Discussion on: Why you should protect your .NET applications

Rastislav Novotný

I can also disagree about .NET being unsafe, but I'd rather point out one thing. In the article you say: "but security... let's say that is not its strong point". I am not a native English speaker, but I think that most people understand that statement to mean that there are some vulnerabilities in .NET. And then in a comment you said "I don't want to blame .NET for being insecure, I don't accuse it as a language with vulnerabilities or anything like that." So which one is true? Does .NET have security vulnerabilities or not?

Also, saying that an application is not secure when it's not obfuscated is a pretty "strong" statement. I think 99% of the applications that people use every day (including web browsers) are not obfuscated and can be decompiled or are even open source. I have never heard anyone say that they are insecure because of that.

And easy decompilation has its advantages and disadvantages in security. Yes, it's possible to steal intellectual property. But decompilation is easy because of a lot of metadata about the code inside the application. And this metadata ensures type safety and thus prevents attacks like buffer overflow and memory corruption.

I agree that obfuscation is a good technique to prevent certain security attacks. But it's not equivalent to security. There is not even a one-way implication. When an application is obfuscated, it does not mean it's secure. And when it is not obfuscated, it does not mean it's not secure.

ByteHide

Hello Rastislav,

Just out of curiosity, have you had experience with or studied .NET security and obfuscation?

Obfuscation is a technique to prevent attacks, that's true.

We have security systems and also obfuscation. Obfuscation is limited to the modification of the IL code; when we talk about security we refer to more concepts: processes that guarantee the integrity of the memory, or the JIT. But the intention of this article was to make it easy; that's why it includes the tag #beginners.

We answer your questions because of the uncertainty wrongly caused by our fault.

We're not saying that .NET is insecure, we're saying that the ease of decompilation in .NET is much greater than in other languages, such as C++.

As I said, how insecure software is is determined by how it is designed. Nothing more.

I believe that at no time do we imply that an obfuscated application is safe and otherwise not. But if we have given that perception, we apologize 🙏.

Security is a task that developers must carry out when developing software, obfuscation is a technique to protect the source code, and then security systems such as ©Smart Native of our team, are systems to ensure security, memory access, injection and so on. These are different things, but they should complement each other to guarantee the highest security.

We are sorry for the confusion, Rastislav. If you still have any doubts, we can continue to talk; those are the aspects that we think we have not expressed well.

Rastislav Novotný

To be honest, my reaction was initiated by this tweet: twitter.com/ThePracticalDev/status...

Especially the sentence "But security... let's say that is not its strong point".

I think .NET is an amazing technology with an amazing community around it. And I wish the community gets bigger. But a tweet like that may discourage people from being interested in .NET, thinking "why should I invest in .NET if it's not secure". Especially beginners.
Therefore I think it would be much better if the article differentiated between security in general and decompilation. I can imagine something like "Did you know that the preview of Visual Studio allows you to debug a .NET application even without source code? This is a nice feature, but it allows anyone to debug your application and find secrets in your source code. Do you know how to prevent it?"

And to answer your first question: I have long years of experience in .NET, but I don't think I am an expert in security. I am interested in security in computer science in general, but I am definitely not an expert.

ByteHide

Hello again Rastislav,

Well, then you're absolutely right,

In this company we use .NET for almost everything; with that I show you how much we love this language and how great it is. With regard to security, we offer solutions, as I said, both at the level of code (obfuscation) and more advanced security solutions.

It was our first article, and we've oriented it somewhat confusingly, our intention here is not to be right, our intention is to help the community, to raise awareness about safety, and for everyone in the community to learn about these issues, and when we make mistakes and people like you or anyone else correct us, it's our turn to learn.

From now on, we will be careful about how we express some things, we will try to clarify the concepts so that nobody gets confused, and we will always adapt our solutions so that they are as simple and easy as possible.

I would ask you a favor, if you are interested in .NET security, we have a blog, in which we will be uploading articles from time to time, currently there are only two, and we have things to modify in them with what we have learned here, but if you are interested, I would ask you to subscribe to our newsletter to receive these articles, we do not send spam, or share with others.

Still, be sure that here we will upload good content. I want to ask you one last question, and I hope not to waste your valuable time: what do you think you would like to read or learn about .NET security?

Thank you for your response, and we hope you continue to learn about everything you like!

Kind regards,