-
Web Application Authentication
Last updated: Wednesday, January 8, 2025
Published in: CODE Magazine: 2023 - November/December
Sahil takes a look at web app authentication in OIDC. Read a good, quick synopsis of OIDC: tokens, endpoints, and grants.
-
Top Azure Active Directory Mistakes
Last updated: Wednesday, January 8, 2025
Published in: CODE Magazine: 2023 - September/October
Sahil examines some of the most common mistakes and misunderstood concepts that cause insecure applications in Azure Active Directory (Entra ID, if you are on board with the new name for the product). The protocols he covers are portable to any identity platform. Common mistakes and misunderstood concepts include: redirect URIs in identity protocols, mixing different types of OpenID Connect (OIDC) flows in a single app, managing client secrets, managed identities, and understanding token validation.
-
Cryptography
Last updated: Wednesday, January 8, 2025
Published in: CODE Magazine: 2023 - January/February
Keeping secrets is as old as letters and numbers themselves, and Sahil takes you on an entertaining romp through history to see how we got to where we are with encryption, and which technologies are still secure today.
-
Security and Same Origin Policies
Last updated: Thursday, January 9, 2025
Published in: CODE Magazine: 2022 - November/December
Just when you’re thinking that you have this whole security thing covered, Sahil pokes a large hole in a common perception.
-
FIDO2 and WebAuthn
Last updated: Thursday, January 9, 2025
Published in: CODE Magazine: 2022 - September/October
If your system relies on username and passwords for security, you may be in trouble. Sahil describes how an application can securely trust a user's identity using modern software and FIDO2 with WebAuthn in Azure.
-
YARP: I Did It Again
Last updated: Thursday, January 9, 2025
Published in: CODE Magazine: 2022 - September/October
Yet Another Reverse Proxy (YARP) might sound like something you’d rather not do, but Shawn shows you how it can help if you have microservices, load-balancing problems, URL rewriting needs, or tight security requirements. Learn what a reverse proxy is and how to configure one.
-
Secure Microservices
Last updated: Tuesday, January 14, 2025
Published in: CODE Magazine: 2022 - March/April
These days, microservices seem to be solving all the architectural issues in software development. They’re everywhere, and that’s a good thing, right? Alexander explains how to make sure this simple construct doesn’t leave you with a security problem.
-
Eliminate Secrets from Your Applications with Azure Managed Identity
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2021 - July/August
When it’s time to deploy your app, and you’re using Azure SQL and Azure, you’re going to want to use Azure Managed Identity to authenticate and access the database. Julie shows you that it’s not even a little bit scary.
-
Can You Keep a Secret? Azure Can!
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2021 - May/June
Learn how to leverage Microsoft Identity via Azure Active Directory (AAD) to secure a Web application. Julie shows you how to store a database’s connection string along with its elements in Azure Key Vault.
-
Implementing JWT Authentication in ASP.NET Core 5
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2021 - May/June
Learn to use JSON Web Tokens (commonly known as JWT) to secure the data that's transmitted over the wire between APIs and the clients that consume the APIs.
-
Talk to an RD: Dr. Neil Roodyn and Markus Egger - Part 2
Last updated: Wednesday, June 9, 2021
Published in: CODE Magazine: 2020 - November/December
Microsoft MVPs Markus Egger and Dr. Neil Roodyn discuss why software should be designed with security in mind at the same level as the features being built. They also discuss Decentralized Identity: an identity you control, rather than a separate ID for each major company whose services you use.
-
Managed Identity
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2020 - July/August
Learn to use managed identity in Azure Active Directory to minimize the number of passwords you need to manage. Learn to use managed identities to access Microsoft Graph.
-
Modern Authentication
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2020 - May/June
What does authentication mean for applications working at Internet scale? Learn common tenets for the modern world (2020s).
-
A WPF Security System
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2020 - March/April
Discover a data-driven approach to make changes to a database table without updating security in your WPF application.
-
Managed Identity in Azure
Last updated: Friday, April 2, 2021
Published in: CODE Magazine: 2019 - March/April
Sahil uses the cloud to keep secrets out of source code. You never know when someone downstream might share code with the rest of the world, and with Managed Identity there are no credentials in the code to leak.
-
Security in Angular: Part 3
Last updated: Monday, April 12, 2021
Published in: CODE Magazine: 2018 - November/December
In this third installment of his Angular security series, Paul addresses the Angular 6 release and shows you how to build an array of claims without single properties for security.
-
Understanding Blockchain: A Beginners Guide to Ethereum Smart Contract Programming
Last updated: Monday, April 26, 2021
Published in: CODE Magazine: 2018 - May/June
If you need a tamper-evident record of your data, a blockchain is one way to get it (it protects integrity, not confidentiality). Wei-Meng explains how it all works and then helps you build your own.
-
Securing IIS Web Sites with Let’s Encrypt Certificates
Last updated: Thursday, May 6, 2021
Published in: CODE Magazine: 2018 - January/February
If HTTPS (HTTP over TLS) and obtaining certificates has got you down, you’ll want to read Rick’s take on this required technology. He’ll show you how to keep your website safe and introduce you to some useful new technologies.
-
Extending Office 365: The Developer’s Architectural Guide
Last updated: Wednesday, July 7, 2021
Published in: CODE Magazine: 2015 - July/August
Sahil pours his vast SharePoint prowess into building apps that put languages on an equal footing with one another.
-
Service Account Management in SharePoint 2013
Last updated: Thursday, September 2, 2021
Published in: CODE Magazine: 2014 - September/October
Managing security is very important, and SharePoint provides several ways to manage service accounts and their passwords. Sahil gives us the story.
-
Taking the Mystery Out of Cryptocurrencies
Last updated: Friday, September 3, 2021
Published in: CODE Magazine: 2014 - September/October
Bitcoin has been in the news a lot lately. If you ever wondered how it worked, you’ll want to read what Chris has to say.
-
Windows Azure Active Directory
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2014 - March/April
Michiel van Otegem explains Software-as-a-Service by comparing various online products and shows you how to store information about users whether you use Active Directory or Windows Azure Active Directory in the cloud.
-
Getting to Know the Identity of .NET 4.5
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2013 - September/October
Since the release of .NET 1.0 more than ten years ago, the classes governing identity have remained unchanged. That’s a good thing, because identity and security are at the core of most applications, so you don’t want that to change very often. However, with the release of .NET 4.5, the identity model has changed significantly.
-
Log Users in to Your Web Application with OpenID or OAuth
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2013 - January/February
Users already have many usernames and passwords for different popular online services, and with OpenID and OAuth, you can leverage those. Why burden users with yet another set of credentials for your site if they can use their Google or Facebook account, or any other OpenID or OAuth account? In this article, I will show you how to do this with ASP.NET 4.5, but more importantly help you understand what’s going on behind the scenes.
-
Claims-Based Authentication and the Cloud
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2012 - January/February
I give up! I can’t really explain how the cloud works unless I cover the topic of authentication in the cloud first. If I didn’t tackle this topic first, I could only explain boring unauthenticated applications. The issue is, for all practical purposes, the authentication fit for the cloud is claims-based. There is no worldwide Active Directory you can rely on. There is no single aspnetdb.mdf database. What’s more, there are many kinds of authentication already - Facebook, Twitter, Google, OpenID, Windows Live ID, etc.
-
Licensing and Obfuscation
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2010 - November/December
Software piracy runs rampant these days! You need to protect your code using a good licensing scheme and obfuscation. If you develop software for a living (and since you are reading this magazine, I assume you are), at some point you will most likely figure out how to protect your investment in that software. Two things you will need to do to accomplish this are to add licensing to your software, and to obfuscate your code so others cannot reverse engineer your hard work. These two tools are absolutely essential in your efforts to protect your software. This article will provide you with an overview on how you can use these tools to protect yourself from piracy.
-
Creating Self-Scaling Applications with Azure Services
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2010 - March/April
Microsoft’s Azure platform has finally been released into production. This new entry into the cloud computing market provides .NET developers with a scalable, robust platform for developing applications. After over a year in CTP, Azure is finally ready for prime time. At PDC 2009, Microsoft announced the release of new components, such as the management API, that make Azure worth considering for use in production environments. In this article, I’ll demonstrate how to use the different components of Azure Services to build a self-scaling application.
-
SharePoint Applied: To Kerberos or Not
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2009 - September/October
Whenever you create a new SharePoint website, one of the questions SharePoint asks you is to select an authentication mechanism. Should it be NTLM or should it be Kerberos? The first time I installed SharePoint, I picked Kerberos, because it sounded like a tropical fruit, only to be prompted that this will need more work! Given that I’m the laziest person you know, I changed my selection to NTLM, and went with the less naggy version instead!
-
Performance Improvements in Internet Explorer 8 Beta 2
Last updated: Friday, September 25, 2020
Published in: CODE Focus Magazine: 2008 - Vol. 5 - Issue 3 - IE8
Great performance is one of many things being delivered in Internet Explorer 8 Beta 2, the latest version of the popular browser. Beyond a much faster JScript engine, Internet Explorer 8 Beta 2 includes profound performance improvements and exciting new developer features that make it one of the most exciting browser releases in years.
-
Reliability and Privacy with Internet Explorer 8 Beta 2
Last updated: Wednesday, August 31, 2022
Published in: CODE Focus Magazine: 2008 - Vol. 5 - Issue 3 - IE8
Reliability and privacy are two must-have features for every Web user. To that end, Internet Explorer 8 Beta 2 introduces powerful and easy-to-use features that improve the dependability of your browsing experience and the security of your personally identifiable information. Read on for all the details.
-
Secure Coding with Internet Explorer 8 Beta 2
Last updated: Wednesday, August 31, 2022
Published in: CODE Focus Magazine: 2008 - Vol. 5 - Issue 3 - IE8
The Internet Explorer team has made significant investments to ensure that Internet Explorer 8 Beta 2 is the most secure version to date. Many of these improvements (like the SmartScreen anti-phishing/anti-malware filter) operate automatically and require no changes to Web pages or add-ons. However, other security improvements will impact Web applications and browser add-ons. This article describes how to take advantage of these new Internet Explorer security features to help protect Web users and applications.
-
Windows Live Delegated APIs
Last updated: Wednesday, August 31, 2022
Published in: CODE Focus Magazine: 2008 - Vol. 5 - Issue 2 - Windows Live
The smart way to share data between computers and other people is to place it in an online Internet store, which the other parties can access, but you want to make sure only the right people can access your data. This article will help you understand how the Windows Live delegated authentication system is used to access certain Windows Live data stores and the technologies Microsoft is building to make this work easier for you.
-
Never Write an Insecure ASP.NET Application Ever Again
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2008 - January/February
One of the most important security principles for software development is least privilege. Simply put, least privilege means that an application, process, or user should have the least access to resources required to accomplish a task and no more. By following this principle, even if your application is attacked or a user goes on the payroll of your nastiest competitor, you’ll have limited the potential damage. Bottom line: implementing partial trust in ASP.NET is the single biggest thing you can do to make your applications secure.
-
All Input Data is Evil-So Make Sure You Handle It Correctly and with Due Care
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2007 - May/June
IT professionals agree that input is a big source of trouble. Input ultimately determines how applications work and wrong or malicious input may cause serious damage. It is extremely important that developers have this fact firmly in mind and consequently apply adequate countermeasures. Starting from the perspective that all input is evil is a good approach. Reasoning in terms of a whitelist instead of a blacklist is another excellent strategy. Working with strongly typed data is the third pillar of secure applications. This article discusses the role of input data and related attacks in the context of ASP.NET applications.
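The three pillars the summary names (treat all input as hostile, reason in terms of an allowlist rather than a blocklist, and work with strongly typed data) shown together as an added example that is not code from the article. It is written in Python with the standard library's sqlite3 rather than the article's ASP.NET; the table, rows, allowed column names, page-size bounds and the hostile inputs are all constructed for the demo. The blocklist is included only to show the failure mode the article warns about: it catches the attacks its author thought of and nothing else.

```python
import re
import sqlite3

# Allowlists describe exactly what acceptable input looks like; anything else is rejected.
CUSTOMER_ID = re.compile(r"[0-9]{1,10}")          # used with fullmatch(), so the whole string must match
SORT_COLUMNS = frozenset({"created", "total", "customer"})

# A blocklist, included only to contrast with the allowlist approach: it enumerates bad things
# and therefore misses every bad thing its author did not think of (UNION, OR 1=1, ...).
BLOCKLIST = ("drop ", "delete ", "--", ";", "'")


class InputError(ValueError):
    """Raised for input that does not match the allowlist; a web layer would turn this into a 400."""


def parse_customer_id(raw: str) -> int:
    if not CUSTOMER_ID.fullmatch(raw):
        raise InputError("customer id must be 1 to 10 digits")
    return int(raw)                       # strongly typed from this point on


def parse_sort_column(raw: str) -> str:
    if raw not in SORT_COLUMNS:           # exact membership, no normalisation or trimming
        raise InputError("sort column not allowed")
    return raw


def parse_page_size(raw: str, lo: int = 1, hi: int = 100) -> int:
    try:
        size = int(raw, 10)
    except ValueError:
        raise InputError("page size must be an integer") from None
    if not lo <= size <= hi:
        raise InputError(f"page size must be between {lo} and {hi}")
    return size


def passes_blocklist(raw: str) -> bool:
    return not any(bad in raw.lower() for bad in BLOCKLIST)


def classify(raw_customer_id: str) -> tuple:
    """(blocklist verdict, allowlist verdict) for one candidate customer id."""
    return passes_blocklist(raw_customer_id), CUSTOMER_ID.fullmatch(raw_customer_id) is not None


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises InputError."""
    try:
        fn(*args)
    except InputError:
        return True
    return False


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer INTEGER, total REAL, created TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, 7, 10.0, "2024-01-01"),
        (2, 7, 30.0, "2024-02-01"),
        (3, 8, 5.0, "2024-03-01"),
    ])
    return conn


def fetch_order_ids(conn: sqlite3.Connection, raw_customer: str, raw_sort: str, raw_size: str) -> list:
    customer = parse_customer_id(raw_customer)
    sort = parse_sort_column(raw_sort)
    size = parse_page_size(raw_size)
    # Values travel as bound parameters. A column name cannot be a parameter, so it is
    # interpolated, which is safe only because parse_sort_column took it from a fixed set.
    sql = f"SELECT id FROM orders WHERE customer = ? ORDER BY {sort} DESC LIMIT ?"
    return [row[0] for row in conn.execute(sql, (customer, size))]


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_order_ids(db, "7", "total", "10"))          # [2, 1]
    # Constructed hostile inputs: both slip past the blocklist, neither passes the allowlist.
    for candidate in ("7 OR 1=1", "7 UNION SELECT total FROM orders", "7"):
        print(repr(candidate), classify(candidate))
    print("rejected:", is_rejected(fetch_order_ids, db, "7", "total; DROP TABLE orders", "10"))
```

The split of responsibilities is the point: every raw string is converted into a typed value by one small parser with a positive definition of "good", and the query layer never sees a string it did not get from one of those parsers.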
-
SQLCLR Security and Designing for Reuse
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2007 - May/June
An important principle of software design is that of “least privilege.” Basically, in any given layer of a program, you should only grant minimal access such that the code has rights to exactly the resources it needs to get its job done, and nothing more. Most SQL Server developers understand this concept: one of the main reasons to use stored procedures is to encapsulate permission to data behind controlled and auditable interfaces, thereby not giving the caller direct access.
-
Protect Your Downloadable Files Using HTTP Handlers
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2007 - March/April
So you finally have a product to sell, and a site to sell it on. But wait; how do you prevent unauthorized users from downloading your products? Forms Authentication provides only part of the solution. In this article, I’ll show how to prevent specific users from accessing specific files on your site; even by browsing directly to them.
-
Abstract Security, Concrete Safety
Last updated: Wednesday, February 20, 2019
Published in: Book Excerpts, Newsletters
If you are a developer of embeddable software, or are looking to follow best practices, you have a few options for how to architect security within your own product. In this article, Izenda Software Architect Mason Costa compares the available methods and uses the example of abstracting security to demonstrate best practices and to show how programmers can provide extensibility while avoiding the burdens posed by custom implementations.
-
PART I Introduction
Last updated: Thursday, February 21, 2019
Published in: Book Excerpts
“From a drop of water . . . a logician could infer the possibility of an Atlantic or a Niagara without having seen or heard of one or the other. So all life is a great chain, the nature of which is known whenever we are shown a single link of it. Like all other arts, the Science of Deduction and Analysis is one which can only be acquired by long and patient study nor is life long enough to allow any mortal to attain the highest possible perfection in it. Before turning to those moral and mental aspects of the matter which present the greatest difficulties, let the enquirer begin by mastering more elementary problems.”-Sherlock Holmes in A Study in Scarlet
-
Fundamentals of WCF Security
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2006 - November/December
Windows Communication Foundation (WCF) is a secure, reliable, and scalable messaging platform for the .NET Framework 3.0. With WCF, SOAP messages can be transmitted over a variety of supported protocols including IPC (named pipes), TCP, HTTP and MSMQ. Like any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls. This article will discuss how WCF accomplishes this.
-
Security in the CLR World Inside SQL Server
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2006 - March/April
One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS). CAS provides a code-based, rather than user-based, authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005’s own, newly enhanced security features? By default your .NET code is reasonably secure, but it’s all too easy for the two security schemes to butt heads and cause you grief. In this article I’ll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.
-
Manage Custom Security Credentials the Smart (Client) Way
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2005 - November/December
Both Internet and intranet applications often require a custom store for user accounts and roles. ASP.NET 2.0 provides an out-of-the-box provider model as well as a SQL Server database for that purpose. Unfortunately, the only way to administer the credentials database is via Visual Studio 2005, and only for local Web applications. This article presents a full-blown custom security management application that administrators can use. The application wraps the ASP.NET 2.0 providers with a Web service and even adds missing features. This article presents the design approaches, challenges, and techniques involved in developing such an application. The article also walks you through some powerful and useful techniques such as interface-based Web services, reflection-based Web service compatibility, advanced C# 2.0, Web services security, and Web services transactions.
-
Security Is Job One!
Last updated: Thursday, December 16, 2021
Published in: CODE Magazine: 2005 - September/October
Rod Paddock Editorial Article - September/October 2005 Issue
-
SQL Server 2005 Secures Your Data Like Never Before
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2005 - September/October
If you care about your data, you must upgrade to SQL Server 2005 the day it is released. There simply is no other option. An outrageous assertion? Perhaps. I tend to split my time equally between praising and bashing Microsoft, but the new security features and tools in SQL Server 2005 will be mandatory for protecting your data from today's increasingly sophisticated attacks. Most importantly, SQL Server 2005's many layers of security provide for defense in depth, in which layer after layer of protection helps keep data safe.
-
Using the New Security Controls in ASP.NET 2.0
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2005 - September/October
ASP.NET 2.0 comes with several new security controls (located under the Login tab in the Toolbox; see Figure 1) that greatly simplify the life of a Web developer. Using the new security controls, you can now perform tasks such as user logins, registration, password changes, and more, with no more effort than dragging and dropping controls onto your Web form. In this article, I will show you how you can use these new controls to perform user authentication.
-
.Finalize() - Making Sausages
Last updated: Thursday, February 21, 2019
Published in: CODE Magazine: 2004 - November/December
Ken Getz' .Finalize() column.
-
.Finalize() - Keeping Secrets
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2004 - July/August
Ken Getz' .Finalize() column.
-
Managing .NET Code Access Security (CAS) Policy
Last updated: Wednesday, August 31, 2022
Published in: CODE Magazine: 2004 - May/June
Code Access Security (CAS) is the .NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code. Most developers don't have to work with CAS on a daily basis because the .NET Framework libraries take care of much of the work involved in securing code. However, when you do need to work with CAS, having a good understanding of CAS policy management is essential. Waiting until the eleventh hour in the project lifecycle and realizing that you need to configure security policy is painful. For example, if you have a Smart Client application that runs over Internet Explorer, you will need to consider what permissions your application requires and how you are going to configure policy so that your code will run on a client machine. Or, suppose that your application defined a custom permission for a scenario not already covered by the permissions that ship with .NET. Here again you need to understand CAS policy. This article discusses the essential elements of CAS (evidence, permissions, and policy), shows how .NET CAS policy works, and explains reasons for making various policy decisions.
-
Use Generics to Create an Audit Trail
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2004 - May/June
Building an audit trail into your application provides a mechanism for tracking who updated what, and when, and the new generics feature in Whidbey (the code name for what shipped as .NET 2.0) helps you build that trail. The Whidbey release of .NET will include a new Common Language Runtime (CLR) feature called generics. Generics allow you to use a variable to represent a desired data type, and thereby create very generic code (hence the name) that works with any data type. You define the data type for the generic variable where you use it, and the CLR substitutes that data type for the variable everywhere in the code that it is used, basically providing you with strongly typed generic code.
-
Are You Insecure?
Last updated: Tuesday, February 19, 2019
Published in: Publisher's Point, Markus Egger Talks Tech
Markus Egger talks about developing secure applications.
-
Create Bulletproof Components with COM Security
Last updated: Thursday, November 24, 2022
Published in: CODE Magazine: 2000 - Summer, Markus Egger Talks Tech
COM+ gives the developer a way to build a flexible and powerful security system into applications without having to write a lot of custom code. This article will examine how to leverage the power of the COM+ security model.
-
.NET Web Services Security
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2003 - July/August
Web services are all about connecting businesses in a standard and secure manner. For a real-life Web service, security is intrinsic to every facet of operation and no party would ever agree to interact with a non-secure Web service. Unfortunately, Web services security is still in its infancy; standards such as WS-I are just emerging and there is no built-in support in the development tools for them. That being said, there are quite a few programming techniques you can use today in .NET 1.1 to secure your Web services, and do so in a way that will ease the transition to future standards and protocols.
-
Auto-Deploying Windows Forms .NET Applications: The Revenge of the Fat Client
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2003 - July/August
.NET provides new tools to make deployment of fat client .NET applications easier. This article describes the basics of .NET Auto-Deployment technology and the security mechanism that prevents users from inadvertently running code distributed by hackers and virus writers.
-
Cryptography the .NET Way
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2003 - July/August
In real-world applications you just can't do without encryption. The problem with cryptography, though, is that sometimes it may make you use an overly complex API. The .NET Framework classes for cryptography don't require you to become an expert mathematician or a cryptography guru. In the .NET Framework you'll find symmetric and asymmetric cryptographic providers as well as hash providers. Some of these provider classes end up calling into the unmanaged CryptoAPI library while other parts of the .NET cryptography solution are purely managed code.
-
Interview with Microsoft's Steve Lipner
Last updated: Wednesday, November 30, 2022
Published in: CODE Magazine: 2002 - November/December
David Stevenson interviews Steve Lipner, Microsoft's Director of Security Assurance; the article discusses how Microsoft is implementing security in their applications.
-
Securing Your SQL Server
Last updated: Wednesday, February 20, 2019
Published in: CODE Magazine: 2002 - November/December
SQL Server, like most complex databases, has potential security holes. This article discusses these security holes and how to close them.
-
Stateful Network-Deployable .NET Components Use Isolated Storage
Last updated: Thursday, February 21, 2019
Published in: CODE Magazine: 2002 - November/December
Sometimes an application needs to keep its data in its own secure "sandbox". This article demonstrates creating these isolated applications in .NET.
-
Threat Modeling
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2002 - November/December
The first step in securing your application is to understand threats. This article discusses how to understand where your application may be threatened.
-
Understanding the Crypto API
Last updated: Tuesday, February 19, 2019
Published in: CODE Magazine: 2002 - March/April
You know about the importance of securing your data. But how do you add industrial-strength security to your program? The answer is simple: use the Windows Crypto API.
-
Taking Advantage of ADSI
Last updated: Wednesday, November 30, 2022
Published in: CODE Magazine: 2001 - Issue 1
Active Directory Service Interfaces (ADSI) is a COM-based set of interfaces that allow you to interact with and manipulate directory services. That means it's a cool way for scripts and code to add users, change passwords, create network groups, control IIS programmatically, and start and stop services. In this article, I'll cover the basic ADSI syntax and give you some example code to use in your own applications.