death by every ASP.NET book out
there. Oh yes the last chapter on the risks of decompiling .NET assemblies
and suggestions on how to mitigate that was a good read.
APress seems to have developed a knack for publishing books that are thin
and to the point, this one is no exception, I'd give this book an 8 on 10. I
would've given it a higher rating if it would've talked about the
AllowPartiallyTrustedCallersAttribute, I think a discussion of CAS is
incomplete without the mention of this attribute.

Other books out there that cover Security in .NET are the following
1. .NET Framework Security(

http://www.amazon.com/exec/obidos/ASIN/067232184X/ ). I saw the table of
contents for this book, it pretty much covered everything this book covers,
this book was a whole lot thicker though, so I did thumb thru it at [a local store], thought the first 3 chapters or so were useless as they talked about
security risks, thought that was pointless since I know pretty much what the
risks are hence I am reading about security :), thought the .NET Security book by APress book
covered pretty much everything that this book has and in a more concise way...

Rating:
Summary: A terse introduction only...
Review: I bought this book in hopes it would add to the excellent information in the book ".NET Framework Security".

Alas, the book's various topics are only given lip service.

If you're looking for a hard core analysis of code access security, only buy this as a secondary reference.

Rating:
Summary: Unfortunately, only good for a solid overview
Review: It covered all the topics you would expect, but it is mostly a just a good overview of .NET security. I expected more in-depth coverage for a book titled as such. It has only a very brief overview of encryption algorithms without enough real world examples in my opinion, being an advanced .NET programmer but new to the issue of security.

The book is actually quite thin compared to its competition, so that should have tipped me off. You could go through it in a couple of days, but the price doesn't reflect that. I was really impressed with the .NET Programming with C# book from the same (small) publisher, so I was really hoping for a lot more. Consider the table of contents and decide for yourself whether this books warrants a purchase. It's a reasonably new topic of course so there are only a few other choices out there right now.

Rating:
Summary: Unfortunately, only good for a solid overview
Review: This is a very good book for anyone new to .NET and or security. The .NET documentation is missing in several areaas and this book helps fill in the gaps that the docs have in security. But this book IS NOT a regurgitation of what I can find in the docs. It is new material

The first couple of chapters make it very clear how to do encryption with .NET. This is the first time I have seen an explanation for what the IV key is for in the encryption algorithms.

I was pleasantly surprised to see the discussion in chapter 3 about XML encryption. The standards for this are just coming into scope and this chapter does a nice job of describing what is happening in this space.

Code access security is a tught topic to cover in a short chaptyer but the authors do a good job. Again, there is a lot of hype about code access security but you have to look hard to find any real information about it. While I don't have to worry about this right now, this chapter gave me a good understanding of what is possible and how to do it.

I also found the last chapters on remoting and ASP.NET interesting and learned a few things in each chaptyer.

Is this book a 'cover everything including the kitchen sink' refernce? No. But it is a very good book for anyone who wants a good, solid introduction to the capabilities of .NET security and cryptography. And for me, that is important! Give me information that I can use and work with now. Not more reference material that I need to digest and sort through.

Rating:
Summary: A Good Starting Book
Review: This is a very good book for anyone new to .NET and or security. The .NET documentation is missing in several areaas and this book helps fill in the gaps that the docs have in security. But this book IS NOT a regurgitation of what I can find in the docs. It is new material

The first couple of chapters make it very clear how to do encryption with .NET. This is the first time I have seen an explanation for what the IV key is for in the encryption algorithms.

I was pleasantly surprised to see the discussion in chapter 3 about XML encryption. The standards for this are just coming into scope and this chapter does a nice job of describing what is happening in this space.

Code access security is a tught topic to cover in a short chaptyer but the authors do a good job. Again, there is a lot of hype about code access security but you have to look hard to find any real information about it. While I don't have to worry about this right now, this chapter gave me a good understanding of what is possible and how to do it.

I also found the last chapters on remoting and ASP.NET interesting and learned a few things in each chaptyer.

Is this book a 'cover everything including the kitchen sink' refernce? No. But it is a very good book for anyone who wants a good, solid introduction to the capabilities of .NET security and cryptography. And for me, that is important! Give me information that I can use and work with now. Not more reference material that I need to digest and sort through.