As application security gets more and more attention, more books are being published on it. I just sorted through the books I have on .NET security programming, found that several of them are quite good, and thought I would recommend them while I was at it.
O'Reilly books are always of reliable quality, and Programming .NET Security is no exception: it is rated 4.5 stars on Amazon. Although it does not seem to sell as well as the others, judging by the average quality of the dozen or so O'Reilly books I have bought, it is certainly worth reading.
Content-wise, its 700-plus pages are divided into five parts: fundamentals, security, cryptography, frameworks and a reference. The coverage is very complete and the structure is sensible, giving a good view of the whole picture, which makes it well suited for developers to read and consult.
The following is quoted:
Programming .NET Security
By Adam Freeman, Allen Jones
Publisher : O'Reilly
Pub Date : June 2003
ISBN : 0-596-00442-7
Pages : 714
With the spread of web-enabled desktop clients and web-server based applications, developers can no longer afford to treat security as an afterthought. It's one topic, in fact, that .NET forces you to address, since Microsoft has placed security-related features at the core of the .NET Framework. Yet, because a developer's carelessness or lack of experience can still allow a program to be used in an unintended way, Programming .NET Security shows you how the various tools will help you write secure applications.
Part I: Fundamentals
Discusses the need for security and the approaches to adopt when developing secure software. These chapters also discuss assemblies and application domains—two fundamental building blocks of .NET applications that play a crucial role in the creation of secure software:
Chapter 1. Security Fundamentals
Chapter 2. Assemblies
Chapter 3. Application Domains
Chapter 4. The Lifetime of a Secure Application
Part II: .NET Security
Contains information about the security-related features provided by the .NET runtime. These chapters describe how the runtime enforces application security and how you can manipulate, customize, and extend runtime security to meet your own security requirements:
Chapter 5. Introduction to Runtime Security
Chapter 6. Evidence and Code Identity
Chapter 7. Permissions
Chapter 8. Security Policy
Chapter 9. Administering Code-Access Security
Chapter 10. Role-Based Security
Chapter 11. Isolated Storage
Part III: .NET Cryptography
Provides a description of modern cryptographic techniques and details the implementation of these techniques provided by the .NET Framework class library. These chapters demonstrate the use of each implementation and show you how to extend the functionality of the .NET class library by implementing your own cryptographic algorithms:
Chapter 12. Introduction to Cryptography
Chapter 13. Hashing Algorithms
Chapter 14. Symmetric Encryption
Chapter 15. Asymmetric Encryption
Chapter 16. Digital Signatures
Chapter 17. Cryptographic Keys
Part IV: .NET Application Frameworks
Discusses other aspects of .NET Framework security not specifically related to runtime security or cryptography. These include ASP.NET application security, integration with the security-related features of Enterprise Services (COM+), and the use of the Windows Event Log for recording security events:
Chapter 18. ASP.NET Application Security
Chapter 19. COM+ Security
Chapter 20. The Event Log Service
Part V: API Quick Reference
Provides a quick reference to all types defined in the security-related namespaces of the .NET Framework base class library:
Chapter 21. How to Use This Quick Reference
Chapter 22. Converting from C# to VB Syntax
Chapter 23. The System.Security Namespace
Chapter 24. The System.Security.Cryptography Namespace
Chapter 25. The System.Security.Cryptography.X509Certificates Namespace
Chapter 26. The System.Security.Cryptography.Xml Namespace
Chapter 27. The System.Security.Permissions Namespace
Chapter 28. The System.Security.Policy Namespace
Chapter 29. The System.Security.Principal Namespace
.NET Framework Security, published by Addison Wesley, is not aimed solely at developers, so it covers everything from principles to configuration to programming, and it has some distinctive chapters that the other books lack, for example a discussion of the security issues involved in hosting managed code. It is rated 4 stars on Amazon and has the highest sales of the lot.
The following is quoted:
.NET Framework Security
By Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price
Publisher : Addison Wesley
Pub Date : April 24, 2002
ISBN : 0-672-32184-X
Pages : 816
Slots : 2
.NET Framework Security provides the ultimate high-end comprehensive reference to all of the new security features available in .NET. Through extensive code samples and step-by-step walkthroughs of configuration techniques, the reader is taken deep into the world of secure applications. Demonstrations of creating custom procedures and a full explanation of each aspect separate this book from many other "lecture books." Many of the concepts expressed in this book are not only viable in .NET, but on the Internet in general. These factors combined make this the one reference that every developer and system administrator should have.
