secure my DLL against use by others

Hi all,

I've built a C# dll / component with some wonderful services to the client's
Payroll service.
As you might guess, I only want MY program to use this DLL.
If some developer gets hold of a reference to my dll, he or she could
easily use all methods to raise his or her salary....

I tried code access security, but I can only use that on Class level and not
on Assembly level, and I've read that there are ways to work around this kind
of protection.

Do you have any other ways of assuring that my program will be the only one
using the DLL/assembly?

Regards,

Michel
Jul 27 '07 #1
Michel@Voorburg wrote:
> I've built a C# dll / component with some wonderful services to the
> client's Payroll service.
> As you might guess, I only want MY program to use this DLL.
> If some developer gets hold of a reference to my dll, he or she could
> easily use all methods to raise his or her salary....
> [...]
> Do you have any other ways of assuring that my program will be the
> only one using the DLL/assembly?

Unless I'm way off on how your system works, I think you're looking at
putting security in the wrong place.

Presumably your DLL performs updates to a database when its methods are
called. If one of the developers has access to update the database via your
DLL, then surely they have access to the database directly as well. Then
they could just modify the database to raise their salary, bypassing your
DLL entirely.

If you secure the database so that other people can't access it, then it
won't matter if they use your DLL as they won't be able to open a database
connection. Database engines have lots of functionality to facilitate
restricted access, unlike DLLs.

Does that help at all?

--

(O)enone

Jul 27 '07 #2
Thanks,

I think I wasn't clear enough on this one...
What I am afraid of is that someone references my dll on the webserver
somehow..
So they don't have direct access to the webserver or database, but that they
can access the dll via some kind of share on the server...

Michel

"(O)enone" wrote:
> Michel@Voorburg wrote:
>> I've built a C# dll / component with some wonderful services to the
>> client's Payroll service.
>> As you might guess, I only want MY program to use this DLL.
>> If some developer gets hold of a reference to my dll, he or she could
>> easily use all methods to raise his or her salary....
>> [...]
>> Do you have any other ways of assuring that my program will be the
>> only one using the DLL/assembly?
>
> Unless I'm way off on how your system works, I think you're looking at
> putting security in the wrong place.
>
> Presumably your DLL performs updates to a database when its methods are
> called. If one of the developers has access to update the database via your
> DLL, then surely they have access to the database directly as well. Then
> they could just modify the database to raise their salary, bypassing your
> DLL entirely.
>
> If you secure the database so that other people can't access it, then it
> won't matter if they use your DLL as they won't be able to open a database
> connection. Database engines have lots of functionality to facilitate
> restricted access, unlike DLLs.
>
> Does that help at all?
>
> --
>
> (O)enone

Jul 27 '07 #3
A DLL is not an executable. It must be used by an executable. Therefore, if
the DLL accesses the database, it must use a Connection String which
provides the necessary credentials, or it uses Windows Authentication, in
which case it may access the database using the context of the user account
running the application. In either case, another application using the DLL
will not be able to access the database unless you've hard-coded a
Connection String with valid credentials into the DLL itself.

--
HTH,

Kevin Spencer
Microsoft MVP

Printing Components, Email Components,
FTP Client Classes, Enhanced Data Controls, much more.
DSI PrintManager, Miradyne Component Libraries:
http://www.miradyne.net

"Delta-N: Herman Greven" <De****************@discussions.microsoft.com>
wrote in message news:52**********************************@microsoft.com...
> Thanks,
>
> I think I wasn't clear enough on this one...
> What I am afraid of is that someone references my dll on the webserver
> somehow..
> So they don't have direct access to the webserver or database, but that
> they can access the dll via some kind of share on the server...
>
> Michel
>
> "(O)enone" wrote:
>> Michel@Voorburg wrote:
>>> I've built a C# dll / component with some wonderful services to the
>>> client's Payroll service.
>>> As you might guess, I only want MY program to use this DLL.
>>> If some developer gets hold of a reference to my dll, he or she could
>>> easily use all methods to raise his or her salary....
>>> [...]
>>> Do you have any other ways of assuring that my program will be the
>>> only one using the DLL/assembly?
>>
>> Unless I'm way off on how your system works, I think you're looking at
>> putting security in the wrong place.
>>
>> Presumably your DLL performs updates to a database when its methods are
>> called. If one of the developers has access to update the database via
>> your DLL, then surely they have access to the database directly as well.
>> Then they could just modify the database to raise their salary, bypassing
>> your DLL entirely.
>>
>> If you secure the database so that other people can't access it, then it
>> won't matter if they use your DLL as they won't be able to open a
>> database connection. Database engines have lots of functionality to
>> facilitate restricted access, unlike DLLs.
>>
>> Does that help at all?
>>
>> --
>>
>> (O)enone


Jul 27 '07 #4
If your DLL somehow bypasses the normal authentication procedures, then that
is something you should fix in your code. If the database does not have
strong authentication set up, then that should be fixed on the DB side. Your
code would then need to be set up appropriately. If the person has the
authentication information in hand, then there is not much left to protect.

"Delta-N: Herman Greven" wrote:
> Thanks,
>
> I think I wasn't clear enough on this one...
> What I am afraid of is that someone references my dll on the webserver
> somehow..
> So they don't have direct access to the webserver or database, but that they
> can access the dll via some kind of share on the server...
>
> Michel
>
> "(O)enone" wrote:
>> Michel@Voorburg wrote:
>>> I've built a C# dll / component with some wonderful services to the
>>> client's Payroll service.
>>> As you might guess, I only want MY program to use this DLL.
>>> If some developer gets hold of a reference to my dll, he or she could
>>> easily use all methods to raise his or her salary....
>>> [...]
>>> Do you have any other ways of assuring that my program will be the
>>> only one using the DLL/assembly?
>>
>> Unless I'm way off on how your system works, I think you're looking at
>> putting security in the wrong place.
>>
>> Presumably your DLL performs updates to a database when its methods are
>> called. If one of the developers has access to update the database via your
>> DLL, then surely they have access to the database directly as well. Then
>> they could just modify the database to raise their salary, bypassing your
>> DLL entirely.
>>
>> If you secure the database so that other people can't access it, then it
>> won't matter if they use your DLL as they won't be able to open a database
>> connection. Database engines have lots of functionality to facilitate
>> restricted access, unlike DLLs.
>>
>> Does that help at all?
>>
>> --
>>
>> (O)enone


Jul 27 '07 #5
"Michel@Voorburg" <Mi************@discussions.microsoft.com> wrote in
message news:5E**********************************@microsoft.com...
> Hi all,
>
> I've built a C# dll / component with some wonderful services to the
> client's Payroll service.
> As you might guess, I only want MY program to use this DLL.
> If some developer gets hold of a reference to my dll, he or she could
> easily use all methods to raise his or her salary....
>
> I tried code access security, but I can only use that on Class level and
> not on Assembly level, and I've read that there are ways to work around
> this kind of protection.
>
> Do you have any other ways of assuring that my program will be the only
> one using the DLL/assembly?

I agree with the other posters who have suggested that you might want to
look at DB security etc.

That being said, you can secure your DLL by making your public
classes/methods/properties internal and then using the InternalsVisibleTo
attribute to expose internals to specific assemblies that are allowed to
call your dll. Those specific assemblies will have to have strong names.

Even that isn't very secure because you can still call private/internal
members via reflection and it's fairly easy to disassemble your dll, change
everything to public and rebuild. Securing your assembly like this is just
a way to keep people from calling things that may change in future versions
etc. If you really want security, it has to be in the database.
Jul 27 '07 #6
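
What the last reply describes, as an added C# example that is not part of the original thread: `InternalsVisibleTo` restricts who can compile against the internals, while reflection still reaches them at run time. `PayrollService`, `SetSalary` and the friend assembly name `PayrollWeb` are hypothetical names, and the salary update is simulated in memory.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;

// Only the assembly named here may compile against the internal members below.
// "PayrollWeb" is a hypothetical name. When this library is strong-named, the
// attribute must also carry the friend's full public key:
//   [assembly: InternalsVisibleTo("PayrollWeb, PublicKey=<hex key>")]
[assembly: InternalsVisibleTo("PayrollWeb")]

namespace Payroll
{
    internal sealed class PayrollService
    {
        internal decimal LastSalary { get; private set; }

        // Hidden from non-friend assemblies at compile time only.
        internal void SetSalary(int employeeId, decimal amount)
        {
            // Assumption: the real component would issue a database update here.
            LastSalary = amount;
        }
    }

    public static class Demo
    {
        // Late-bound call by name: the compiler's visibility rules are never consulted.
        public static decimal CallThroughReflection()
        {
            Assembly asm = typeof(Demo).Assembly; // stands in for a separately loaded copy of the DLL
            Type type = asm.GetType("Payroll.PayrollService", true);
            object service = Activator.CreateInstance(type, true);
            BindingFlags hidden = BindingFlags.Instance | BindingFlags.NonPublic;
            MethodInfo setSalary = type.GetMethod("SetSalary", hidden);
            setSalary.Invoke(service, new object[] { 42, 9999m });
            PropertyInfo last = type.GetProperty("LastSalary", hidden);
            return (decimal)last.GetValue(service, null);
        }

        public static void Main()
        {
            Console.WriteLine("internal SetSalary ran via reflection: " + CallThroughReflection());
        }
    }
}
```

Because the call goes through despite the `internal` modifier, the control that actually holds is the permission set of the database account the calling process connects with.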
