Wednesday, July 14, 2010

Happy Tenth Birthday, Microsoft .NET

The popular Microsoft framework celebrated an impressive milestone this past month: ten years ago, .NET arrived on the scene and quickly became the development "framework of choice" for innovative software and a key framework enabling the evolution to Web 2.0 applications, including Silverlight.

Given the popularity of .NET applications, the issue of how best to protect the framework is one of vital importance. Software piracy is rampant around the world, and .NET applications have unfortunately been among those most heavily targeted by hackers for reverse engineering. This is due at least in part to the comprehensive metadata included with .NET applications, which (in a manner similar to Java) enables easy software analysis, including comprehensive decompilation (that is, generation of near-original source code).

As B2C client software with greater intelligence and interactivity with corporate back-end systems becomes more prevalent, we will see a higher volume of business client applications written in .NET and Silverlight. This code is highly vulnerable and generally needs strong anti-reverse-engineering and anti-tamper properties. No one wants a trojanized version of your favorite banking client app available on the internet, indistinguishable (to the casual user) from the untampered version!

To address this risk in .NET applications, metadata must be stripped, character strings in the code must be encrypted, the code in the application must be obfuscated, and internal detectors of code modifications must be installed. Without aggressive protections, client software produced by businesses for consumer usage is open to casual hacking for illicit and nefarious purposes.

Windows .NET introduced a new way to build rich software applications for Web 2.0, and this model now applies to applications for emerging Cloud platforms as well. To continue to expand the .NET usage footprint, particularly for commercial business application client software, it's critical that development teams be aware of the security issues implicit in .NET code and of how to address them.

Here's to a safe and secure next 10 years, .NET!