Securing Silverlight apps: what you don't know can hurt you - Ward Bell
AskWard@ideablade.com
Encrypt, Authenticate, Authorize, Audit, Validate
Secure the server -- assume all clients are hostile; the XAP runs on a machine you do not control, so anything checked only in the client is not really checked.
SSL always and everywhere - serve the XAP itself over SSL, not just the service calls, otherwise someone on the path can hand the browser a modified XAP.
Avoid custom authentication - suggested using ASP.NET Forms Authentication / ASP.NET Membership and Roles (the talk assumed external users).
Authenticate through a web (login) page - on the server the authenticated principal is then available as HttpContext.Current.User.
For OOB (out-of-browser) there is no host page, so roll your own login UI in the app and post the credentials to the same ASP.NET authentication service.
You can also use WCF RIA Services for authentication and authorization - see the article by B. Noyes.
Without SSL the user name and password posted by an ASP.NET login form are visible in clear text in Fiddler (or any proxy on the path).
To enforce authorization on the server in RIA Services, annotate the domain service or its operations with attributes such as [RequiresRole("Manager")]; the check runs in the server pipeline on every call, whatever the client sends.
You would need to create a custom User class (derived from UserBase) that the RIA Services authentication service returns, so the Silverlight client knows the user's name and roles.
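As an added example (not the talk's or IdeaBlade's code): a WCF RIA Services authentication service with a custom User class, plus a domain service whose authorization is enforced with server-side attributes. The Order entity, the in-memory list and the method names are made up for illustration; the attributes and base classes are the real RIA Services ones.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;
using System.ServiceModel.DomainServices.Server.ApplicationServices;

namespace SecureApp.Web
{
    // Custom user returned to the Silverlight client (UserBase carries Name and Roles).
    public class User : UserBase
    {
        public string DisplayName { get; set; }   // illustrative extra property
    }

    // Login/Logout/GetUser are inherited; they sit on ASP.NET Membership/Roles and the
    // Forms Authentication cookie, so no password handling is written here.
    [EnableClientAccess]
    public class AuthenticationService : AuthenticationBase<User>
    {
        protected override User GetAuthenticatedUser(IPrincipal principal)
        {
            User u = base.GetAuthenticatedUser(principal);   // fills Name and Roles
            u.DisplayName = principal.Identity.Name;
            return u;
        }
    }

    // Hypothetical entity for the example.
    public class Order
    {
        [Key] public int Id { get; set; }
        public string Owner { get; set; }
        public decimal Total { get; set; }
        public bool Approved { get; set; }
    }

    [EnableClientAccess]
    [RequiresAuthentication]   // applies to every operation: anonymous callers are rejected
    public class OrderDomainService : DomainService
    {
        // Constructed sample data standing in for a database.
        static readonly List<Order> Orders = new List<Order>
        {
            new Order { Id = 1, Owner = "alice", Total = 120m },
            new Order { Id = 2, Owner = "bob",   Total = 80m  },
        };

        // Any authenticated user may read, but only their own orders. The owner comes from
        // ServiceContext.User (the server-side principal), never from a client parameter.
        public IQueryable<Order> GetOrders()
        {
            string me = ServiceContext.User.Identity.Name;
            return Orders.Where(o => o.Owner == me).AsQueryable();
        }

        // Only Managers may approve. The role check runs before this method is entered,
        // so hiding the button in the client is cosmetic; this is the real control.
        [RequiresRole("Manager")]
        [Invoke]
        public void ApproveOrder(int orderId)
        {
            Order o = Orders.FirstOrDefault(x => x.Id == orderId);
            if (o == null) throw new InvalidOperationException("unknown order " + orderId);
            o.Approved = true;
        }
    }
}
```

On the client, the generated WebContext.Current.User.IsInRole("Manager") is fine for enabling or hiding UI, but a modified XAP can call ApproveOrder regardless; only the [RequiresRole] attribute on the server stops it.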
Silverlight Spy will open any XAP file and let you read its contents, so never ship secrets (connection strings, keys, "hidden" logic) in the client.
For offline authentication (OOB), use the user's password as the key for encrypting the locally cached data - derive the key from the password rather than using the password bytes directly, and store no password or hash on the machine.
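Added example (not from the talk): a password-derived key protecting a locally cached user/session blob, so that "offline login" simply means the entered password can decrypt the blob. It uses only the Silverlight subset of System.Security.Cryptography (Rfc2898DeriveBytes, AesManaged, HMACSHA256, RNGCryptoServiceProvider); the blob layout, class name and iteration count are my choices, not anything the talk specified.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for an OOB Silverlight app. Blob layout (my choice):
//   salt || iv || AES-CBC ciphertext || HMAC-SHA256(salt || iv || ciphertext)
public static class OfflineVault
{
    const int SaltSize = 16, IvSize = 16, KeySize = 32, MacSize = 32, Iterations = 10000;

    // Two independent keys (encryption, MAC) from one password via PBKDF2.
    // The raw password is never stored and never used directly as the AES key.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        encKey = kdf.GetBytes(KeySize);
        macKey = kdf.GetBytes(KeySize);
    }

    public static byte[] Protect(string password, byte[] plaintext)
    {
        var salt = new byte[SaltSize];
        var iv = new byte[IvSize];
        var rng = new RNGCryptoServiceProvider();
        rng.GetBytes(salt);
        rng.GetBytes(iv);

        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);

        byte[] cipher;
        using (var aes = new AesManaged { Key = encKey, IV = iv })   // CBC + PKCS7 by default
        using (var enc = aes.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        var blob = new byte[SaltSize + IvSize + cipher.Length + MacSize];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, blob, SaltSize, IvSize);
        Buffer.BlockCopy(cipher, 0, blob, SaltSize + IvSize, cipher.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, blob.Length - MacSize);
            Buffer.BlockCopy(tag, 0, blob, blob.Length - MacSize, MacSize);
        }
        return blob;
    }

    // Returns null for a wrong password or a tampered blob; the MAC is checked before
    // any decryption so padding errors never reach the caller.
    public static byte[] Unprotect(string password, byte[] blob)
    {
        if (blob == null || blob.Length < SaltSize + IvSize + MacSize) return null;
        var salt = new byte[SaltSize];
        var iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize);

        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, blob.Length - MacSize);

        // Compare all bytes regardless of where the first mismatch is.
        int diff = 0;
        for (int i = 0; i < MacSize; i++)
            diff |= expected[i] ^ blob[blob.Length - MacSize + i];
        if (diff != 0) return null;

        int cipherLen = blob.Length - SaltSize - IvSize - MacSize;
        using (var aes = new AesManaged { Key = encKey, IV = iv })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(blob, SaltSize + IvSize, cipherLen);
    }

    // Offline login: the password is accepted only if it decrypts the cached user blob
    // (for example serialized name + roles saved after the last online login).
    public static bool TryOfflineLogin(string password, byte[] cachedBlob, out string cachedUser)
    {
        byte[] plain = Unprotect(password, cachedBlob);
        cachedUser = plain == null ? null : Encoding.UTF8.GetString(plain, 0, plain.Length);
        return plain != null;
    }
}
```

Write the blob from Protect to IsolatedStorage after a successful online login and feed it to TryOfflineLogin when the network is down. Caveats: the offline check is only as strong as the password (hence the iterated KDF and a random salt), and it cannot see that the account was disabled or its roles changed on the server since the last online login, so expire the cache and re-authenticate online as soon as possible.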
Don't make your client talk to multiple domains (each extra domain needs a cross-domain policy file and widens the attack surface); the exception is images/media, which Silverlight can show cross-domain but not examine (no access to the pixels).
Confirm the host page and check where the XAP came from, so the app refuses to run when someone copies the XAP onto a site you do not control.
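Added example (not from the talk): an origin check to run in Application_Startup, using the real Silverlight properties Application.Current.Host.Source (where the XAP was loaded from) and HtmlPage.Document.DocumentUri (the page hosting the plug-in). The allowed host name and the class name are assumptions; the decision logic is kept in a pure method so it can be unit tested without the Silverlight runtime.

```csharp
using System;
using System.Windows;
using System.Windows.Browser;

// Hypothetical startup guard for a Silverlight app.
public static class OriginCheck
{
    // Assumed deployment host; replace with your own.
    static readonly string[] AllowedHosts = { "app.example.com" };

    static bool IsAllowed(Uri u)
    {
        if (u == null) return false;
        if (u.Scheme != Uri.UriSchemeHttps) return false;   // SSL everywhere, XAP included
        foreach (string h in AllowedHosts)
            if (string.Equals(h, u.Host, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    // In the browser both the XAP and the hosting page must be ours; out-of-browser
    // there is no host page, so only the XAP origin is checked.
    public static bool IsTrustedOrigin(Uri xapSource, Uri hostPage, bool outOfBrowser)
    {
        if (!IsAllowed(xapSource)) return false;
        return outOfBrowser || IsAllowed(hostPage);
    }

    public static bool IsTrustedStartup()
    {
        Uri xap = Application.Current.Host.Source;
        bool oob = Application.Current.IsRunningOutOfBrowser;
        Uri page = (!oob && HtmlPage.IsEnabled) ? HtmlPage.Document.DocumentUri : null;
        return IsTrustedOrigin(xap, page, oob);
    }

    // Call from Application_Startup: only set RootVisual when the origin checks out.
    public static void GuardStartup(Application app, Func<UIElement> buildRoot)
    {
        if (!IsTrustedStartup())
        {
            // Constructed failure path: show nothing useful rather than the real UI.
            app.RootVisual = new System.Windows.Controls.TextBlock
            {
                Text = "This application must be run from its original site."
            };
            return;
        }
        app.RootVisual = buildRoot();
    }
}
```

Treat this as a tripwire, not a control: it stops the casual "download the XAP and rehost it" case and catches mixed-content mistakes, but an attacker who edits the XAP (Silverlight Spy makes that easy) simply removes the check. The server still has to authenticate and authorize every call as if this check did not exist.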
This class was really focused on having external users accessing your SL app, and half pushing their product DevForce.