The downside of this book is the material by Kevin T. Price. They delegated the ASP.NET/Web security to him. Much of his work is a cut and paste of the SDK docs. For his examples, he uses the grid layout of ASP.NET, which makes the declarative code completely unreadable. He leaves in all of the code generated by Visual Studio.NET, despite its irrelevance. He spends a great deal of time discussing IIS configuration, which you might argue is not relevant to the subject matter at hand (this should be a very specialized book, and it is everywhere else). He refers us to a code download on the Sam's website - unfortunately, Sam's is not the publisher of this book. He puts in some sample JSP code for no apparent reason, apparently to teach us about diversity in the web environment. When you buy a book on .NET Framework Security, it is probably because you are interested in .NET, and not because you are interested in the web development ecosystem. Finally, his grand finale chapter is on writing a secure web application. All he manages to achieve here is to create a forms auth login page. Even more troubling is the fact that this sample - in a book on *security* - has a glaring SQL Injection Vulnerability. The one thing he creates is completely and disturbingly wrong.

Web developers who buy this book to write more secure applications are likely to end up writing even worse applications by implementing his ideas.

Read this book if you want to learn about CAS. Do not stop at this book if you actually need to write secure web applications - in fact, don't even start here. You're better off sticking with the PAG materials.


A great starting point   April 18, 2003
 7 out of 7 found this review helpful

This book is an excellent starting point for understanding the .NET framework security mechanisms. Especially code access security.

Its only real failings are the lack of depth in a few obscure areas (details around simulating permissions that might be granted to an app deployed via the Internet and hosted in IE).

You could glean most of this information from the internet and spend a month doing it, like I did. Or spend $$$ and few hours reading this well written book.


Good Information   April 13, 2003
 5 out of 6 found this review helpful

When I was assigned the task of finding out what .NET security was all about in the web environment, I didn't know what I was getting into. The whole .NET security infrastructure is really a handful. This book helps the reader understand what its all about.

Another thing I like about the book is the fact that it has short chapters. This made it easier for me to read through it with above average speed.


Best security infrastructure book I've read   February 8, 2003
 15 out of 16 found this review helpful

This is the best book about the security infrastructure of Microsoft .NET Framework that I have ever read. This book has brought me the overall picture of the .NET security system: How does the system work and interact with the existing security system on Win NT platform? In addition, the book is clearly written, well- organized, and full of in-depth information.

Overall, I consider this is an excellent book which could satisfy the security needs for all .NET developers and administrators.

This book is divided into five sections:

1. Introduction to the .NET Developer Platform Security:

This section provides an introduction to the .NET Framework platform and all of the new security features available. Although this section describes only brief information, I still recommend that every one should read it first before jumping to the others. The first section "provides common background material for the topic-specific discussions in the remainder of the book."

2. Code Access Security Fundamentals:

This section provides an extensive introduction to Code Access Security, a powerful and surprising code-based security feature shipping in .NET Framework. Many new terminologies are explained: Evidence, Permissions, Stack Walk, Code Groups, Policy Levels, etc.

This section is really difficult. I felt overwhelmed with too many new concepts and skipped it. However, after reading some chapters of the next section, I realized that the code-based security concept is the keystone for the entire security system. I had to come back to section two and read it carefully. Learn from my lesson, you should try to understand it at the first time you read it.

3. ASP.NET and Web Services Security Fundamentals:

This section provides brief information about server-side security features of ASP.NET and Web Services.

4. .NET Framework Security Administration:

This section provides a comprehensive guide to administer .NET Framework security. It shows you when and how to make modifications. Some topics are presented as tutorials. It is very to easy to capture and follow the steps.

5. .NET Framework Security for Developers

The final section is devoted to developers. It provides all needed information to build secure assemblies, web sites, applications, and web services. It also provides an in-depth introduction to the cryptography library shipping in the .NET Framework and to XML digital signatures. For developers who don't have enough time to read the whole book, this is the section that you should spend your time on. -- Review by Trung N.


A dictionary of .Net security terms   December 18, 2002
 10 out of 15 found this review helpful

The book is organized like a dictionary of .Net security terms. It failed to convey the cohesiveness of the security modules. The code fragments are littered like pieces of puzzle that the authors are expected to thread together, but did not.

I didn't find the class API listing useful without implementation context to associate their usage to. Furthermore, the book lacked good editing. It's frustrating to read dangled sentence fragments interwined with code fragments.

The book does not worth its weight. Waste your hard earned money on this book if you believe in you have a telepathy connection to the authors.