
The user's rights are checked and the rights of the code are checked

CHAPTER 18

DESIGNING SECURE APPLICATIONS

NOTE

It is important to consider the full range of threats to your Web site. For example, one new

One of the biggest security problems you’ll face is the balanced coding requirement. Everyone wants a secure application, but they aren’t willing to pay the price to get it. Secure code necessarily uses more resources and runs more slowly (all other things being equal) than nonsecure code. Secure code also introduces reliability problems (the code would rather fail than provide access to an intruder) and is less flexible (it’s less tolerant of hostile environments). It doesn’t matter whether the code fails gracefully when a security problem occurs—all the user sees is that the code has failed. When enough users complain that the secure code you wrote doesn’t allow them to be completely lazy, management will likely request that you relax the rules. Management will also ask you to rewrite the code when it works too slowly on antiquated equipment or requires too many resources. At some point, all of the competing requirements balance and you have an application that everyone can live with. The result is likely less secure than it should be.

The .NET Framework helps you create code that’s amazingly secure, but generally, that code won’t meet the balance that you need. The question becomes one of how secure you actually need the code to be. For example, you could put your collection of interesting pens from the office in Fort Knox and be assured that the collection is perfectly safe. However, does a pen collection really need that much security? You must answer the level of security question. It’s important to make this decision as part of the design process before you begin writing code. Security only works well when you design the application to use it, rather than bolt it on later.

UNDERSTANDING THE COMMON SECURITY ISSUES

TIP One of the reasons that users write down passwords is that network administrators insist on using interesting passwords such as jk$LL12Z# to make life harder for crackers. Unfortunately,

Pink Floyd at 8:00.” This phrase is 39 characters long, includes both uppercase and lowercase letters, and has numbers and special characters, including spaces, which most cracking tools don’t consider today. You can read more about this technique at http://www.pcmag.com/article2/0,1759,1736152,00.asp.

Employees on the road or recently let go from the company can cause a great deal of harm to your applications. The problem is twofold:

◆ Using the old Windows security system, an application might execute at the same privilege level whether the employee accesses it from a desktop or from a remote location. The .NET Framework considers this issue by adjusting the rights of an application based on the zone in which it executes.


Uploaded by : Karen Rodriguez
