First Looks

Test Code-Access Security

CAS/Tester from Desaware runs your application through an automated test suite that assesses and reports on your app's code-access security.

Test Code-Access Security

Posted March 15, 2004

Programming security is one of the harder development tasks. .NET creates fairly secure code by default, but code-access security (CAS) can be difficult to implement correctly and to verify. Desaware's CAS/Tester, an automated test suite that explores the security fragilities of .NET code, can help you meet this challenge. Think of it as unit testing for CAS.

Like other Desaware products, CAS/Tester is well designed. It loads the assembly you specify through a gamut of tests. More than 80 tests come with the product, and you can add more. Most tests remove one or more .NET permissions from your code and check whether the code raises any exceptions in response. For example, a test checks to see if code that uses the disk file system will fail without the read/write permission. If your code properly demands this permission and fails gracefully without it, it passes the test. If it raises an exception, you've found a CAS issue.

CAS/Tester includes command-line, VS.NET add-in, and standalone-launcher interfaces. The command-line version is useful for including CAS tests in your build suite, and the XML output reports allow automated analysis. The VS.NET add-in runs the standalone launcher but opens windows in the IDE to present reports. Unfortunately, it doesn't list assemblies from the current project automatically for easy selection.

To run CAS/Tester, you specify an assembly or executable to test and either a specific object to test or a test script to run. If you select an object, you can test all methods or a single function. Testing one function is useful if you build test functions into the object; this lets you test far more deeply than CAS/Tester can as an external application. You can also specify whether to run all the default tests or only a selected test, include optional command-line parameters, and set the timeouts for application startup and test duration.

You can go beyond generic testing and write reusable test scripts (in any .NET language) to build your own test harness, which you can incorporate into other test suites. You must understand how CAS works in order to write scripts, then implement a simple interface for CAS/Tester to hook into.

CAS/Tester outputs the test results as XML, providing an Extensible Stylesheet Language Transformations (XSLT) template that displays the XML file as a nicely formatted HTML Web page. The report includes the test's details and options, sections for any test-script errors and test-setup errors, a summary of test results, and detailed results of each test (see Figure 1). The results include a stack trace, so you can locate problems in your code easily.

.NET gives you all the tools to write rock-solid code, but at the cost of complexity. CAS/Tester lets you test your application thoroughly so that you know it can run in a variety of security contexts.

Phone: 408-377-4770
Price: $399
Quick Facts: Automated code-access security (CAS) testing tool.
Pros: Simple, effective interface; flexible options for any internal and external tests; reports that help pinpoint problems.
Cons: Effective use requires an understanding of CAS.

About the Author
Don Kiely is a senior technology consultant. When he isn't writing software, he's writing about it, speaking about it at conferences, and training developers in it. Reach him at [email protected].

Control Your Installs

Posted March 15, 2004

InstallShield Express gives you the tools to create professional, flexible installation packages. The polished installations you can create with this product give your applications' users numerous safe configuration options (see Figure 1).

InstallShield Express' capabilities are abundant. It especially shines in helping you secure your applications. Express allows you to set up serial-number verification, and it has built-in support for digital certificates. It lets you create update installations as patches rather than full reinstalls. Patches are usually smaller installations that are ideal for Internet distribution. They help ensure that users have performed an original install prior to applying the update.

Express allows you to define Registry keys and file locations, set up ODBC entries, select INI file changes, designate virtual directories, and define environment variables. It also lets you register file extensions for your application. If your application saves data in files with a particular extension, it'll start automatically when the user double-clicks on any file with that extension. Express does a solid job of working with dependencies by automatically selecting the dependencies it can discover and allowing you to add others as needed. All these features give you full control of your product's configuration requirements.

One of Express' strongest capabilities is its support for conditional features. Conditional features allow you to break a complex installation into multiple parts. You can use conditional features to build a single package that supports a partial installation of your product. For example, suppose your users want to install your app's reporting modules on some desktops and the data-entry modules on others. You can create a single installation that provides this flexibility.

InstallShield Express also lets you define advertising billboards that display during installation, and it provides a set of standard dialogs for different installation activities. It has support for installations in different languages. All these features come with a GUI that provides a wizard for step-by-step installation development, and a treeview of your installation for less-structured access. InstallShield can also integrate directly into VS.NET.

You'll find InstallShield's support staff to be responsive and knowledgeable. Some installations' requirements go beyond InstallShield Express' capabilities. You might need to look at InstallShield DevStudio or another installation product if you want to define custom dialogs and have greater control of your installation's flow. However, Express should meet most of your installation requirements.

InstallShield Express 5
InstallShield Software
Phone: 800-809-5659
Price: $349
Quick Facts: Quick yet flexible tool for building application installs.
Pros: Integrates with .NET and the Windows Installer; handles multifeature installs; has a nice UI.
Cons: Doesn't handle custom dialogs.

About the Author
Andy Clark is a consultant with iGate Inc. in the Richmond, Va., area. He holds PMP, MCSD, and SJCP certifications. Reach him at [email protected].

