Secure Coding Guidelines

Evidence-based security policy and code access security provide very powerful, explicit mechanisms to implement security. Most application code can simply use the infrastructure implemented by the .NET Framework. In some cases, additional application-specific security is required, built either by extending the security system or by using new ad hoc methods.

Using the .NET Framework-enforced permissions, and other enforcement in your code, you should erect barriers to prevent malicious code from obtaining information that you do not want it to have or performing other undesirable actions. Additionally, you must strike a balance between security and usability in all the expected scenarios using trusted code.

In This Section

• Secure Coding Overview
  Provides an overview of basic secure coding techniques.

• Permission Requests
  Describes how to interact with the .NET Framework security system using security requests.

• Securing State Data
  Describes how to protect private members.

• Securing Method Access
  Describes how to help protect methods from being called by partially trusted code.

• Securing Wrapper Code
  Describes security concerns for code that wraps other code.

• Security and Public Read-only Array Fields
  Describes security concerns for code that uses public read-only arrays found in .NET libraries.

• Securing Exception Handling
  Describes security concerns for handling exceptions.

• Security and User Input
  Describes security concerns for applications that accept user input.

• Security and Remoting Considerations
  Describes security concerns for applications that communicate across application domains.

• Security and Serialization
  Describes security concerns when serializing objects.

• Security and Race Conditions
  Describes how to avoid race conditions in your code.

• Security and On-the-Fly Code Generation
  Describes security concerns for applications that generate dynamic code.

• Dangerous Permissions and Policy Administration
  Describes permissions that can potentially allow security to be circumvented.

• Security and Setup Issues
  Describes considerations for testing and setup of your application.

• How to: Run Partially Trusted Code in a Sandbox
  Explains how to run a partially trusted application in a restricted security environment, which limits the code access permissions granted to it.

Related Sections

• Securing ASP.NET Web Applications
  Describes ASP.NET security in detail and provides instructions for using it in your code.

• Code Access Security
  Describes .NET Framework code access security in detail and provides instructions for using it in your code.

• Role-Based Security
  Describes .NET Framework role-based security in detail and provides instructions for using it in your code.

• Security Policy Management
  Describes the .NET Framework security policy model.