Book Review: .NET Security [aPress]
Bock, Stromquist, Fischer and Smith

By Peter A. Bromberg, Ph.D.

Unless you've been living in a cave for the past two years, there should be little doubt in your mind that security ranks high on the priority list in the .NET problem space (not to mention most other platforms as well). The vulnerability of our society to terrorism, including cyberterrorism, simply underscores the importance of this subject. Knowledge of security is what really distinguishes the "Real" pro programmers from the "Kinda" pro programmers, in my opinion. As I write this review, the news has come out that over 17,000 boxes running Apache have been infected with the Slapper virus that turns them into DoS "drones", and the potential number of machines that could be infected is as high as 1 million. (I wonder what those Gartner Gurus are going to say about this one -- you know, the guys that recommended -- in no uncertain terms -- that everybody running IIS trash it and switch to webservers like Apache because they "have much better security records than IIS"...)

Yet, many professional developers still think "Security" is something "Somebody Else" is supposed to take care of for them. As professional .NET developers, it's up to us to pay the price of toil and study on security because it is we who will be tasked with the architecture of secure applications -- whether they be ASP.NET, Winforms, Webservices or Remoting based (or some combination).

Authors Bock, Stromquist, Fischer and Smith begin their book with a thorough grounding in the very basics of cryptography: ciphers, hashes, keys, algorithms and certificates, for starters. I'll bet you can't find any other .NET book (and, for that matter, few technical books in general) that provides this type of information. What better place to start a tutorial on security than with the mathematical basis for it?

The authors quickly move on to chapters offering a full treatise on the .NET cryptography classes, from encrypting and decrypting data, through symmetric and asymmetric encryption, to the digital signature and key-exchange classes. Along the way, you'll learn about X.509 certificates, serialized objects, and Signed and Sealed Object representations.

Chapter 3 deals with XML Encryption and XML Signatures, and while it is unfortunate that the authors do not deal with the WS-Security spec (probably because it simply wasn't that far along when this book was released), their implementations and examples are frighteningly close to how the actual Recommendation turned out.

The book goes on to deal with Code Groups, code access security in .NET, Permissions, and much more. Throughout the book there are numerous working code examples and notes to help the developer who needs to grapple successfully with these various security issues. There is some treatment of IIS Security as well as ASP.NET security including one of the best implementations of how to call the LogonUser API that I have seen.

There is also treatment of the Principal and Identity classes, a chapter on Passport security, some pretty good information on security in the Remoting Framework, and a little bit about code obfuscation. I would have liked to see more information on security in WebServices such as SOAPExtensions, SOAP Headers, and WS-Security examples, especially since the first iteration of the MS WSDK is now out, but as I mentioned previously, I think this book hit the press while the set of WS-Security specs were still "buns in the oven".

All in all, I have to say this is a remarkably concise book and presents a lot of valuable material. Having read and reviewed one of Jason Bock's books, it looks to me like most of this one was really written by Bock. However, since I know little of the other three authors, I'll withhold prejudgement on their contributions. You should note that there are a number of errors in the printed code samples in this book. None are really serious, but for example, if you try to create a new GenericIdentity with "Kerebos" [sic] as the second parameter in the constructor, your compiler is not likely to be very happy. Of course, last time I looked, "Kerberos" wasn't in my spell-checker...
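To show what that GenericIdentity constructor actually expects, here is a short C# example that I have added to this review; it is not code from the book. The second argument is the authentication type, a label the application supplies (GenericIdentity does no authentication of its own), and the roles are then attached through GenericPrincipal and checked both imperatively and through the current thread. The user name "alice" and the role names are made-up sample values.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the book): a GenericIdentity whose second argument
// is the authentication type, wrapped in a GenericPrincipal carrying roles.
class PrincipalDemo
{
    static void Main()
    {
        // "Kerberos" is only a label here; the caller must already have
        // authenticated the user by whatever means that label describes.
        var identity = new GenericIdentity("alice", "Kerberos");

        // Roles are constructed sample data for this example.
        var principal = new GenericPrincipal(identity, new[] { "Users", "Auditors" });

        // Make this principal the thread's current one so that code further
        // down the call stack (including declarative PrincipalPermission
        // attributes) sees the same identity and roles.
        Thread.CurrentPrincipal = principal;

        // GenericIdentity reports IsAuthenticated == true whenever Name is non-empty.
        Console.WriteLine("IsAuthenticated:    " + identity.IsAuthenticated);
        Console.WriteLine("AuthenticationType: " + identity.AuthenticationType);
        Console.WriteLine("In Auditors:        " + principal.IsInRole("Auditors"));
        Console.WriteLine("In Admins:          " + principal.IsInRole("Admins"));

        // Imperative check: Demand throws SecurityException when the current
        // principal is not in the required role (null name = any user).
        try
        {
            new PrincipalPermission(null, "Admins").Demand();
            Console.WriteLine("Admins check passed");
        }
        catch (SecurityException)
        {
            Console.WriteLine("Admins check failed: current principal lacks the Admins role");
        }
    }
}
```

The point worth remembering is that nothing in these two classes verifies anything: GenericIdentity and GenericPrincipal simply record what your own authentication code tells them, so the trustworthiness of every later IsInRole or Demand check rests entirely on how the identity was established before it was assigned to Thread.CurrentPrincipal.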

My take on all this? Excellent book. Hopefully just one of the first of a series of quality books on this critically important subject.


Peter Bromberg is a C# MVP, MCP, and .NET consultant who has worked in the banking and financial industry for 20 years. He has architected and developed web-based corporate distributed application solutions since 1995, and focuses exclusively on the .NET Platform. Pete's samples at GotDotNet.com have been downloaded over 41,000 times. You can read Peter's UnBlog Here.