Senior SDE Shawn Farkas digs into the new security model in CLR 4. Gone are the days of head scratching complexity when it comes to reasoning about security in the managed world. The main goal for CLR 4 security was simplicity, in design and implementation
for consumers (developers) of both security policy and secure design at the code level (both of these have been traditionally overly complex with a side effect of enabling insecurity rather than preventing it).
Shawn has been working on security inside the CLR (which of course manifests itself in the managed code and libraries you use to build your applications and services). He and team have been very, very busy over the past few years essentially rearchitecting
the core security model of the CLR. What, exactly, have they done? Given the somewhat drastic changes, how does this impact compatibility (especially for those applications that took the leap and built complex CAS and policies into their applications)?
There's a lot of very useful information in this conversation with plenty of whiteboarding. It's great to see the managed security model evolve into a much more simple expressive model with policy patterns that mere mortals can understand and reason about.
Great job Shawn and team! Thank you.
Tune in. Meet one of the minds behind CLR 4's security model.