Part I. Introduction to the .NET Developer Platform Security
Chapter 1. Common Security Problems on the Internet
Chapter 2. Introduction to the Microsoft .NET Developer Platform
Chapter 3. .NET Developer Platform Security Solutions
Part II: Code Access Security Fundamentals
4 User- and Code-Identity-Based Security: Two Complementary Security Paradigms
5 Evidence: Knowing Where Code Comes From
6 Permissions: The Workhorse of Code Access Security
7 Walking the Stack
8 Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy
9 Understanding the Concepts of Strong Naming Assemblies
10 Hosting Managed Code
11 Verification and Validation: The Backbone of .NET Framework Security
12 Security Through the Lifetime of a Managed Process: Fitting It All Together
Part III: ASP.NET and Web Services Security Fundamentals
13 Introduction to ASP.NET Security
14 Authentication: Know Who Is Accessing Your Site
15 Authorization: Control Who Is Accessing Your Site
16 Data Transport Integrity: Keeping Data Uncorrupted
Part IV: .NET Framework Security Administration
17 Introduction: .NET Framework Security and Operating System Security
18 Administering Security Policy Using the .NET Framework Configuration Tool
19 Administering .NET Framework Security Policy Using Scripts and Security APIs
20 Administering an IIS Machine Using ASP.NET
21 Administering Clients for .NET Framework Mobile Code
22 Administering Isolated Storage and Cryptography Settings in the .NET Framework
Part V: .NET Framework Security for Developers
23 Creating Secure Code: What All .NET Framework Developers Need to Know
24 Architecting a Secure Assembly
25 Implementing a Secure Assembly
26 Testing a Secured Assembly
27 Writing a Secure Web Site Using ASP.NET
28 Writing a Secure Web Application in the .NET Development Platform
29 Writing a Semi-Trusted Application
30 Using Cryptography with the .NET Framework: The Basics
31 Using Cryptography with the .NET Framework: Advanced Topics
32 Using Cryptography with the .NET Framework: Creating and Verifying XML Digital Signatures
Sybex's .NET Development Security Solutions is comparatively milder, with nothing that really stands out, but it is still solid and by the book. Its advantage is that there is a Chinese translation, 《.NET开发安全解决方案应用编程》, published by Publishing House of Electronics Industry, heh.
The following is quoted:
.NET Development Security Solutions
by John Paul Mueller
ISBN: 0782142664
Sybex © 2003 (471 pages)
This guide leads you through the differences in Studio in the .NET framework that didn't appear in older versions of Visual Studio, helps you understand the new rules for .NET security, and helps you fix problems created by holes in the .NET security.
Part I - Introduction to .NET Security
Chapter 1 - Understanding .NET Security
Chapter 2 - .NET Framework Security Overview
Chapter 3 - Avoiding Common Errors and Traps
Part II - Desktop and LAN Security
Chapter 4 - .NET Role-Based Security Techniques
Chapter 5 - Policies and Code Groups in Detail
Chapter 6 - Validation and Verification Issues
Chapter 7 - .NET Cryptographic Techniques
Chapter 8 - LAN Security Requirements
Part III - Web-based Security
Chapter 9 - Web Server Security
Chapter 10 - Web Data Security
Chapter 11 - Securing XML and Web Services
Part IV - Other Security Topics
Chapter 12 - Active Directory Security
Chapter 13 - Wireless Device Security
Chapter 14 - Win32 API Overview
Chapter 15 - Win32 API Advanced Techniques
.NET Security and Cryptography, published by Prentice Hall PTR, leans toward the principles and use of cryptography on the .NET platform; security is mentioned too, but it is clearly not the book's focus.
The following is quoted:
.NET Security and Cryptography
By Peter Thorsteinson, G. Gnana Arun Ganesh
Publisher : Prentice Hall PTR
Pub Date : August 18, 2003
ISBN : 0-131-00851-X
Pages : 496
Chapter One. .NET Cryptography and Security
Chapter Two. Fundamentals of Cryptography
Chapter Three. Symmetric Cryptography
Chapter Four. Asymmetric Cryptography
Chapter Five. Digital Signatures
Chapter Six. XML Cryptography
Chapter Seven. .NET User-Based Security
Chapter Eight. .NET Code Access Security
Chapter Nine. ASP.NET Security
Chapter Ten. Web Services Security
There is also .NET Security Programming, imported by Tsinghua University Press. Since I do not have an electronic copy, I can only get a rough idea from its table of contents and the Amazon reviews; the content feels somewhat scattered, and none of the chapter titles strongly attracts me, heh.
The following is quoted:
Original title: .NET Security Programming
Original publisher: John Wiley & Sons, Inc.
Author: Donis Marshall (US)
Translators: 余波 张立浩
Book number: 7-302-07252-3
Pages: 238
List price: ¥35.00
Format: 16mo (16开)
Series:
Publisher: Tsinghua University Press (清华大学出版社)
Publication date: 2003-10-1
As for ASP.NET security, all of the books above touch on it, but not in enough detail; you are better off buying a book devoted to ASP.NET security, so I will not list those one by one here.
For a short time, the books above can be downloaded from the following addresses:
Programming .NET Security
.NET Framework Security
.NET Development Security Solutions
.NET Security and Cryptography