So, first of all, it depends on what you mean by "secure". Do the security mechanisms inside .NET allow developers to write applications that ensure the authenticity of code, confirming that it comes from a trusted source? Absolutely. Are there authorization and authentication mechanisms baked into .NET? Sure are. Does it force developers to lazily ignore these mechanisms and write insecure applications? You bet.

Microsoft is going to begin a campaign in 2002 that will be targeted at teaching developers how to take advantage of the new security features in .NET. On January 16th, Bill Gates sent a letter to each of Microsoft's 47,000 employees outlining a new company-wide strategy called "Trustworthy Computing". To quote the memo: "If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing..." So it sounds like Microsoft got the Security Religion. Stay tuned ...
By the way, it is interesting to note that a report of a virus called W32/Donut popped up on January 9th. Plenty of people bashed Microsoft, including industry pundits and "experts". Then it was discovered that this is not a virus that results from .NET, but rather one that results from an existing flaw in Windows security and happens to infect .NET files. Tony Goodhew, product manager for the .NET Framework, said the following on January 10th: "This is not a .NET virus. It's a Windows virus that infects .NET files ... It's not running in the .NET Framework as managed code. It's not finding some hole in the security model and exploiting it."
Should you be concerned? When it comes to security, I think all developers and organizations should have a high degree of concern about security. Should you be OVERLY concerned to the point where you don't benefit from all that .NET offers? Absolutely not. Just educate yourself on how to implement the security features that best apply to your organization.
This was first published in January 2002