on November 12, 2003
Well, well, well, the Micro$oft Press is publishing a book on secure coding best practices. Sort of seems ironic, doesn't it? After all, this is the same company that sells an operating system that has new holes popping up every day. Micro$oft should start a new online forum called the "hole of the week club." THIS IS NOT A COMPANY THAT PRACTICES WHAT IT PREACHES.
Bill Gates initially tried to downplay security holes as exceptions to the rule. Make no mistake about it, these are not exceptions to the rule; these holes pop up every day in dozens of places. Security problems are business as usual at Micro$oft. They don't really care, as long as the public keeps buying new releases.
A while back, Micro$oft made a big deal out of cramming all of their developers into an auditorium for several hours of scolding. I know; I was there in the back row trying to hear what the suits were saying at the lectern. The sound system was a disaster.
Security is not something that can happen overnight. In fact, with a 50+ million-line code base, it would take years of source code auditing and proactive inspection to tighten up Windows. Micro$oft would literally have to freeze development for the next decade. We all know that this will never happen. Bill Gates, and his handy lightning rod Steve Ballmer, are too busy packing in new features. This only serves to increase the already prolific stream of security flaws.
In light of Micro$oft's Achilles heel, this book is not what it seems. The truth is, Micro$oft is run by a bunch of HYPOCRITES! They somehow hope that by publishing a book on secure coding they will give the public the impression that Robert Short and Dave Cutler are "serious" about security. It's all a bunch of fluff and marketing hype. Take it from an insider. The system is so big that we've lost R&D engineers who took a wrong turn while wandering around the kernel.
When will this madness end? Probably when large corporations and federal agencies threaten to sue Micro$oft. Eventually, it will get to the point where Windows will put our national security at risk (if it doesn't already) and the legislators will start making noise about liability laws. Windows is big business, and the people running the show won't make changes until they become financially salient.
I hope you're listening, Mr. Gates. It's time to change your priorities and business process. Before it's too late...
on December 13, 2003
However, this is overall a good book on the subject.
While MS may not seem like the best source for security information, this really is a good book. Unlike the person ranting in another review, I personally don't care whether Bill Gates and MS are good or evil, or whether the security initiative at MS is a hoax or an honest effort. I care if this book can help me create a better, more secure ASP.NET application. And in that it is a success.
4 stars rather than 5 because the book is a little dry, and not exactly a page turner. However, there are things in here (like the section on hashing passwords) that will really make a difference in the security of your application.
on January 7, 2004
I agree with most of the reviews on this page. Regardless of Microsoft's current/past practices (which have absolutely nothing to do with the credibility of THIS book), it gives a good background on security in many situations. The part I found most helpful was the 'How To's' sections. There are good real-world examples that are straight to the point and easy to comprehend. I code in C# w/ SQL Server and all examples in this book use that combination; PERFECT FIT!
I would have bought this book just for the 'How To's' on hashing passwords and implementing roles with IPrincipal.
on December 1, 2003
The Patterns and Practices Series represents the bridge between known best practices and applications. Busy application developers are frequently tasked with building complex and secure systems, and at the same time are required to operate with limited resources and time. This series, and ASP.NET Security specifically, gives good prescriptive guidance for a large number of common application scenarios. The how-to sections are exceedingly valuable. Check out other books in this series and you will find lots of good guidance to jump-start development on the MS platform.