The .NET Developer's Guide to Windows Security
Keith Brown is the current go-to guy for .NET security programming issues, and his book The .NET Developer's Guide to Windows Security provides ample evidence of why he has that reputation. I've already added this book to my list of required reading for any serious .NET developer.
But first, a word of warning: don't do as I did and see ".NET" and "Security" in the title and mentally prepare for a book about code access security, the System.Security namespace, and CLR security issues. Although all of that is lightly covered, this is not a book about .NET security programming. It is, however, a book about Windows security and how to understand and cope with Win32 security issues from a .NET perspective. This focus makes it a unique offering and a valuable resource indeed.
Another thing that makes the book unique is its structure. It consists of 75 of what the author calls "items": short essays (typically two to four pages) that each cover a single concept, organized into six parts. Reading the book from front to back as I did works, but you can also jump around to the topics that interest you most. There is plenty of cross-referencing to related items, so it's easy to follow a thread of interest.
Best of all, the author writes clearly and has a knack for explaining complex concepts well. That certainly doesn't mean that the book is always an easy read, particularly if the reader doesn't have a minimum level of understanding of how Win32 and its security objects work. That keeps me from recommending this book as a first introduction to the topic, but if you're willing to read items through a couple of times and then go off and do your own research, you'll get full benefit from the book.
Part I, The Big Picture, showcases the author's strengths and is probably the best section in the book. Here you'll find items that cover threat modeling, security principles (such as defense in depth), and my personal favorite topic, running and developing code as a least-privilege user.
Then the author takes off the kid gloves and dives into Windows security with a vengeance. Part II, Security Context, delves into SIDs, tokens, and other Windows security objects and concepts. If you're like me, your reading pace will slow here as you assimilate some difficult and obscure security topics. The remaining parts of the book continue in like fashion, covering access control, COM(+) and EnterpriseServices, network security, and miscellaneous topics.
This is a conceptual book to help the reader understand the big picture of narrow concepts; it is not code-intense. What code is there is mostly C# and C++; all of the samples are short and simple enough that they should be understandable by programmers in any language.
In a slightly bizarre twist on Steal This Book!, the entire book is available online at http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage. The author posted each item as he finished it over the last year or so, thus whetting readers' appetites. You can sample what you want and then buy a copy online, or read it all online. Please buy a copy, both to support his family and his publisher, as the author says, and because this is a great book to read short sections of when you have a few minutes offline (yes, for that reason it is a great bathroom book!).
Even if you're a developer who thinks you don't care about security, I highly recommend you get this book, because Windows security will assuredly bite you in the butt sometime, and this book will help you through the crisis.
Title: The .NET Developer's Guide to Windows Security
Author: Keith Brown
Publisher: Addison-Wesley Professional
Web Site: http://www.awprofessional.com
Page Count: 408 pages