Hacking the Code ASP.NET Web Application Security [Electronic resources]

James C. Foster, Mark M. Burnett


Index

D

data compromise, 262, 296–302

data constraints, 289

data corruption

and asymmetric cryptography, 177–178

connecting to data sources, 274–279

creating random numbers, 187–188

encrypting XML data, 333–348

and hashing algorithms, 179–186

preventing SQL injection, 280–291

protecting communications with SSL, 196–198

protecting secrets, 190–195

signing XML data, 348–357

and symmetric cryptography, 156–177

writing secure SQL code, 291–296

data destruction

connecting to data sources, 274–279

preventing SQL injection, 280–291

reading and writing to data files, 296–302

writing secure SQL code, 291–296

data files, reading and writing to, 296–302

data integrity, defined, 154

Data Protection Application Programming Interface (DPAPI), 195, 277

data reflecting

defined, 218

overview, 226

preventing, 227–229

steps to reflect file paths, 227–229

unauthorized file access, 226–227

data source names (DSNs), removing from registry, 266–267

data sources, connecting to, 274–279

data types

constraining, 289

enabling strict data typing, 212–213

database compromise

defined, 262

ensuring least privilege, 270–272

limiting attack surface, 265–270

securing databases, 272–274

securing location, 263–264

databases. See also SQL Server

attacks that compromise integrity, 284

attacks that compromise queries, 285

attacks to retrieve content information, 283–284

attacks to retrieve structure information, 282–283

ensuring least privilege, 270–272

features to remove, 272–273

least privilege principle, 247–248

limiting attack surface, 265–270

protecting connection strings, 277–278

reading and writing to data files, 296–302

regex for filtering input, 225

sample firewall layout, 263–264

securing, 263–274, 272–274

securing location, 263–264

storing passwords in, 19–22

storing secrets in, 194–195

using least privilege to restrict users, 289–290

db_owner account, 278

declarative security, 100, 371–372

decryption, 154, 345–347

demanding permissions, 363

demanding permissions, in .NET Framework, 376–379

denial of service, 78–86, 207

Deny overrides, 383–384

DES algorithm, 156, 157, 159–163

DESCryptoServiceProvider class, 159, 413

digitally signed XML documents, 348–357

directory, as type of evidence, 368

directory traversal

data reflecting, 226–229

defined, 206

double decoding, 237–239

parameterizing, 236–237

DirectoryServicePermission class, 374

discretionary access control lists (DACLs), 90

distributed applications, defined, 365

DnsPermission class, 374

Domain property, cookies, 125–127

double decoding

C# code, 238

defined, 219

overview, 237–238

VB.NET code, 239

DPAPI (Data Protection Application Programming Interface), 195, 277

DSACryptoServiceProvider class, 413

DSNs. See 230–233