How do you make sure that your code runs when the security system is stopping it?

Security exceptions occur when code attempts to perform actions for which it has not been granted permission. Permissions are granted based on what is known about code; especially its location. For example, code run from the Internet is given fewer permissions than that run from the local machine because experience has proven that it is generally less reliable.

So, to allow code to run that is failing due to security exceptions, you must increase the permissions granted to it. One simple way to do so is to move the code to a more trusted location (such as the local file system). But this won't work in all cases (web applications are a good example, and intranet applications on a corporate network are another).

So, instead of changing the code's location, you can also change security policy to grant more permissions to that location. This is done using either the .NET Framework Configuration tool or the code access security policy utility (caspol.exe).

If you are the code's developer or publisher, you may also digitally sign it and then modify security policy to grant more permissions to code bearing that signature. When taking any of these actions, however, remember that code is given fewer permissions because it is not from an identifiably trustworthy source—before you move code to your local machine or change security policy, you should be sure that you trust the code to not perform malicious or damaging actions.

Why does code get a security exception when its run from a network shared drive?

Default security policy gives only a restricted set of permissions to code that comes from the local intranet zone. This zone is defined by the Internet Explorer security settings, and should be configured to match the local network within an enterprise. Since files named by UNC or by a mapped drive (such as with the NET USE command) are being sent over this local network, they too are in the local intranet zone.

The default is set for the worst case of an unsecured intranet. If your intranet is more secure you can modify security policy (with the .NET Framework Configuration tool or the CASPol tool) to grant more permissions to the local intranet, or to portions of it (such as specific machine share names).

What do you know about WS Security? Explain in brief

WS-Security (Web Services Security) is a communications protocol providing a means for applying security to Web services. On April 19 2004 the WS-Security 1.0 standard was released by Oasis-Open.

The protocol contains specifications on how integrity and confidentiality can be enforced on Web services messaging. The WSS protocol includes details on the use of SAML and Kerberos, and certificate formats such as X.509.

WS-Security describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer. Thus it ensures end-to-end security.

What do you understand by the word SSL? Give a one line answer.

Secure Sockets Layer (SSL), is a cryptographic protocol that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

What do you understand by Obfuscation and Encryption?

Encryption involves using a mathematical algorithm and a numeric key to transform text into cipher-text. The readable text has now become unreadable cipher-text. Encryption is usually two-way. In other words, using another mathematical algorithm and the same numeric key, the cipher-text can be reassembled into the originating text.

To obscure something is to make it not easily distinguishable. This technology hides your code from decompilers. It does so by keeping the same functionality but substituting different code and mixing in complexity. Obfuscation is a one-way function; once the code is obfuscated, there is no way of returning to the original input of the obfuscation