|
I'm tempted to stick my neck out for Microsoft and
proclaim that .NET is totally secure.
But you and I (and Microsoft) know that this is
unrealistic. Despite Larry Ellison's
claims that Oracle is 100%, without a doubt secure, no
software is completely immune
to some form of attack. A great book that provides an
overview of the various and sundry forms
that malicious attacks can take is "Secrets and Lies: Digital Security in a Networked World" by
Bruce Schneier.

So, first of all, it depends on what you mean
by "secure". Do the security mechanisms inside .NET
allow developers to write applications
that ensure the authenticity of code, that is, that it comes
from a trusted source? Absolutely. Are there
authorization and authentication mechanisms baked into
.NET? Sure are. Does it force developers
to lazily ignore these mechanisms and write insecure
applications? You bet. Microsoft is
going to begin a campaign in 2002 that will be
targeted at teaching developers how to take
advantage of the new security features in .NET. On
January 16th, Bill Gates sent a letter
to each of Microsoft's 47,000 employees outlining a
new company-wide strategy called
"Trustworthy Computing". To quote the memo: "If we
don't do this, people simply won't be
willing -- or able -- to take advantage of all the
other great work we do. Trustworthy Computing
is the highest priority for all the work we are
doing..." So it sounds like Microsoft
got the Security Religion. Stay tuned ...

By the way, it is interesting to note that a report of
a virus called W32/Donut popped up on January 9th.
Plenty of people bashed Microsoft, including
industry pundits and "experts". Then it was
discovered that this virus is not a result
of .NET, but rather of an existing flaw
in Windows security, and that it happens to infect .NET files.
Tony Goodhew, product manager for the .NET
Framework said the following on January 10th: "This is
not a .NET virus. It's a Windows virus
that infects .NET files ... It's not running in the
.NET Framework as managed code. It's not finding
some hole in the security model and exploiting it."

Should you be concerned? When it comes to security, I
think all developers and organizations should
have a high degree of concern. Should
you be OVERLY concerned to the point where
you don't benefit from all that .NET offers?
Absolutely not. Just educate yourself on how to
implement the security features that best apply to
your organization.
|