Discussion on: Why you should protect your .NET applications

andy_preston profile image
Andy Preston

I'd disagree that .NET is unsafe because of decompilers. Practically every major compiled programming language has had a decompiler released by somebody.

By comparison, interpreted languages like javascript in the browser give users the full source code.

I'm really not sure what you mean when you talk about attackers skipping security and login systems. I guess you're talking about programs installed locally on a computer, and not an ASP.NET Web App.

Your example image showing the hardcoded password is not good practice and I can't see any commercial program doing this.

Most programs with a login system do not persistently store data locally. The user provides credentials which are authenticated by a server. The server should just forward sensitive data once the user has passed authentication/authorization.

dotnetsafer profile image
Dotnetsafer Author

Hi, Andy!

Yes, you're right, but I'm going to give you my opinion on several points.

I am not saying that the fact that it can be decompiled is the cause of all evil, but it obviously contributes negatively to security.

In the end, what determines the safety of something is not a specific point, but the sum of several.

The other languages have decompilers, it's true, but they also use solutions in the other languages, still I don't like to talk about the other languages, because I'll be honest, I'm a specialist in .NET security, I know other languages and their security, but I don't like to talk when I'm not 100% sure of something (like Java for example).

Languages interpreted as JavaScript, as you say, give the source code to the user, then no fool would make a connection to a database from JavaScript, obviously you can't, you must use some bridge that communicates with the database, but can you imagine that if you could put a connection to MySQL in JavaScript ? Well, in .NET it is done. It won't be a good practice, I give you all the reason, but we have many clients that do it.

Now, the difference between a desktop application and a web application

Here you are very right, it is not the same, as you say it is used to "crack" desktop applications. (Now I'll talk about security and login systems).

It is common for desktop (or Xamarin mobile) applications to be decompiled and altered so that they can be used for free or something like that. I'm sure you have or know someone who has Photoshop, but didn't buy it (even if it's not .NET, it's an example).

ASP .NET applications, we perceive them as if they were in an impenetrable magic capsule, but they are simply on a server, so it is another risk factor, the security of the server. I'm not a specialist in this, but I know people who are, and I can assure you first hand that if the security of the server is not strong, it doesn't cost so much to access it and get all the .DLLs of your ASP .NET application (which as I said before, it will connect to your database), in case they access your server, (which you should avoid with a good IDS, and a thousand other options for the security of the server where you host your application) I would rather they get my web application protected and with encrypted connections, than with the perfect code and at first sight.

My example: As I said it's a silly example, nobody puts an "if" in an application to validate a password, it's just an example. But it's to understand that the same way I can get the logic of this app, I could get it with any other one.

The login systems, you've explained it perfectly.

They work just as you mentioned, but we know business applications that don't work as well.

For you to understand my point of view, the security of an application or any software will depend almost entirely on how the application is programmed and designed at the security level. There's no point in having a vault door at home if you're missing a wall.
But once your house is well built, the fact of putting a vault door will reinforce the security of it, that is indisputable.

I've seen great security systems for login, validating everything in PHP, everything encrypted, and then returning the response to .NET, telling the user how many days they have left, or returning a "true" value if the credentials are valid, great.
Skipping those login systems was as simple as, "I don't care what you're returning, just keep going".

As I said, it all depends on how it is developed, it could be better or worse, but safety will always be an extra phase.

I hope I wasn't too heavy, and at no time did I offend you with anything, or anything like that. My aim is to help, to make people understand the importance of all this, and in this case to share opinions with you so that we can both learn from each other.

Your comment was very correct and argued everything studiously, thank you for your interest in our article.

Kind regards,