Security & Silverlight

Yes, am mentioning about Security at Silverlight applications. Well, most of the developers think that Security is not the feature of the application. and they claim that it is the responsibility of the framework on which they are developing, be it as .net or java or any other. Thus, they don’t even worry about why security should be the core of any application and it should be given prime attention.

Microsoft has an initiative towards security with in any software development life cycle. This initiative is known as SDL, Security Development Lifecycle. Their definition of SDL is neatly designed as displayed.

And also they have released a security guidance document for writing and deploying Silverlight Application. The document can be downloaded from this link. The TOC is some thing like this

Threat Modeling and the Security Development Lifecycle

Background of Web Security

Same-Origin Policy

Cross-Site Scripting Attacks

Cross-Site Request Forgeries (CSRF)

A CSRF Mitigation: Nonces

Silverlight and Web Security

Changes from version 1.0 to version 2.0

How Silverlight Works

XAML

XAPs.

The Silverlight Sandbox

EnableHtmlAccess

ExternalCallersFromCrossDomain

Silverlight Networking

Cross-Domain Policy Files

How to Maximize Safety of Cross-Domain Access

Trusting Third-Party Domains

LANs and Security Zones

Internet Explorer and the XDomainRequest Object

Sockets

FAQ

How can I safely display a Silverlight ad on my Web site?

Is it safe to load arbitrary XAML in my Web page?

Is it safe to load arbitrary XAML from managed code?

Is it safe to display arbitrary media in XAML?

Is it safe to allow users to upload arbitrary XAPs to my Web site?

How can I tell if a file is a Silverlight application?

Is it safe to render XAML or run XAPs on my server?

How can I make sure my XAP is loaded only from a specific domain?

Is it safe to hide secrets in my XAP?

Does the PasswordBox control protect the password in memory?

Where can I find documentation for these features and APIs?

Comments

Post a Comment

Popular posts from this blog

Network Intrusion Detection using Supervised ML technique

Declaimer This is my initial version of the synopsis for PhD studies. There are plenty of things that i have to complete before i prepare the final version. Thus, this would be the alpha version. Due to the length of the blog post, will not be posting the entire draft. 1.Title of the thesis Network Intrusion Detection using Supervised Machine Learning Technique with Feature Selection 2.Introduction Intrusion Detection System, IDS, is a development which improve the network security and defending the information of the association. The IDS encourage the network chairman to recognize any malicious action on the network and alarms the executive to get the information made sure about by taking the appropriate activities against those attacks. An intrusion alludes to any unauthorized access or malicious usage of data assets. An intruder or an attacker is a true element that attempts to discover a way to increase unauthorized access to data, causes hurt or take part in different...
Read more

ASP.NET Page Life Cycle

Image
Most of the ASP.NET developers ignore the page life cycle. They dig only when it is a trouble shooting situation or fixing a bug or as part of a rescue mission. For all those developers, there is an article that explains in detail about ASP.NET v4 page life cycle. Click here to read more in detail. But a picture is worth more than 1000 words. So is this. Isn’t it??
Read more

Is Architecture = Design of the application

Image
Today morning, I’ve attended an interview with one of the prestigious companies of the world. It doesn’t matter what company is that, but all that matters is the significant means of the questions and the replies by me. I can’t post the entire dialogue questions here, but what I can point here is the gist of the interview. The position is for an architect, who would be working extensively for various stages of the project and should also play the managerial role. Isn’t it asking too much for a given role? Well, in Indian companies, there is no real means of Architect. He is just like any other Manager, but doing the technology stuff as well. Anyhow, that’s a different thread of discussion all together, but for the current purpose, let me concentrate on an idle situation, where an Architect is an Architect and manager is manager. The interviewer concentrating on the design guidelines and seeking answers for standard questions. Sometime back I’ve written about the common mistakes that ...
Read more