Reading the Connection String
We used to use System.Configuration.ConfigurationSettings.AppSettings and a custom tag to store connection strings. You can still do that, but that is the old (Doh!) way. ConfigurationSettings is deprecated in .NET 2.0; its replacement is a dedicated connectionStrings section in the configuration file and a matching ConnectionStrings collection on ConfigurationManager for reading those entries.
In Visual Studio 2005, you will use these steps to read connection strings:
- Add a reference to System.Configuration.dll.
- Add an Imports System.Configuration statement.
- Invoke ConfigurationManager.ConnectionStrings("full path to connection string").ConnectionString to read a specific connection string.
In Step 3, you will note that you are using the ConfigurationManager instead of ConfigurationSettings, which has been deprecated. The full path is namespace.Settings.name. By default, the namespace will be the same as your assembly name or the default namespace in VB. Settings is a literal value, and name is the name you entered in the Settings page for that connection string. I named mine ConnectionString. Thus, given a sample program EncryptConnectionString, the full path will be EncryptConnectionString.Settings.ConnectionString, which is also the name attribute of the add element that the Settings designer writes into app.config. If the name you pass does not match an entry, the ConnectionStrings indexer returns Nothing and the .ConnectionString access that follows throws a NullReferenceException, so check the name (or the lookup result) rather than assuming the entry exists.
Encrypting the Connection String
Next, you will want to encrypt the connection string. The problem in the past has been that everyone had to define an encryption scheme and a GUI for encrypting the data. While this isn't automatic in Visual Studio yet (it should be), it is pretty easy.
Note: A good feature for Visual Studio would be a checkbox or something that indicates that a value should be encrypted and the ConfigurationManager would automatically encrypt and decrypt this data. (Of course, figuring out who has permission to decrypt might be an issue here.)
The first thing you need to do is grab the aforementioned DPAPI wrapper class and add that to your project. (Copy and paste it right from the article online; I tested this approach and it works perfectly.) Next, you will use the Object Test Bench tool to create your GUI for you.
In "Object Test Bench: Cool New VS 2005 Feature" (http://www.developer.com/net/vb/article.php/3493071), you learned that you can invoke instance and static methods in Visual Studio 2005. For methods that accept arguments, Visual Studio will create a simple GUI for you.
The Encrypt method is a public module method that is the same thing as a shared class method. To encrypt the connection string, right-click in the Value field of the Settings tab, select Edit Cell, and copy the connection string value. Invoke the static method Encrypt (from a class diagram or the class view explorer), paste the unencrypted connection string in the Invoke Method dialog (see Figure 3), pick a value for the store parameter, and click OK.
Figure 3: Let Visual Studio create utility dialogs automatically through the Object Test Bench.
After you click OK, the return value can be copied or stored in the Object Test Bench. Replace the unencrypted value in the Settings page with the encrypted value and you are finished. Just remember to call the Decrypt method, with the same Store value you used to encrypt, when you read the connection string with the ConfigurationManager. The Store choice matters: with Store.User, only code running under the Windows account that encrypted the value (on that machine) can decrypt it, so a service or ASP.NET worker process running under a different identity will fail; with Store.Machine, any process on that machine can decrypt it, which protects the value at rest and in source control but not against code that already runs locally. The code in Listing 1 demonstrates how to grab and decrypt the connection string in your code.
Listing 1: A sample that demonstrates how to use the new ConfigurationManager.
' Requires a reference to System.Configuration.dll, Imports System.Configuration,
' and the DPAPI wrapper module (Encrypt, Decrypt, Store) copied from the article.
' The stored value is whatever you pasted into the Settings page (see the text).
Dim connectionString As String = _
    ConfigurationManager.ConnectionStrings( _
    "EncryptConnectionString.Settings.ConnectionString").ConnectionString
' Round trip through the wrapper; Decrypt must use the same Store as Encrypt.
Dim encrypted As String = Encrypt(connectionString, Store.User)
Dim unencrypted As String = Decrypt(encrypted, Store.User)
Console.WriteLine("Results: " & (unencrypted = connectionString))
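The same round trip in Windows PowerShell, as an added example that is not from the article or its DPAPI wrapper module: it calls the .NET 2.0 System.Security.Cryptography.ProtectedData class (the managed face of the same CryptProtectData/CryptUnprotectData calls), shows the user-versus-machine scope choice that the wrapper's Store parameter selects, and shows that a modified blob is rejected rather than decrypted to garbage. The entropy value, the sample connection string and the function names are assumptions made for this example.

```powershell
# Added example (not the article's code). Windows PowerShell 5.1; ProtectedData is in System.Security.dll.
Add-Type -AssemblyName System.Security

# Assumed app-specific secondary entropy: code running as the same user still needs
# this value to decrypt the blob. Use $null to match a wrapper that passes no entropy.
$AppEntropy = [Text.Encoding]::UTF8.GetBytes('EncryptConnectionString.v1')

function Protect-ConnectionString {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
                 $bytes, $AppEntropy, [Security.Cryptography.DataProtectionScope]$Scope)
    # Base64 text is what you paste into the Settings page / app.config value.
    [Convert]::ToBase64String($blob)
}

function Unprotect-ConnectionString {
    param(
        [Parameter(Mandatory)][string]$CipherText,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $blob  = [Convert]::FromBase64String($CipherText)
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $AppEntropy, [Security.Cryptography.DataProtectionScope]$Scope)
    [Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample value; not a real server or credential.
$plain = 'Data Source=.\SQLEXPRESS;Initial Catalog=Northwind;User Id=app;Password=Pa55w.rd'

# CurrentUser: only code running as this Windows account on this machine can decrypt.
$enc = Protect-ConnectionString -PlainText $plain -Scope CurrentUser
"Encrypted value for app.config: $enc"
"User-scope round trip OK: $((Unprotect-ConnectionString -CipherText $enc) -eq $plain)"

# LocalMachine: any account on this machine (that knows the entropy) can decrypt, which is
# what a service or ASP.NET worker process running under its own identity needs.
$encMachine = Protect-ConnectionString -PlainText $plain -Scope LocalMachine
"Machine-scope round trip OK: $((Unprotect-ConnectionString -CipherText $encMachine -Scope LocalMachine) -eq $plain)"

# The blob carries an integrity check: flip one byte and DPAPI refuses to decrypt
# instead of handing back corrupted text.
$tampered = [Convert]::FromBase64String($enc)
$tampered[-1] = $tampered[-1] -bxor 1
try {
    Unprotect-ConnectionString -CipherText ([Convert]::ToBase64String($tampered)) | Out-Null
    'Tampered blob decrypted (unexpected)'
} catch {
    "Tampered blob rejected: $($_.Exception.GetBaseException().GetType().Name)"
}
```

Run it as the account that will later run the application; a CurrentUser blob produced under your developer account cannot be decrypted by an application pool or service identity, which is the usual cause of "works on my machine" failures with this approach.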
Encrypting Configuration Sections in ASP.NET 2.0
Don't spend time re-inventing every wheel. It really is worth the time to figure out what features are already available; a few books and several days of reading usually pay for themselves. Although I have a vested interest in your buying books, I firmly believe the investment will pay off.
One such return can be had by reading this article. If you need to encrypt connection strings in the web.config of an ASP.NET application, aspnet_regiis -pe section_name will do the trick for you (for example, aspnet_regiis -pe "connectionStrings" -app "/MyApp"), and ASP.NET decrypts the section transparently when the application reads it. By default the section is encrypted with the RsaProtectedConfigurationProvider; pass -prov DataProtectionConfigurationProvider to use DPAPI instead. In either case the worker process identity must be able to use the key: for the RSA key container, grant it with aspnet_regiis -pa. You can read more about this feature of ASP.NET 2.0 in the integrated help topic ms-help://MS.VSCC.v80/MS.MSDNQTR.v80.en/MS.MSDN.v80/
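The aspnet_regiis step as a script, added here as an example that is not part of the article: it encrypts the connectionStrings section of a web.config with the DPAPI provider, then checks the file to confirm the plaintext entries are gone. The framework path, site path and provider choice are assumptions for the example; adjust them to the server.

```powershell
# Added example (not from the article). Run in an elevated Windows PowerShell prompt on the web server.
# Framework path, application path and provider are assumptions for this example.
$fx        = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727'   # 'Framework' on 32-bit Windows
$regiis    = Join-Path $fx 'aspnet_regiis.exe'
$appPath   = 'C:\inetpub\wwwroot\MyApp'                                      # assumed physical path holding web.config
$webConfig = Join-Path $appPath 'web.config'

# Encrypt the section in place. -pef takes a physical path; the -pe form in the text takes an IIS
# virtual path via -app "/MyApp". The default provider is RsaProtectedConfigurationProvider;
# DataProtectionConfigurationProvider uses DPAPI in the machine store, so the worker process
# needs no key-container rights but any process on this machine can decrypt the section.
& $regiis -pef 'connectionStrings' $appPath -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Check the result: the section now names its provider and holds an EncryptedData element,
# and no plaintext <add> entries remain.
[xml]$cfg = Get-Content -Path $webConfig
$section  = $cfg.configuration.connectionStrings
'Provider:       ' + $section.configProtectionProvider
'Encrypted:      ' + ($null -ne $section.EncryptedData)
'Plaintext left: ' + ($null -ne $section.add)

# ASP.NET decrypts the section transparently when the application reads
# ConfigurationManager.ConnectionStrings. To edit the entries again, decrypt with -pdf:
#   & $regiis -pdf 'connectionStrings' $appPath
# With the RSA provider on a web farm, export the key container once (-px), import it on
# each node (-pi), and grant the worker identity access to it (-pa); DPAPI blobs, by
# contrast, are tied to the machine that created them and cannot be copied between nodes.
```

The last check is the one worth keeping in a deployment script: a web.config that still contains add elements under connectionStrings after this step was not encrypted, whatever the tool reported.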
The difficulty with software development is that while things continually get easier, customer demands continually become more complex. For example, although we have an easy way to author application settings without hand-coding XML, it is no longer acceptable to publish unencrypted data such as connection strings. This article is intended to introduce new aspects of Visual Studio and show you how to leverage those aspects to complete routine, important tasks.
About the Author
Paul Kimmel is the VB Today columnist for www.codeguru.com and has written several books on object-oriented programming and .NET. Check out his book Visual Basic .NET Power Coding from Addison-Wesley and his upcoming book UML DeMystified from McGraw-Hill/Osborne (Spring 2005). Paul is also the founder and chief architect for Software Conceptions, Inc., founded 1990. He is available to help design and build software worldwide. You may contact him for consulting opportunities or technology questions at firstname.lastname@example.org.
If you are interested in joining, sponsoring a meeting, or posting a job, check out www.glugnet.org, the Web page of the Greater Lansing area Users Group for .NET.
Copyright © 2005 by Paul T. Kimmel. All Rights Reserved.