Re: C# Exceptions



Thanks for your replies.

My comments in capitals below.

In a (web)service orientated architecture, the message integrity is
crucial. I would suggest to encrypt the data sent through the network
and also digitally sign it. The desktop application validates the
signature and if it's not valid it will reject the incoming data. If the
signature is valid then the app can decrypt the response and process it.

THE COMMUNICATION WITH WEB SERVICES IS OVER HTTPS AND IT HAS A DIGITAL
CERTIFICATE. HOWEVER, I UNDERSTAND SSL CERTIFICATES CAN BE SPOOFED AND
PROBABLY IF THE DESKTOP APPLICATION VALIDATES THE SIGNATURE THAT COULD
BE SPOOFED TOO?


ALSO THE COMMUNICATION WITH THE DATABASE SERVER IS ENCRYPTED.

It's also recommended not to catch general exceptions like:
catch (Exception ex) {}, but to catch and handle different kinds of
exceptions, as in: catch (NullReferenceException nullex) {} or catch
OverflowException, etc.

SORRY BUT I DIDN'T GET THIS ONE. IF AN APPLICATION THROWS DIFFERENT
TYPES OF EXCEPTIONS LIKE NULL, AV, WOULD THAT BE GOOD, OR IS HAVING A
GENERIC ERROR MESSAGE BETTER? I FEEL IT WOULD BE BETTER TO THROW A
GENERIC ERROR.


Another issue is that through reflection, ildasm you can re-construct
the source code of a managed app (see .NET Reflector). It's also

WE ARE ABLE TO RE-CONSTRUCT THE SOURCE CODE OF SOME IMPORTANT DLLS BUT
NOT FOR THE MAIN PROGRAM EXE FILE.

possible to patch system assemblies. It is possible to bring the
Framework to its knees with fuzzed data. You can't really trust anything,

YES, THAT'S TRUE. IT IS NOT DIFFICULT TO CRASH A C# DESKTOP
APPLICATION BY FUZZING TECHNIQUES. ALTHOUGH I BELIEVE IT ISN'T REALLY
A SERIOUS ISSUE AS A DOS ATTACK WILL AFFECT ONLY A SINGLE USER AND THE
OTHER IMPORTANT THING IS IT DOESN'T HAVE ANY PORTS OPEN OR SERVICE
AVAILABLE ON THE NETWORK.

but do your best to detect it and do some defensive coding.

I THINK IT TAKES A LOT OF TIME TO PINPOINT THE CODE DEFECTS THAT
CAUSED A CRASH. WOULD IT BE WORTHWHILE TO SPEND THAT MUCH TIME FIXING
IT? ANYWAY, THIS ISSUE IS AT MOST GOING TO CAUSE A NON-SERIOUS DOS.
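The two positions in the thread (catch specific exception types vs. show the user a generic error) are not in conflict: the code can catch the specific, recoverable exceptions it expects, keep the detail in its own log, and hand the user one generic message. The following is an added illustration written for this reply, not code from anyone in the thread; `SafeParser`, `ParseQuantity` and the `InternalLog` sink are hypothetical names chosen here.

```csharp
using System;
using System.Globalization;
using System.IO;

// Added example: catch specific exceptions, log detail internally,
// expose only a generic message to the user.
public static class SafeParser
{
    // What the caller/UI sees: no exception type or stack trace leaks out.
    public sealed class Outcome
    {
        public bool Succeeded;
        public int Value;
        public string UserMessage;
    }

    // Hypothetical internal log sink; a real app would use its logger here.
    private static readonly TextWriter InternalLog = Console.Error;

    public static Outcome ParseQuantity(string untrustedInput)
    {
        try
        {
            // Value from a web service response or a form field: treated as untrusted.
            int value = int.Parse(untrustedInput, NumberStyles.Integer, CultureInfo.InvariantCulture);
            if (value < 0 || value > 10000)
                throw new ArgumentOutOfRangeException(nameof(untrustedInput));
            return new Outcome { Succeeded = true, Value = value, UserMessage = "OK" };
        }
        catch (FormatException ex)      // not a number: recoverable, reject the input
        {
            return Fail("format", ex);
        }
        catch (OverflowException ex)    // does not fit in an int: recoverable
        {
            return Fail("overflow", ex);
        }
        catch (ArgumentException ex)    // null input (ArgumentNullException) or out of range
        {
            return Fail("argument", ex);
        }
        // Deliberately no catch (Exception): anything else is a programming error
        // and should reach a top-level handler that logs and exits rather than
        // letting the app continue with an unknown state.
    }

    private static Outcome Fail(string kind, Exception ex)
    {
        // Full detail stays in the application's own log.
        InternalLog.WriteLine($"ParseQuantity rejected input ({kind}): {ex.GetType().Name}: {ex.Message}");
        // The user gets the same generic message whatever the cause.
        return new Outcome { Succeeded = false, UserMessage = "The supplied value could not be processed." };
    }
}
```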

