A while back, I was part of a book project for Apress called ".NET Security". I've discussed some of the tragedies that sprung up during its creation, but the end result of having your name tagged to a book on .NET security is that some people think I know everything there is to know about security.

Nothing can be further from the truth.

First, I only wrote the first five chapters of that book. That means I wrote about topics such as cryptography, XML and security, CAS, and RAS. The other stuff was written by the other authors. Furthermore, I pretty much showed how the stuff worked (which was a valuable and interesting endeavour in itself), but what I wanted to have is more pratical security scenarios later on in the book. That never really happened. The point of this clarification is that I know a fair amount about how security works in the .NET framework. Anything beyond that becomes a gray haze. I'm not saying that's a good thing; it's just where my knowledge space ends.

Security is definitely an aspect to software development that should not be ignored by anyone. At the same time, there's other topics that I feel I have a better grasp of (CIL and attributes, for example ;) ) that I do with security. I don't consider myself an expert in anything, especially as it pertains to security. There are people who know that area far better than I do, and that's fine by me. I don't advocate ignorance; what I'm advocating is honesty with one's understanding about a particular topic. I'm just not the person to ask, "How do I secure my enterprise?" It's a valid question, but I don't have the complete answer. Good, that's off my chest - I'm off to play Halo2 and check out that new ! thingee at the CIL level...

* Posted at 12.03.2004 04:55:48 PM CST | Link *

Blog History