70-330 and 70-340: Sweating over Security
These two new exams for developers really put your secure coding expertise to the challenge.
[This review also appears verbatim as the 70-330 Exam Spotlight. -- Editor]
Want to tackle a certification exam that will test your knowledge of
.NET and development best practices to the utmost? One of the application
security exams should be perfect for you then. You can choose from Visual
Basic .NET or C# versions of the exam; the two are identical except for
the language used in example code. This review applies equally to either
A warning, though: Don't take these exams lightly. I found them tougher
than anything else on the MCSD .NET track, because they require knowledge
of such a broad range of topics. You should have experience developing
both Windows and Web-based .NET applications, as well as working with
Web services, cryptography and managed components. I'd recommend passing
70-305, 70-306 and 70-310 (or the corresponding C# exams, 70-315, 70-316
and 70-320) before tackling this one.
If that's not enough, you also need to know the basics (and then some)
of writing secure applications. If things like least privilege, canonicalization,
SQL injection, or cross-site scripting are mysteries to you, then you've
got some studying to do.
and 70-340: Application Security
These are Microsoft's first security exams for developers
and they're as difficult as any developer exams the
company has ever published. If you can pass the 70-310
or 70-320 (XML Web Services and Server Components) and
70-300 (Solution Architectures) exams, you may be ready
to tackle this one.
70-330, Implementing Security for Applications with
Microsoft Visual Basic .NET
70-340, Implementing Security for Applications with
Microsoft Visual C# .NET
Who Should Take Them
Elective credit for MCAD .NET or MCSD .NET.
Summer 2004 (reviewed here in beta format)
Developing Security-Enhanced Web Applications; 3 days.
Developing and Deploying Secure Microsoft .NET Framework
Applications; 3 days.
Microsoft Security Guidance Training for Developers;
Developing Secure Applications (available July 2004);
Get Your Own House in Order First
Writing secure code starts with implementing security best practices directly
on your own development machine. You should understand the principle of
"least privilege," and know that logging on as an Administrator
of the local machine to do routine development is a bad idea. Given a
choice of accounts on a network, you should know which ones would work
for development and testing.
Tip: Review the groups that Visual Studio .NET creates
when it's installed, and know which ones grant you rights for which
While you're on the subject of least privilege, spend some time understanding
how least privilege applies to the code you're going to write. The exam
will check to make sure you know which permissions code needs to perform
certain actions, as well as how you assign those permissions. Know what
will happen if your code is run under a non-administrative account —
and how to trap any errors if the account doesn't have sufficient privileges.
CAS is Your Friend
Setting least privilege for running code is the job of Code Access Security,
or CAS for short. This is one of the most complex topics in .NET, but
it's one that you'll need to be thoroughly conversant with for this exam.
Start with the basic concepts of permissions, permission sets and code
groups, as well as the variety of permissions that the .NET Framework
Tip: Review the classes in the System.Security.Permissions
namespace and make sure you know which permissions each one controls.
Tip: Use the .NET Framework Configuration Tool to review
the standard permission sets that the .NET Framework creates on installation.
The exam will test your ability to properly apply the various permissions
in a variety of scenarios. In addition to knowing what actions each permission
controls, you need to understand the differences between the various permission
- RequestMinimum. The permissions that your application absolutely
needs to function.
- RequestOptional. The permissions that your application would
like to have but can do without.
- RequestRefuse. The permissions that your application should
never be granted.
- RequestDemand. The permissions that callers of your application
Tip: Know both the declarative (attribute-based) and
imperative (code-based) syntaxes for making permission requests.
You also need to understand the basic principles of granting, withholding
and calculating permissions from an administrative point of view. You
can get experience in this area through the graphical .NET Framework Configuration
Tool, but you'll also need to know how to use the command-line caspol.exe
utility. Make sure that you understand the concepts that go into computing
permissions, including the hierarchy of code groups, the Exclusive flag,
and the LevelFinal flag.
Tip: The permission set on a single level is the union
of the permission sets of all relevant code groups. The permission set
for the code is the intersection of the permission sets of all levels.
How's Your ASP.NET?
Even though you're a developer, you'll be tested on the portion of ASP.NET
administration that interacts with security. That means you need to understand
the various choices for authentication that IIS provides and the way that
ASP.NET interacts with those choices. You also need to know what happens
when you turn on ASP.NET impersonation in various scenarios.
Tip: If you're not using impersonation, ASP.NET runs
under the ASPNET account.
Configuration extends beyond IIS and into the web.config file, of course.
