Hi all,
I've built a C# dll / component with some wonderful services to the clients
Payroll service.
As you might guess, I only want MY program to use this DLL.
If some developer gets hold of a reference to my dll, he or she could
easily use all methods to raise his or her salary....
I tried code access security, but I can only use that on Class level and not
on Assembly level, and I've read that there are ways to work around this kind
of protection.
Do you have any other ways of assuring that my program will be the only one
using the DLL/assembly?
Regards,
Michel
Michel@Voorburg wrote:
> I've built a C# dll / component with some wonderful services to the
> clients Payroll service.
> As you might guess, I only want MY program to use this DLL.
> If some developer gets hold of a reference to my dll, he or she could
> easily use all methods to raise his or her salary....
> [...]
> Do you have any other ways of assuring that my program will be the
> only one using the DLL/assembly?

Unless I'm way off on how your system works, I think you're looking at
putting security in the wrong place.
Presumably your DLL performs updates to a database when its methods are
called. If one of the developers has access to update the database via your
DLL, then surely they have access to the database directly as well. Then
they could just modify the database to raise their salary, bypassing your
DLL entirely.
If you secure the database so that other people can't access it, then it
won't matter if they use your DLL as they won't be able to open a database
connection. Database engines have lots of functionality to facilitate
restricted access, unlike DLLs.
Does that help at all?
--
(O)enone
Thanks,
I think I wasn't clear enough on this one...
What I am afraid of is that someone references my dll on the webserver
somehow..
So they don't have direct access to the webserver or database, but that they
can access the dll via some kind of share on the server...
Michel
A DLL is not an executable. It must be used by an executable. Therefore, if
the DLL accesses the database, it must use a Connection String which
provides the necessary credentials, or it uses Windows Authentication, in
which case it may access the database using the context of the user account
running the application. In either case, another application using the DLL
will not be able to access the database unless you've hard-coded a
Connection String with valid credentials into the DLL itself.
--
HTH,
Kevin Spencer
Microsoft MVP
Printing Components, Email Components,
FTP Client Classes, Enhanced Data Controls, much more.
DSI PrintManager, Miradyne Component Libraries: http://www.miradyne.net
If your DLL somehow bypasses the normal authentication procedures, then that
is something you should fix in your code. If the database does not have
strong authentication set up, then that should be fixed on the DB side. Your
code would then need to be set up appropriately. If the person has the
authentication information in hand, then there is not much left to protect.
"Michel@Voorburg" wrote:
> Hi all,
> I've built a C# dll / component with some wonderful services to the
> clients Payroll service.
> As you might guess, I only want MY program to use this DLL.
> If some developer gets hold of a reference to my dll, he or she could
> easily use all methods to raise his or her salary....
> I tried code access security, but I can only use that on Class level and
> not on Assembly level, and I've read that there are ways to work around
> this kind of protection.
> Do you have any other ways of assuring that my program will be the only
> one using the DLL/assembly?

I agree with the other posters who have suggested that you might want to
look at DB security etc.
That being said, you can secure your DLL by making your public
classes/methods/properties internal and then using the InternalsVisibleTo
attribute to expose internals to specific assemblies that are allowed to
call your dll. Those specific assemblies will have to have strong names.
Even that isn't very secure because you can still call private/internal
members via reflection and it's fairly easy to disassemble your dll, change
everything to public and rebuild. Securing your assembly like this is just
a way to keep people from calling things that may change in future versions
etc, if you really want security, it has to be in the database.
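
The point made in the last reply, as an added example that is not code from any poster in this thread: `internal` plus `InternalsVisibleTo` is enforced by the compiler, not at run time, so it narrows the API surface without acting as an access control. The names `PayrollService`, `RaiseSalary` and the friend assembly `PayrollWeb` are hypothetical.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;

// Compile-time friend grant (hypothetical friend assembly name).
// If this library is strong-named, the friend must be strong-named too and
// the attribute must carry its full public key, not the token:
//   [assembly: InternalsVisibleTo("PayrollWeb, PublicKey=<full public key hex>")]
[assembly: InternalsVisibleTo("PayrollWeb")]

namespace Payroll
{
    // internal: assemblies other than the friend cannot reference this
    // type or its members in source code; the compiler rejects it.
    internal sealed class PayrollService
    {
        internal decimal RaiseSalary(decimal current, decimal percent)
        {
            return current * (1 + percent / 100m);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // The type is resolved by name only, with no compile-time reference
        // to PayrollService. Fully trusted code in any other assembly can
        // make the same reflection calls, which is why the C# access
        // modifier is not a security boundary.
        Assembly asm = typeof(Demo).Assembly;
        Type type = asm.GetType("Payroll.PayrollService", throwOnError: true);
        object service = Activator.CreateInstance(type, nonPublic: true);

        MethodInfo method = type.GetMethod(
            "RaiseSalary", BindingFlags.Instance | BindingFlags.NonPublic);
        object result = method.Invoke(service, new object[] { 1000m, 10m });

        Console.WriteLine("Internal method returned: " + result);
    }
}
```

Because the call succeeds regardless of the access modifier, the authorization decision has to sit where the caller cannot rewrite it: the database account's permissions and the server's file and share ACLs.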