(Ebook) .NET Framework Security by Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price ISBN 9780672321849, 067232184X

(Ebook) .NET Framework Security by Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price ISBN 9780672321849, 067232184X

The downside of this book is the material by Kevin T. Price. They delegated the ASP.NET/Web security to him. Much of his work is a cut and paste of the SDK docs. For his examples, he uses the grid layout of ASP.NET, which makes the declarative code completely unreadable. He leaves in all of the code generated by Visual Studio.NET, despite its irrelevance. He spends a great deal of time discussing IIS configuration, which you might argue is not relevant to the subject matter at hand (this should be a very specialized book, and it is everywhere else). He refers us to a code download on the Sam's website - unfortunately, Sam's is not the publisher of this book. He puts in some sample JSP code for no apparent reason, apparently to teach us about diversity in the web environment. When you buy a book on .NET Framework Security, it is probably because you are interested in .NET, and not because you are interested in the web development ecosystem. Finally, his grand finale chapter is on writing a secure web application. All he manages to achieve here is to create a forms auth login page. Even more troubling is the fact that this sample - in a book on *security* - has a glaring SQL Injection Vulnerability. The one thing he creates is completely and disturbingly wrong.

Web developers who buy this book to write more secure applications are likely to end up writing even worse applications by implementing his ideas.

Read this book if you want to learn about CAS. Do not stop at this book if you actually need to write secure web applications - in fact, don't even start here. You're better off sticking with the PAG materials.