    January 23

    X509 specifications for those who need the low level info.

    You might be interested in reading this RFC if you need to develop applications that handle encryption.

    For example, if you have a legacy system (e.g. MF) and you need to write your own low-level procedures to handle encryption, then
     
    January 18

    Using X509 certificate with .NET web services

    Here is a good blog post on how to use the winhttpcertcfg.exe utility to attach an X.509 certificate to the worker process.
    You need this tool when you want to use SSL v3 without any client (user)

    Check it out here:

    and here:

    WSE can do this mapping automatically, check it out here:

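As an added example (not from the original post or the linked article), this code loads the certificate the worker process should present, checks that the process account can actually open its private key (the permission winhttpcertcfg.exe grants) and attaches it to an outgoing request. The thumbprint is a placeholder and the store location (LocalMachine\My) is assumed.

```csharp
// Added example, not the post's own code. Verifies that the current process
// identity can use the client certificate's private key before presenting it.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ProcessClientCert
{
    // PLACEHOLDER: replace with the SHA-1 thumbprint of your own certificate.
    public const string Thumbprint = "0000000000000000000000000000000000000000";

    // Finds the certificate in LocalMachine\My and proves the private key is usable
    // under the current process account. A CryptographicException here is exactly the
    // symptom that "winhttpcertcfg.exe -g ..." fixes for the ASP.NET worker process.
    public static X509Certificate2 LoadUsableCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; import the .pfx, not the .cer");

            try
            {
                // Touching PrivateKey opens the key container as the process identity;
                // without read access on the key file the CSP throws.
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null)
                    throw new InvalidOperationException("Private key is not accessible");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Process account cannot read the private key; grant it with " +
                    "winhttpcertcfg.exe -g -c LOCAL_MACHINE\\My -s <subject> -a <account>", ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Attaches the certificate to a plain HTTP request. A generated web service proxy
    // (SoapHttpClientProtocol) exposes the same ClientCertificates collection.
    public static HttpWebRequest CreateRequest(string url, X509Certificate2 cert)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(cert);
        return request;
    }
}
```
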
    January 14

    How to: Check the identity of the caller component

    This code sample demonstrates how to check the identity of the caller at the component level; the technique can be used to make sure that only the BL layer calls the DAL.
     

    //
    // Class library example to demonstrate StrongNameIdentityPermission and
    // StrongNameIdentityPermissionAttribute.
    using System;
    using System.Security.Permissions;
    using System.Reflection;
    //[assembly: AssemblyVersion("1.0.*")]
    //[assembly: AssemblyKeyFile(@"c:\mykey.snk")]
    namespace SignedLib
    {
        public class Signed
        {
            // Read the windir environment variable, after an imperative demand that the
            // caller is the strong-named executable whose public key is listed below.
            public void GetWindirImperative()
            {
                try
                {
                    // Use Sn.exe to generate the byte array for the public key.
                    byte[] b1 = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0, 0, 36,
                        0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 237, 146, 145, 51, 34,
                        97, 123, 196, 90, 174, 41, 170, 173, 221, 41, 193, 175, 39, 7, 151,
                        178, 0, 230, 152, 218, 8, 206, 206, 170, 84, 111, 145, 26, 208, 158,
                        240, 246, 219, 228, 34, 31, 163, 11, 130, 16, 199, 111, 224, 4, 112,
                        46, 84, 0, 104, 229, 38, 39, 63, 53, 189, 0, 157, 32, 38, 34, 109, 0,
                        171, 114, 244, 34, 59, 9, 232, 150, 192, 247, 175, 104, 143, 171, 42,
                        219, 66, 66, 194, 191, 218, 121, 59, 92, 42, 37, 158, 13, 108, 210,
                        189, 9, 203, 204, 32, 48, 91, 212, 101, 193, 19, 227, 107, 25, 133,
                        70, 2, 220, 83, 206, 71, 102, 245, 104, 252, 87, 109, 190, 56, 34, 180 };
                    // Specify the version of the calling assembly.
                    Version v1 = new Version("1.0.0.0");
                    StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(b1);
                    Console.WriteLine(ComparePublicKeys()
                        ? "Calling assembly has same key as this assembly"
                        : "Calling assembly has different key than this assembly");
                    // Demand that the caller is "StrongNamedExe" version 1.0.0.0 signed with
                    // this key; a SecurityException is thrown if it is not.
                    StrongNameIdentityPermission snPerm = new StrongNameIdentityPermission(blob, "StrongNamedExe", v1);
                    snPerm.Demand();
                    // Return the location of the Windows directory that is found in
                    // the windir environment variable.
                    Console.WriteLine(Environment.GetEnvironmentVariable("windir"));
                }
                catch (Exception e)
                {
                    Console.WriteLine("Exception thrown in called assembly: " + e.Message);
                }
            }

            // Use an attribute to demand that the calling assembly has a specific strong name key.
            // Use Sn.exe to generate the public key string used for the demand.
            [StrongNameIdentityPermissionAttribute(SecurityAction.Demand, PublicKey =
                "0024000004800000940000000602000000240000525341310004000001000100ed92913322617b" +
                "c45aae29aaaddd29c1af270797b200e698da08ceceaa546f911ad09ef0f6dbe4221fa30b8210c7" +
                "6fe004702e540068e526273f35bd009d2026226d00ab72f4223b09e896c0f7af688fab2adb4242" +
                "c2bfda793b5c2a259e0d6cd2bd09cbcc20305bd465c113e36b19854602dc53ce4766f568fc576d" +
                "be3822b4")]
            public void GetWindirDeclarative()
            {
                try
                {
                    // Return the location of the Windows directory that is found in
                    // the windir environment variable.
                    Console.WriteLine(Environment.GetEnvironmentVariable("windir"));
                }
                catch (Exception e)
                {
                    Console.WriteLine("Exception thrown in called assembly: " + e.Message);
                }
            }

            // Compare the public key token of the entry assembly with this assembly's token.
            public static bool ComparePublicKeys()
            {
                // The entry assembly is the executable that started the process; it is
                // null when this library is hosted (for example under ASP.NET).
                Assembly entryAssembly = Assembly.GetEntryAssembly();
                if (entryAssembly == null)
                    return false;
                string mainAssembly = entryAssembly.FullName;
                Console.WriteLine("Calling assembly = " + mainAssembly);
                // Get the name of the assembly being called (this assembly).
                string thisAssembly = Assembly.GetExecutingAssembly().FullName;
                Console.WriteLine("Called assembly = " + thisAssembly);
                // "PublicKeyToken=..." is the last component of a display name, so compare
                // everything from that marker to the end. An unsigned assembly reads
                // "PublicKeyToken=null", which is shorter than a real token and must not
                // make Substring throw, hence no fixed length here.
                int tokenIndex1 = thisAssembly.LastIndexOf("PublicKeyToken");
                int tokenIndex2 = mainAssembly.LastIndexOf("PublicKeyToken");
                if (tokenIndex1 < 0 || tokenIndex2 < 0)
                    return false;
                string testString1 = thisAssembly.Substring(tokenIndex1);
                string testString2 = mainAssembly.Substring(tokenIndex2);
                return testString1.Equals(testString2);
            }
        }
    }
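
The sample above identifies the caller by substring-matching the display name, and uses the entry assembly rather than the assembly that actually made the call. As an added example (not the post's code), the following DAL entry point reads the caller's public key token bytes from AssemblyName and compares them with the token of the key the BL layer is signed with; the token value, the assembly names and the ReadSetting method are hypothetical.

```csharp
// Added example, not from the original post. A DAL method that refuses calls from
// any assembly not signed with the expected strong-name key.
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;

namespace SignedLib
{
    public static class CallerCheck
    {
        // PLACEHOLDER token of the key the BL assembly is signed with; take the real
        // value from "sn.exe -T BusinessLogic.dll".
        public static readonly byte[] ExpectedToken =
            { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

        // Pure comparison, kept separate so it can be unit-tested without a signed caller.
        // An unsigned assembly reports an empty token, so it is rejected by the length check.
        public static bool HasExpectedToken(byte[] token)
        {
            if (token == null || token.Length != ExpectedToken.Length)
                return false;
            int diff = 0;
            for (int i = 0; i < token.Length; i++)
                diff |= token[i] ^ ExpectedToken[i];
            return diff == 0;
        }
    }

    public static class SettingsDal
    {
        // NoInlining matters: if the JIT inlined this method into its caller,
        // GetCallingAssembly() would report the caller's caller instead.
        [MethodImpl(MethodImplOptions.NoInlining)]
        public static string ReadSetting(string name)
        {
            // GetCallingAssembly() must be called directly in the public entry point:
            // from a private helper it would return this DAL assembly, not the BL.
            Assembly caller = Assembly.GetCallingAssembly();
            byte[] token = caller.GetName().GetPublicKeyToken();
            if (!CallerCheck.HasExpectedToken(token))
                throw new SecurityException(
                    "DAL may only be called from the signed BL assembly; caller was " + caller.FullName);

            // Note for .NET 2.0 and later: StrongNameIdentityPermission.Demand() succeeds
            // automatically when the caller is fully trusted, so in a full-trust host this
            // explicit token check is what actually enforces the layering rule. It tells
            // you which assembly compiled the call; it is not a defence against code that
            // already runs with full trust inside the same process.
            return Environment.GetEnvironmentVariable(name);
        }
    }
}
```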

    ASP.NET 2.0 Security Reference Implementation

    Here is a good reference for implementing security best practices in your application.
    You can find it here

    December 25

    playing with security context

    http://www.leastprivilege.com/ASPNETExtensibilityCodeAndSecurityContext.aspx

    December 24

    Ajax Security

    First, you can download the free AJAX library from http://ajax.asp.net/Default.aspx

    There is a good tool to look for AJAX vulnerabilities called Sprajax; you can find all the sources at the OWASP project at: http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project


    Sprajax README

    Introduction

    Sprajax is an open-source tool for assessing the security of AJAX-enabled web applications.  Sprajax-specific code has been released under the GNU Lesser GPL (LGPL).  Code for supporting libraries (C# spider and Dynamic WebServices Library) is released under the licenses outlined in their source code directories.  Code from other projects is used pursuant to their licenses and is used without the endorsement of the original authors.

    For more information about sprajax, please check out the official sprajax page: http://www.denimgroup.com/sprajax/

    Also, I talk about sprajax issues pretty frequently on the Denim Group blog: http://denimgroup.typepad.com/

    Contents

    The sprajax deployment package contains code and binaries for the sprajax tool, supporting libraries, as well as an example Microsoft Atlas AJAX-enabled application.

    README.doc

    This document.

    DenimGroup.Sprajax Folder

    This contains the main sprajax Visual Studio .NET solution.  The database projects contained need to be installed into a SQL Server 2005 database and the connection string can be entered on the main sprajax screen.

    DenimGroup.Sprajax.DemoSite

    This contains a demonstration Microsoft Atlas AJAX-enabled web application that helps to illustrate the capabilities of the Sprajax tool.

    cssspider Folder

    This contains the source and binaries for the modified C# Spider adapted from the work of  Jeff Heaton (www.jeffheaton.com).  This spider code is the basis for the footprinting functionality in sprajax.

    DWSL1.5_DotNET20 Folder

    This contains the source and binaries for the modified Dynamic Web Services Library adapted from the work of Christian Weyer of Thinktecture (www.thinktecture.com).  This web services code is the basis for the calls made to web services when fuzzing Microsoft Atlas AJAX applications.

    DenimGroup.Sprajax.GWT.DemoSite

    This contains a prototype Google Web Toolkit (GWT) application, but this is not finished and GWT support is still not operational.

    Getting Started

    1. Install the database scripts from the DenimGroup.Sprajax VS.NET solution and stored procedures into a SQL Server 2005 database.  Determine the database connection string because it will be needed later.
    2. Change the connection string in the DenimGroup.Sprajax.DemoSite
    3. Run the DenimGroup.Sprajax.DemoSite project
    4. Run the DenimGroup.Sprajax project
    5. Change the connection string in the sprajax tool
    6. Change the URL (if required) to match the location where the DenimGroup.Sprajax.DemoSite web application
    7. Click the "Footprint Application" button and wait for sprajax to footprint the web application.  This involves spidering the application and may take a minute or so depending on the size of the application.
    8. Click the "Fuzz Application" button and wait for sprajax to fuzz the web services.  This may take quite a while depending on the number of web services being fuzzed, and Visual Studio may give STA threading warnings (have to work on those…)
    9. When sprajax finishes fuzzing the web services, click the "Show Results" button to see the JavaScript files found, Atlas frameworks detected as well as the web services, methods and parameters available in support of AJAX functionality.  View the data grid at the bottom to see calls that caused exceptions along with the input parameters.  Look at the exception messages and stack traces to diagnose potential security flaws in the target application.

    Known Issues

    • The actual AJAX-y behavior of the example site is all screwed up right now, but sprajax can still detect all the constructs and fuzz them as required.
    • STA threading warnings occur (and the UI temporarily freezes up) when running the fuzzing routines.  I need to clean this up.
    • Requiring a SQL 2005 database is a pain, so in the next version there will be a data handler for single-session-only results that won't require a database backend.

     

    Email dan@denimgroup.com with patches, suggestions or questions.

    September 27

    Microsoft Releases CodePlex - Join the Community

    CodePlex is an online collaborative software development portal for community-oriented projects. Create new projects to share with developers around the world, join existing projects, or use the applications on this site and provide feedback.

    September 23

    windows vista security blog

    The blog can be found here

    looking up a user in a multiple domain environment

    If your web site uses Windows integrated authentication, the best way to look up a user's Active Directory record is by their SID, which is unique across the forest (a sAMAccountName is only unique within one domain). Read more here
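
As an added example (not from the original post or the linked article), this resolves the Windows-authenticated caller of an ASP.NET request to its directory object using the ADSI SID binding string, LDAP://<SID=...>, with the SID in hex form. It assumes a reference to System.DirectoryServices and that the web site runs with Windows authentication.

```csharp
// Added example, not the post's own code. Looks up the caller's AD object by SID so
// the lookup works regardless of which domain in the forest the account lives in.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class SidLookup
{
    // Builds the ADSI SID binding string, e.g. LDAP://<SID=0105000000000005150000...>.
    // The hex form of the binary SID is the form ADSI documents for this binding.
    public static string BuildBindingString(SecurityIdentifier sid)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        StringBuilder hex = new StringBuilder(raw.Length * 2);
        foreach (byte b in raw)
            hex.Append(b.ToString("X2"));
        return "LDAP://<SID=" + hex + ">";
    }

    // Returns "sAMAccountName (distinguishedName)" for the caller's AD object,
    // or null when the request is anonymous or not Windows-authenticated.
    public static string Describe(HttpContext context)
    {
        WindowsIdentity identity = context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.User == null)
            return null;

        using (DirectoryEntry entry = new DirectoryEntry(BuildBindingString(identity.User)))
        {
            // Reading a property forces the bind; a SID no domain in the forest
            // recognises (e.g. a local machine account) surfaces here as a COMException.
            string account = entry.Properties["sAMAccountName"].Value as string;
            string dn = entry.Properties["distinguishedName"].Value as string;
            return account + " (" + dn + ")";
        }
    }
}
```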

    windows vista security for developers

    Windows Vista Application Development Requirements for User Account Control Compatibility is available here

     

    April 24

    Tech-ED 2006 Hacking Contest

    I'm proud to announce a hacking contest that will be held on the first day of Tech-Ed.

    The winner will be the one who penetrates the system and succeeds in hacking the application. The winner will win an iPod Nano :)

    More details will be posted soon

    Developer Highway Code

    To build software that meets your security objectives, you must integrate security activities into your software development lifecycle. This handbook captures and summarises the key security engineering activities that should be an integral part of your software development processes.

    March 14

    Visual Studio 2005 Security Features and Tools

    Visual Studio 2005 Security Features: Watch and Learn

    February 22

    AJAX Security

    Web developers cannot have failed to notice the excitement surrounding AJAX or Asynchronous JavaScript And XML. The ability to create intelligent web sites such as Google Suggest or compelling web-based applications such as Gmail is thanks in no small part to this technology. There is, however, a darker side - and accompanying the growth in AJAX applications we have noticed an equally significant growth in security flaws, with the potential to turn AJAX-enabled sites into a time bomb.

    February 16

    signing 3rd party assembly

    If you need to apply a strong name to an assembly that was provided to you already compiled, and you don't have the source, you first need to produce the Microsoft intermediate language (MSIL) for the assembly using the ILDASM.EXE utility, then use an assembly key file to sign that MSIL into a new DLL using the ILASM.EXE utility.

    1. Obtain the MSIL for the provided assembly
       From a VS.NET command prompt, enter the following:
       c:\>ildasm providedAssembly.dll /out:providedAssembly.il
    2. Rename/move the original assembly
       I just tack ".orig" onto the filename.
    3. Create a new assembly from the MSIL output and your assembly key file
       Assuming you already have an assembly key pair file (if not, see #1 in previous steps), do the following from a VS.NET command prompt:
       c:\>ilasm providedAssembly.il /dll /key=keypair001.snk

    June 30

    Smartphone 2003 Development links

    Thanks to Nauman Leghari's Blog for these links:

    Chapter 1: Introduction to the .NET Compact Framework

    Fundamentals of Microsoft .NET Compact Framework Development for the Microsoft .NET Framework Developer
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/net_vs_netcf.asp?frame=true>

    What's New in Smartphone 2003
    <http://msdn.microsoft.com/library/en-us/dnwmnew/html/manew_sp03.asp?frame=true>

    Develop for Windows Mobile 2003 for Smartphone Using the .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/Smartphone_2003.asp?frame=true>

    An Introduction to Microsoft SmartPhone, and Programming SmartPhone using C#
    <http://www.codeproject.com/netcf/SmartphoneIntroCSharp.asp>

    Design Considerations for Microsoft Smartphone Applications
    <http://www.oreillynet.com/pub/a/wireless/2004/01/07/smartphone.html>

    Chapter 2: The Smartphone User Interface

    Write Apps for the Smartphone without Dumbing Down Your UI
    <http://www.devx.com/wireless/Article/21291>

    Creating a Multiple Form Application Framework for the Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfuiframework.asp?frame=true>

    How to Create a Microsoft .NET Compact Framework-based Image Button
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/ImageButton.asp?frame=true>

    Crafting Smartphone User Interfaces Using .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/grfCraftingSmartphoneUserInterfacesUsingNETCompactFramework.asp?frame=true>

    Develop for the SmartPhone Using Techniques You Already Know
    <http://www.devx.com/wireless/Article/17968>

    Chapter 3: Smartphone Controls

    Creating Controls by Hand in the .NET Compact Framework
    <http://www.devx.com/getHelpOn/10MinuteSolution/17430>

    .NET Compact Framework Sample: Hosting A Native Windows Control
    <http://www.microsoft.com/downloads/details.aspx?familyid=794f5e1a-984b-474f-8139-a1a64c595151&displaylang=en>

    Developing Custom Controls in C# with Smart Device Extensions
    <http://msdn.microsoft.com/library/en-us/dncenet/html/customctrlssde.asp?frame=true>

    Chapter 4: Graphics

    Creating a Microsoft .NET Compact Framework-based Animation Control
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/animationcontrol.asp?frame=true>

    Chapter 5: Files and Directories

    Working with files on Smartphone devices with the .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/SPFiles.asp?frame=true>

    Chapter 6: Mobile Web Services

    Consuming Web Services with the Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfwebservices.asp?frame=true>

    Chapter 7: Working with Unmanaged Code

    Accessing Phone APIs from the Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfphoneapi.asp?frame=true>

    Advanced P/Invoke on the Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfadvinterop.asp?frame=true>

    An Introduction to P/Invoke and Marshaling on the Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfintrointerp.asp?frame=true>

    Creating a P/Invoke Library
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/PInvokeLib.asp?frame=true>

    P/Invoking Serial APIs in the Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/PISAPICF.asp?frame=true>

    Using dumpbin.exe as an Aid for Declaring P/Invokes
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfdumpbinpinvoke.asp?frame=true>

    Chapter 8: Deploying Smartphone Application

    Deployment Patterns for Microsoft .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/DeploymentPatterns.asp?frame=true>

    Smartphone 2003 Application Deployment Demystified
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/sp_2003_app_deploy_demyst.asp?frame=true>

    Chapter 9: Interoperability

    Connecting Microsoft Mobile Devices to Java Infrastructures
    <http://www.sys-con.com/story/?storyid=47342&DE=1>

    Architecting Disconnected Mobile Applications Using a Service Oriented Architecture
    <http://msdn.microsoft.com/library/en-us/dnppc2k3/html/develop_disconnect_mob_apps.asp?frame=true>

    Chapter 10: Game Programming with Smartphone

    Games Programming with Cheese: Part One
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/gamesprogwithcheese.asp?frame=true>

    Games Programming with Cheese: Part Two
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/playingthegame.asp?frame=true>

    Games Programming with Cheese: Part Three
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/completingthegame.asp?frame=true>

    Games Programming with Cheese: Part Four
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/agameapplication.asp?frame=true>

    Chapter 11: Advanced Topics

    Security:

    A Practical Guide to the Smartphone Application Security and Code Signing Model for Developers
    <http://msdn.microsoft.com/library/en-us/dnsmtphn2k3/html/smartphone_security.asp?frame=true>

    Sending and Receiving SMS Messages:

    Receiving SMS Messages Inside a Managed Application
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/ReceivingSMSMessages.asp?frame=true>

    Sending SMSs from your Microsoft .NET Compact Framework-based Applications
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfsendsms.asp?frame=true>

    Debugging:

    Microsoft .NET Compact Framework Debugging
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/CompactFXDebug.asp?frame=true>

    Performance:

    An Overview of the .Net Compact Framework Garbage Collector
    <http://weblogs.asp.net/stevenpr/archive/2004/07/26/197254.aspx>

    Microsoft .NET Compact Framework Multi-threading Tips
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfmultithreadedapp.asp?frame=true>

    Microsoft .NET Compact Framework Background Processing Techniques
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/BackgroundProcess.asp?frame=true>

    Improving Microsoft .NET Compact Framework-based Application Form Load Performance
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfimproveformloadperf.asp?frame=true>

    Developing Well Performing .NET Compact Framework Applications
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/netcfperf.asp?frame=true>

    .Net Compact Framework Advanced Memory Management
    <http://weblogs.asp.net/mikezintel/archive/2004/12/08/278153.aspx>

    Miscellaneous:

    Creating Self-Updating Applications With the .NET Compact Framework
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/AutoUpdater.asp?frame=true>

    Improving .NET Compact Framework HTTP Communications using HttpWebRequest and Custom ASP.NET Providers
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/httpcomm.asp?frame=true>

    Connecting a Smartphone 2003 Application to a Remoting Infrastructure
    <http://www.devx.com/dotnet/article/22460>

    .NET Compact Framework Mobile Web Server Architecture
    <http://msdn.microsoft.com/library/en-us/dnnetcomp/html/NETCFMA.asp?frame=true>

    Chapter 12: What's Next

    What's New in the .NET Compact Framework 2.0
    <http://msdn2.microsoft.com/library/ws1c3xeh.aspx>

    Other Resources (Links gathered from comments)

    Pragmatic Smartphone Application Hints and Tricks:
    http://homepages.inspire.net.nz/~gambit/Article/

    Programming Smartphone 2002/2003/SE with Embedded Visual Basic (eVB):
    http://www.omnisoft.com/articles/spevb/default.asp

    Smartphone "Tip-o-the-Day"
    http://spaces.msn.com/members/lesgainous/


    June 27

    Microsoft ASP.NET v1.1 Membership Management Component Prototype

    Microsoft ASP.NET v1.1 Membership Management Component Prototype is a collection of classes and sample scripts that allows a developer to more easily authenticate users, authorize users, and store per-user property data in a user profile.

    Warning:

    There are several things you should consider before using this component in your application:

    • There is no support provided by Microsoft for this component. No updates or new versions will be released.

    • The license for this component expires 90 days after the release of ASP.NET 2.0.

    • If you use this component in your ASP.NET 1.1 application, there will be significant work required to upgrade that application to use the ASP.NET 2.0 Membership and Roles feature.

    • If you are interested in leveraging Membership and Roles functionality in your application, we recommend that you build your application using ASP.NET 2.0 Beta 2 instead of using this component. There is a Go-Live license for ASP.NET 2.0 Beta 2 which allows you to deploy your applications in production environments. Migrating your application from the Beta 2 version of ASP.NET 2.0 to the final version of ASP.NET 2.0 will be much easier than migrating your application from the ASP.NET 1.1 Member Roles Prototype to the final version of ASP.NET 2.0.

    Microsoft ASP.NET v1.1 Member Management Component Prototype

    Download File

    April 10

    Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer (MBSA)

    Do you know the security status of your network? Get a visual. The Visio Connector for MBSA lets you view the results of a Microsoft Baseline Security Analyzer scan in a clear, comprehensive Microsoft Office Visio 2003 network diagram.

    When the Visio Connector for MBSA is installed, it monitors network shapes on the Visio drawing that contain one of the following Custom Properties:

    · Network Name
    · IP Address

    Once a network diagram has been created, the Visio Connector for MBSA can run an MBSA scan on the network and display color-coded results on a Visio diagram with the ability to provide detailed reports.

    Download:

    MBSA V1.2.1  Visio 2003

    Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer (MBSA):