Secure File Uploads

Posted March 15, 2004

SoftArtisans' FileUp Enterprise Edition (FileUpEE) provides industrial-strength, secure file uploads and downloads between a Web browser and Internet Information Services (IIS). Version 5 offers a streamed, three-tier capability: When a client uploads a file to the Web server, FileUpEE streams the file immediately to your unexposed, secure storage server; the complete file never exists on disk or in memory on the Web site (see Figure 1). The software uses firewall-friendly Simple Object Access Protocol (SOAP) requests with attachments for its transfers. A client-side object allows users to resume failed uploads.

The setup kit for FileUpEE is a model for other Web server software. In a few clicks, it installs the components with a rich array of samples, sets up new ASP.NET applications, and maps its own UPLX extension. The Samples menu item lets you run the valuable Quick Start demonstrations on your localhost and view the source code (in VB.NET and C#) for the Web pages. The demonstration capabilities range from a simple two-tier upload to the three-tier resumable upload.

FileUpEE's HttpModule intercepts requests for the UPLX extension as a way of bypassing ASP.NET's size and memory limitations. FileUpEE is easy to configure when you control all the hardware in the chain. However, putting it on an ISP's server presents challenges. A big disappointment is that the critical components aren't pure .NET assemblies. You can't simply copy them into the site's /Bin directory and reference them in your ASP.NET code. Instead, you need administrator rights to register them using regsvr32. Some performance settings even require access to Registry keys.

The documentation (in standalone HTML Help format) is adequate and well organized. Differences in the software's capabilities from IIS 5 to IIS 6 could be made clearer, and security precautions should be more prominent. It would also be nice if the object-model reference were integrated into the VS.NET environment.

According to its license agreement, FileUpEE transmits your username, computer name, domain name, IP address, and CPU count during installation. SoftArtisans should be up front about this by showing you the precise data it's about to send.

This excellent enterprise product advances file-transfer technology by providing robust and secure HTTP transfers. It does carry an enterprise price tag—a consideration for Web farm operators with multiple-processor machines.

FileUp Enterprise Edition 5.0
Phone: 877-763-8278
Price: Call for pricing.
Quick Facts: File upload and download component for IIS and back-end systems.
Pros: Excellent installation and samples; streamed three-tier upload capability; resumable uploads; secure transfers across firewalls.
Cons: Unmanaged components defeat ASP.NET deployment simplicity; might transmit user and computer information silently to SoftArtisans; pricey.

About the Author
Ken Cox is a VB.NET developer in Toronto building e-commerce Web applications and XML Web services. Ken is a Microsoft MVP for ASP.NET and a former broadcast journalist. Reach him at [email protected].

Build Web Sites Visually

Posted March 15, 2004

The Visual Welder add-in for VS.NET gives you a visual representation of your entire Web site as you construct it. It takes the approach that each part of your site is independent and has its own business logic and database tables. You "assemble" these parts as you see fit, using RAD methodologies. Visual Welder supports SQL Server 7, SQL Server 2000, Oracle 8i, and Oracle 9i. It generates ASP.NET and VB.NET source code, and a C# version is in the works. You need IIS to display your finished Web sites.

Visual Welder gives you multiple "views." You can accomplish the same functionality with either the Parts viewer or the Spatial Editor. You'll be comfortable with the Parts viewer if you're familiar with VS.NET's Solution Explorer or Class View. The Spatial Editor requires a small learning curve, because it provides a different way of writing code: You build your application visually in the Spatial Editor, and Visual Welder generates the code automatically in the background. You should be able to build a basic Web site that binds to a SQL Server 2000 database fairly quickly (see Figure 1). Visual Welder generates the database automatically after you create a few parts. You don't need to write a single line of code to be able to add and modify your data.

You can also import an already existing database and make a Visual Welder project with it. Visual Welder creates a part for each table and also sets the appropriate relationships between the parts, based on the tables' foreign keys. Then, you can click on each part in the Spatial Editor, view the source code, and add business logic.

Visual Welder's installation is quick and easy, with one exception. The product requires DirectX 9.0 in order to render a 3-D view of the application you're building. You need to use the "/installmanageddx" option when you run the DirectX setup executable, a requirement that isn't immediately obvious.

The documentation includes some helpful interactive tutorials, but they do cause some minor frustrations. A "Back" button would help for times when you might get out of step, and it would be nice if you could print out the steps. The tutorials also take up valuable screen real estate.

Visual Welder will help you if you want to build your Web application visually using a parts-assembly paradigm. Once you've passed the product's learning curve, you can save some time, especially with database generation and bindings—often the most time-consuming aspects of application development. This tool can get you up and running quickly, whether you're a novice or an experienced Web developer.

Visual Welder 2.0
Phone: 201-242-1522
Pricing: $495
Quick Facts: Lets you generate your Web site and databases visually; interactive tutorials; integrates with VS.NET.
Pros: Makes seeing overall site layout easy; speeds implementation of database functionality; can import existing databases.
Cons: Doesn't generate C# code; tutorials can get out of step.

About the Author
David Mack is a technical lead for the National Intelligence Division of Titan Systems and an independent consultant. He has more than 10 years of experience in OOP. Reach him at [email protected].

comments powered by Disqus
Most   Popular