ASP.NET VERSIONS: ALL
The Best Security Books for Windows and .NET Development
By Don Kiely
Despite the advances that Microsoft has made over the last few years making Windows more secure, developing secure apps is still really, really hard. Even though the development tools now have built-in features that supposedly make it easier to write secure apps by default, there are still plenty of ways to make bad design and implementation decisions that unnecessarily expose servers and users to risks. Developers these days can use all the help they can get.
I recently asked my fellow Visual Developer - Security MVPs to suggest the very best Windows and .NET security books. That led to a rather interesting discussion, and I got plenty of good suggestions of the good, the bad, and the ugly. I took those suggestions and combined them with my own. The result is the following list. I've listed them from most general to most targeted, which suggests a good order for reading them to learn about computer security before drilling down into specific development technologies.
Depending on your particular areas of interest, reading these books and having them available for reference will go a long way toward helping you write secure Windows, .NET, and ASP.NET applications.
Let me know at mailto:[email protected] if I've missed any good ones!
General Security Topics
Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, and George Kurtz
Osborne, ISBN 0072260815 (http://www.amazon.com/exec/obidos/ASIN/0072260815/general0c-20)
If you don't have a good handle on how attackers devise their clever ways to probe and hack into an operating system, Hacking Exposed is a great way to start learning how a computer hacker thinks. You'll want to read this book at a computer where you can try things as you read in order to get the most out of the book. After a few chapters that discuss strategies for probing a system to identify it and find its weaknesses, the book explores some of the specifics of hacking into various operating systems, networks, and software.
Windows Security and Development
Writing Secure Code, 2nd Edition by Michael Howard and David LeBlanc
Microsoft Press, ISBN 0735617228 (http://www.amazon.com/exec/obidos/ASIN/0735617228/general0c-20)
It should be illegal to write Windows code for any kind of application without first having read, studied, and digested this book. The book was written by the two people most responsible for security initiatives throughout the company. Writing Secure Code is well-written with a good balance of theory and practical applications.
The .NET Developer's Guide to Windows Security by Keith Brown
Addison-Wesley, ISBN 0321228359 (http://www.amazon.com/exec/obidos/ASIN/0321228359/general0c-20)
Despite the .NET in the title, this is really more a book about Windows security than the security features built into .NET. Written prior to the release of .NET 2.0, it covers a good range of Windows security topics as short, easily digestible essays. The author has a gift of explaining complex topics and has filled the book with useful how-tos and various ways of coping with Windows security from .NET applications.
Programming Windows Security by Keith Brown
Addison-Wesley, ISBN 0201604426 (http://www.amazon.com/exec/obidos/ASIN/0201604426/general0c-20)
Although this book was written for Windows 2000, and is getting a bit dated, it is still the best book for learning about the fundamentals of modern Windows security programming. It isn't for the faint of heart, however, both because it is intensely dense at times and because most of the samples are written in C or C++. But even if you don't want to slog through the whole thing, it can function as a fine reference for when you bump up against a seemingly impossible security issue in Windows. This book goes into more depth than the author's The .NET Developer's Guide to Windows Security, so if you only want to read one I'd suggest the Developer's Guide.
MCAD/MCSD Self-Paced Training Kit: Implementing Security for Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET by Anthony Northrup
Microsoft Press, ISBN 0735621217 (http://www.amazon.com/exec/obidos/ASIN/0735621217/general0c-20)
I usually think of books written to help pass certification exams as poor references for really learning the material, but this one is a nice reference for .NET security stuff. And it wouldn't hurt to think about taking the exam!
Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow
Wrox, ISBN 0764596985 (http://www.amazon.com/exec/obidos/ASIN/0764596985/general0c-20)
This is one book that I'd be scared to develop real-world ASP.NET apps without. Written by a member of the ASP.NET team at Microsoft, it covers just about everything you need to know about ASP.NET security, and not just the cool foundational features listed in the title. It covers a lot of interesting and useful ground in its 600 pages.
Programming .NET Security by Adam Freeman and Allen Jones
O'Reilly, ISBN 0596004427 (http://www.amazon.com/exec/obidos/ASIN/0596004427/general0c-20)
This is one of the best overviews of .NET security. The only downside is that it was written for version 1.x of the framework and hasn't, to my knowledge, been updated for .NET 2.0. Nevertheless, it is a great resource for .NET security.
.NET Framework Security by Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, and Kevin T. Price
Addison Wesley, ISBN 067232184X (http://www.amazon.com/exec/obidos/ASIN/067232184X/general0c-20)
This book is a bit inconsistent, but it has some of the best material around covering code access security. CAS is one of the tougher features of .NET for developers to get, so even though the rest of the book is inconsistent, the CAS stuff makes it worthwhile.
Hacking the Code: ASP.NET Web Application Security by Mark Burnett
Syngress, ISBN 1932266658 (http://www.amazon.com/exec/obidos/ASIN/1932266658/general0c-20)
I haven't read this one yet, but it comes highly recommended by some of the MVPs. It's on its way from http://www.Bookpool.com, so I'll write more when I receive it.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.