Here you'll be tested on setting up impersonation, authentication and
authorization policies. Know the syntax for allowing and denying users
and how multiple levels of configuration files interact. You should also
be familiar with the implications of impersonation for accessing external
resources such as SQL Server databases from your ASP.NET applications.
The distinction between authentication (determining who a user is) and
authorization (determining what the user can do) is critical for ASP.NET
applications and for this exam. Spend some time digging into the code
for Windows Forms authentication, and know how to implement a custom authentication
scheme. You'll need to be familiar with the IPrincipal and IIdentity components
of the .NET Base Class Library.
Tip: Know how to place code in the global.asax file to
help manage custom identities after a user is authenticated.
Web applications have been subject to several well-publicized attacks
in recent years, and you're expected to know the most common of these:
cross-site scripting and SQL injection. In particular, how would you test
whether your application is vulnerable to such attacks? Expect to be given
a choice of test scenarios and to know which ones would most likely expose
any problems that are present.
Tip: Given code that is vulnerable to SQL injection,
know how to prevent the attacks by not sending untrusted user input
directly to your database.
Canonicalization (representing resources such as URLs in a preferred
format) is another topic that gets an ASP.NET workover. You should be
familiar with the basics of regular expressions in .NET, so that you can
use a regex to test a string for attempts to evade security by avoiding
the canonical form.
The Rest of the Story
One of the problems with reviewing for this exam is that there are just
so many different places where security interacts with .NET. Each of these
areas might only account for a handful of questions, but if you miss a
few handfuls, you've failed the exam. So the wise candidate will study
the entire gamut of security coding. Here are some areas that you should
expect to be tested on.
Given a choice between different ways to split an application into components,
you should be able to judge which choice is more secure. Know when it's
safe to use a COM component, for example, and how best to interact with
COM components for secure coding. You should also understand how "defense
in depth" works, and be able to identify solutions that properly
implement this concept.
.NET implements a full range of cryptography classes (see the System.Security.Cryptography
namespace). That means you need to know how to use these classes. If you're
presented with different code snippets that purport to encrypt data, you
should be able to recognize the ones that actually work. In addition,
you need to understand the difference between asymmetric and symmetric
cryptography, and know how to use X.509 certificates to sign data. Other
cryptographic concepts that will come up on the exam include hashing and
Tip: A common pattern for secure communication is to
use asymmetric encryption (public-key cryptography) to exchange keys
for symmetric encryption.
Tip: Data encrypted with a public key can only be decrypted
with the matching private key, and vice versa.
Things to Practice
1. Write code that uses declarative and imperative
permission requests and then experiment to see exactly
what the code does when the requested permissions are
2. Use the .NET Framework Configuration Tool
to create code groups and permission sets and manage
the permission set for individual assemblies.
3. Set up an ASP.NET application that retrieves
data from SQL Server. Configure it to work with user
accounts through impersonation, or with the ASPNET account
and no impersonation.
4. Use the sn.exe tool to create a key pair
file, to extract the public key and to implement delay
signing of an assembly.
5. Write code that encrypts and decrypts data
using symmetric encryption. Rewrite the code to use
6. Use the makecert.exe tool to create a test
X.509 certificate, and use that certificate to sign
data in a test application.
7. Use the permview.exe tool to analyze the
code access permissions of an assembly.
8. Use entries in the AssemblyInfo.vb or assemblyinfo.cs
file to apply a strong name to an assembly. Open the
assembly in a hex editor and change some data, then
check to make sure that .NET won't run the altered assembly.
9. Modify a web.config file to prevent specified
users from viewing a particular file.
10. Configure an ASP.NET site to use SSL security.
.NET, of course, supports several distributed architectures, including
remoting and Web services. On the remoting side, you should understand
how to construct credentials for a remoting client, as well as how to
securely host a remoting server. Given a choice between several architectures
for a remoting server, which is more secure? On the Web services side,
you'll need to be broadly familiar with the WS-Security and WS-Interoperability
standards, even though they're not a part of .NET itself.
Finally, spend a while understanding security and serviced components.
Serviced components, of course, are the .NET view of COM+ classes. If
you've never looked into the declarative framework for securing serviced
components by applying attributes, you need to do this before taking the
Tip: You can add roles to an application by using the
If you're still with me at this point, you've probably come to appreciate
how challenging this exam can be. So why should you take it? A few minutes
with practically any technology news site will give you the answer. Despite
years of effort, there are new security holes found in applications every
day, and users are getting steadily more angry about this state of affairs.
As software vendors are pressured into concentrating more resources on
secure application development, developers who can prove their ability
to work in this area will be in increased demand. Taking this exam is
one way to show that you know what it takes.