Security in Windows Forms

Windows Forms applications often handle sensitive data or run with elevated privileges. Understanding .NET security features helps you protect your users and maintain compliance.

Code Access Security (CAS)

CAS controls what code can do based on its evidence. Although CAS is deprecated in .NET Core, it remains relevant for legacy .NET Framework WinForms apps.

using System.Security.Permissions;

// Declarative demand (.NET Framework only): every caller up the stack must
// hold the FullTrust permission set, otherwise a SecurityException is thrown
// before the method body runs.
[PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
public void SensitiveOperation()
{
    // Code that requires full trust
}

SecureString

SecureString protects confidential text in memory. Use it for passwords, tokens, and other secrets.

using System.Security;
using System.Windows.Forms;

public partial class LoginForm : Form
{
    // passwordTextBox is the TextBox control declared in the form's designer file.
    SecureString GetSecurePassword()
    {
        var secure = new SecureString();
        // TextBox.Text already exposes the password as a managed string;
        // SecureString limits how long an unencrypted copy stays in memory.
        foreach (char c in passwordTextBox.Text)
            secure.AppendChar(c);
        secure.MakeReadOnly();   // no further modification once built
        return secure;
    }
}

Encryption & Decryption

Use the Aes class for symmetric encryption of user data stored locally.

using System.Security.Cryptography;
using System.Text;

// key: 16, 24 or 32 bytes (AES-128/192/256); iv: 16 bytes, unique for every
// message encrypted under the same key. Aes.Create() defaults to CBC mode with
// PKCS7 padding, which provides confidentiality only, not integrity.
byte[] Encrypt(string plainText, byte[] key, byte[] iv)
{
    using var aes = Aes.Create();
    aes.Key = key;
    aes.IV = iv;
    using var encryptor = aes.CreateEncryptor();   // dispose the transform as well
    var plainBytes = Encoding.UTF8.GetBytes(plainText);
    return encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
}

Best Practices