How secure is our source code?

[John]

Hi

With the availability of tools like this;

http://www.remotesoft.com/salamander/

1. How safe is the source of .net apps?

2. Is MS using .net to write any of their apps? If so, presumably anyone
would be able to decompile them into equivalent source?!

Regards

 

[William Ryan]

By Safe, what do you mean? through reflection, the contents of code can be
easily examined unless it's obscured. In that sense, it's not safe at all.
However, you can define security policy for instance and exert tremendous
amount of control over how your app runs, where it runs etc. Since .NET is
in a managed environment, there are all sorts of other things that make it
more secure...no more buffer overflows for instance.

Lax coding practices make code insecure, not .NET. You can write insecure
code with any language and people do. If you understand how the framework
works, you can take measures to protect from whatever threats you perceive
to be there.

HTH,

Bill

 

[Tom Leylan]

By Safe, what do you mean?

He's generally referring to the inherent nature of IL-based languages to be
turned back into source. The exact same issues were brought up when Java
was released. Code obfuscators were devised, there are probably some for
..Net already.

 

[Tom Shelton]

He's generally referring to the inherent nature of IL-based languages to be
turned back into source. The exact same issues were brought up when Java
was released. Code obfuscators were devised, there are probably some for
.Net already.

Dotfuscator community edition ships with VS.NET 2003... They also have
a full blown commercial product and there are a couple of other
commercial obfuscators - like the one from Remotesoft, Salamander .NET
Obfuscator...

 

[William Ryan]

Yep, I was just trying to make a point that 'secure' code has many different
facets to it. As for obfuscators... we just got Salamander and it's pretty
darned cool.

 

[Tom Shelton]

Yep, I was just trying to make a point that 'secure' code has many different
facets to it. As for obfuscators... we just got Salamander and it's pretty
darned cool.

Do they have an evalution version yet? I've sorely wanted to try that
one out. If it lives up to it's promises I think it would be something
that my company would be interested in - but I am sure they would want
to play with it a little before taking the plunge. As it is, if we buy
one it will be the full Dotfuscator - simply because the free version
ships with VS.NET.

 

[Fergus Cooney]

Sorry to butt in guys - nothing to do with Salamanders or anything.

Hi Bill,

I saw your post and sent off a reply but I'm having problems with that
group - posts don't appear and so I repost and they still don't appear. I sent
several copies of a message to Steve and none have appeared in my OE (nor his
reply) but have on Google. I don't know if you can see my reply to you and
another (plus a re-post) to Scorpion. That's one hell of a twilight zone over
there.

Regards,
Fergus

 

[PreTech]

Hi John,

Microsoft is using Dotfuscator Professional Edition to protect the
..NET apps they want to protect against reverse engineering. A lite
version of Dotfuscator is included in VS.NET and PreEmptive is working
closely with Microsoft to set new standards in .NET obfuscation.

For more information see:

http://preemptive.com/dotfuscator/

Best Regards,
The Dotfuscator Team