Serializable Attribute / Sensitive Data

Old forum URL: forums.lhotka.net/forums/t/3512.aspx


windd posted on Tuesday, September 11, 2007

I just installed CompuWare’s DevPartner.  In the ‘problem’ page of the code review I received the following on each BO class using the serializable attribute.

Example:

<Serializable()> _
Public Class Incident
End Class

A serializable type, one that is marked with the SerializableAttribute and/or implements the ISerializable interface, can easily be read by malicious code when it is in its serialized state. This means that any sensitive data in the fields of the serialized type can also be read by unauthorized code. Therefore, it is imperative to protect serializable types. One approach is to protect the GetObjectData method. This member should demand the SerializationFormatter permission to ensure that this method is not being called by malicious code.

I was interested in hearing any feedback or concerns about using serializable objects.

RockfordLhotka replied on Tuesday, September 11, 2007

If you are transferring your data over a connection you don't trust (like the Internet), you need to protect your data.

The easiest solution is to use SSL. Alternately, you can use the encryption options available in WCF if you use the WcfProxy in the data portal, though the need to configure x509 certs remains consistent either way.

You can implement ISerializable. That forces you to implement both GetObjectData() and a custom constructor. Basically you are then implementing GetState() and SetState() style methods from CSLA in COM [:)]. Or if you did VB6 you can think of these as the methods used to get/put data into a PropertyBag.

The benefit of doing this is that you could encrypt certain data fields as you get/put them into the property bag. Of course then you assume all responsibility for key exchange and other complex bits of security - which is why SSL is better (the odds of you or me or anyone other than a handful of experts getting all the security bits correct are very low).

The primary drawback of doing this is that you have the same maintenance issues that came along with GetState/SetState in VB6 - the odds of forgetting to get/put one of your fields into the property bag is quite high - and the resulting bug is hard to track down.
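The ISerializable pattern from the reply, written out as an added example (not code from the original post or from CSLA): the SerializationFormatter demand DevPartner asks for on GetObjectData and on the deserialization constructor, plus one field protected on its way into and out of the SerializationInfo. The fields and the DPAPI-based Protect/Unprotect helpers are assumptions; only the Incident class name comes from the thread.

```vb
Imports System
Imports System.Runtime.Serialization
Imports System.Security.Cryptography
Imports System.Security.Permissions
Imports System.Text

' Illustrative business object (not CSLA's own code). The fields and the
' DPAPI-based helpers are assumptions; only the class name is from the post.
<Serializable()> _
Public Class Incident
    Implements ISerializable

    Private _id As Integer
    Private _reporterSsn As String ' sensitive field

    Public Sub New(ByVal id As Integer, ByVal reporterSsn As String)
        _id = id
        _reporterSsn = reporterSsn
    End Sub

    ' Deserialization constructor (the "SetState" side). Demanding the
    ' permission here too stops partially trusted code from rehydrating
    ' the object from a stream it obtained or forged.
    <SecurityPermission(SecurityAction.Demand, SerializationFormatter:=True)> _
    Protected Sub New(ByVal info As SerializationInfo, ByVal context As StreamingContext)
        _id = info.GetInt32("Id")
        _reporterSsn = Unprotect(DirectCast(info.GetValue("ReporterSsn", GetType(Byte())), Byte()))
    End Sub

    ' GetObjectData (the "GetState" side). The demand is what DevPartner
    ' asks for; every field must be added by hand, which is the
    ' maintenance hazard noted in the reply.
    <SecurityPermission(SecurityAction.Demand, SerializationFormatter:=True)> _
    Public Sub GetObjectData(ByVal info As SerializationInfo, ByVal context As StreamingContext) _
        Implements ISerializable.GetObjectData
        info.AddValue("Id", _id)
        info.AddValue("ReporterSsn", Protect(_reporterSsn))
    End Sub

    ' Field-level protection via DPAPI. CurrentUser scope only round-trips on
    ' the same machine and account, so this suits local persistence, not a
    ' stream sent across the wire; for that you need a shared key (or SSL).
    Private Shared Function Protect(ByVal value As String) As Byte()
        Return ProtectedData.Protect(Encoding.UTF8.GetBytes(value), Nothing, DataProtectionScope.CurrentUser)
    End Function

    Private Shared Function Unprotect(ByVal cipher As Byte()) As String
        Return Encoding.UTF8.GetString(ProtectedData.Unprotect(cipher, Nothing, DataProtectionScope.CurrentUser))
    End Function
End Class
```

The SecurityPermission demand is enforced by Code Access Security on the .NET Framework only; on .NET Core and later the attribute compiles but is ignored, so transport protection (SSL) remains the primary control.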

Copyright (c) Marimer LLC