Monday, December 13, 2004

Access Modifiers Internals (Excerpt from mail - Courtesy Jeff Atkins)

The public and private keywords specify access at the individual class level.

Comparing Access Levels
It is important to realize that internal access is different from public or private access:
· Public access is logical.
The physical deployment of a public class (or a public class member) does not affect its accessibility. Regardless of how you deploy a public class, it remains public.
· Private access is also logical.
The physical deployment of a private class (or a private class member) does not affect its accessibility. Regardless of how you deploy a private class, it remains private.
· Internal access is physical.
The physical deployment of an internal class (or an internal class member) does affect its accessibility. You can deploy an internal class directly in an executable file. In this case, the internal class is visible only to its containing compilation unit. Alternatively, you can deploy an internal class in an assembly. You can share this assembly between several executable files, but internal access is still limited to the assembly. If an executable file uses several assemblies, each assembly has its own internal access.
Comparing Internal Access to Friendship
In languages such as C++ and Visual Basic (though I've never tried my hand at C++), you can use friendship to grant another class access to the private members of one class. If class A grants friendship to class B, the methods of class B can access the private members of class A. Such friendship creates a strong dependency from B to A. In some ways, the dependency is even stronger than inheritance. After all, if B were derived from A instead, it would not have access to the private members of A. To counteract this strong dependency, friendship has a few built-in safety restrictions:
· Friendship is closed.
If X needs to access the private members of Y, it cannot grant itself friendship to Y. In this case, only Y can grant friendship to X.
· Friendship is not reflexive.
If X is a friend of Y, that does not mean that Y is automatically a friend of X.
Internal access is different from friendship:
· Internal access is open.
You can compile a C# class (in a source file) into a module and then add the module to an assembly. In this way, a class can grant itself access to the internals of the assembly that other classes have made available.
· Internal access is reflexive.
If X has access to the internals of Y, then Y has access to the internals of X. Note also that X and Y must be in the same assembly.
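The "physical" and "open" points above, as an added example that is not part of the mail quoted in this post. File names, class names, the placeholder string and the csc command lines are assumptions for illustration; the three sections are meant to be separate source files built as the comments describe:

```csharp
// ---- Vault.cs : compiled to a module (not to an assembly) ----
//   csc /target:module /out:Vault.netmodule Vault.cs
internal class Vault
{
    // Placeholder value, constructed for the example.
    internal static string ConnectionString()
    {
        return "Server=db;Database=app;User Id=app";
    }
}

// ---- Outsider.cs : a class that wants Vault's internals ----
// "Internal access is open": adding the module when building this library
// puts Outsider and Vault in the SAME assembly, so the internal member is
// visible. Vault never had to grant anything, unlike C++ friendship.
//   csc /target:library /addmodule:Vault.netmodule /out:Combined.dll Outsider.cs
public class Outsider
{
    public static string Peek()
    {
        return Vault.ConnectionString();   // compiles: same assembly
    }
}

// ---- Client.cs : a separate executable that references Combined.dll ----
// "Internal access is physical": from a different assembly Vault is not
// visible, and the commented-out call is rejected by the compiler with
// error CS0122 (inaccessible due to its protection level). The public
// Outsider class, however, hands the value out to anyone.
//   csc /target:exe /reference:Combined.dll /out:Client.exe Client.cs
public class Client
{
    public static void Main()
    {
        // string s = Vault.ConnectionString();   // error CS0122
        string s = Outsider.Peek();               // fine: Outsider is public
        System.Console.WriteLine(s);
    }
}
```

Two things to take from this when reviewing code: internal keeps a member out of the compiler's reach from other assemblies, but, as the mail says, it is open to anyone who can add a module to the assembly, so the modifier is a maintenance boundary, not an access control for something like a connection string. And a public wrapper such as Outsider.Peek quietly turns an internal member into a public one, which is worth looking for.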

Sunday, December 05, 2004

My Upcoming News: Security Article - This Weekend

I have just geared myself up to start an article about what it takes to build secure applications: writing code for secure applications.

The following is a brief synopsis.

- Why should we go for secure systems: an overview of insecure applications and the potential harm they cause.
- Design considerations for an n-tier application: designing a secure application, covering the Security Development Lifecycle and threat models / DREAD.
- Secure n-tier environment: securing the web server, application server, database server and client machine (machine-level security).
- Write secure code: write (validation, SQL injection, buffer overruns, caching, sessions, HTML encoding, encryption/decryption, choosing data types, canonicalization), verify (FxCop, code reviews) and test (security test cases).
- Tools and techniques for secure applications: MBSA, IIS Lockdown, URLScan and threat-model hints.
- Future of the security initiative: leverage the security initiative and make the bad guys feel more insecure.

Friday, December 03, 2004

Questions, Questions and how to Question..

Have you had any experience handling questions from an audience? It sounds like a pretty cool idea, but it often happens that even an expert speaker narrowly misses the bull's eye.
I just finished giving a training session on security aspects of coding, and here are a few of the questions I had to handle... simple and sweet!

1. When should you use a method, and when a property?
A: If the implementation is fairly simple and what you want is control over access to a member variable, use a property. A property has get and set accessors internally, which is what OOP encapsulation is all about.
In contrast, if the implementation is turning complex (data connections, DataSet manipulation) or takes more than one parameter, use a method.

2. Why do you do both validations (client and server), when you know that everything has to come from the server anyway?
A: Do you really want to waste a round trip to the server for every simple mistake at the client? Client-side validation gives the user an immediate response. But the server has to validate regardless: the client's browser may not support the validation script (perhaps a browser that did not exist when you shipped your application), and nothing forces a client to run the script at all, so the server-side check is the one you actually rely on.
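Both answers in one added example (not code from the original post). The validation rules, the class and member names and the sample submissions are assumptions for illustration: the Username property shows the first answer (a simple single-value accessor with control over the member variable), and the multi-parameter Register method shows the second (the server re-checks everything, whatever the browser did or did not do):

```csharp
using System;
using System.Text.RegularExpressions;

public class UserRegistration
{
    // Allow-list patterns (assumed rules): state what is permitted rather
    // than trying to enumerate what is forbidden.
    private static readonly Regex UsernamePattern = new Regex(@"^[A-Za-z0-9_]{3,20}$");
    private static readonly Regex EmailPattern    = new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$");

    private string _username;

    // Answer 1, the property case: the implementation is simple and the aim
    // is control over one member variable. Validating in the setter means the
    // object can never hold an invalid username.
    public string Username
    {
        get { return _username; }
        set
        {
            if (value == null || !UsernamePattern.IsMatch(value))
                throw new ArgumentException("Username must be 3-20 letters, digits or underscores.");
            _username = value;
        }
    }

    // Answer 1, the method case: more than one parameter and real work.
    // Answer 2: this is the server-side check. It runs on every request and
    // does not care whether the client-side script ran, was unsupported by
    // the browser, or was never loaded because the request came from a tool.
    public static UserRegistration Register(string username, string email)
    {
        if (email == null || !EmailPattern.IsMatch(email))
            throw new ArgumentException("E-mail address is not in a valid form.");

        UserRegistration reg = new UserRegistration();
        reg.Username = username;   // the property setter validates
        // Persisting the registration would follow here; omitted in this example.
        return reg;
    }
}

public class Demo
{
    public static void Main()
    {
        // Constructed submissions. The first is what a browser that ran the
        // client-side script would send; the others are what arrives when
        // that script was skipped, unsupported, or bypassed.
        string[][] submissions = new string[][] {
            new string[] { "alice_01", "alice@example.com" },
            new string[] { "bob<script>", "bob@example.com" },
            new string[] { "carol_7", "not-an-address" }
        };

        foreach (string[] s in submissions)
        {
            try
            {
                UserRegistration r = UserRegistration.Register(s[0], s[1]);
                Console.WriteLine("accepted: " + r.Username);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

The client-side script, where present, duplicates the same two rules purely to spare the user a round trip; the server-side code above is the only check that counts, because the server cannot know whether the script ever ran.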