The newest version of the .NET Framework, version 4, has seen many developments and changes, most of them related to security. Here is a brief introduction followed by a detailed explanation of the security enhancements that an outsourced .NET development team can make use of. Two major changes have taken place in the framework: first, machine-wide security policy has been eliminated while the permission system has been kept as it was; second, security transparency is now the default. Various permission operations that posed a security risk are now obsolete.
Some important points that you should know:
- Code Access Security (CAS) as a whole has not been removed; only the security policy that was associated with CAS has been removed. The evidence and permission features are still present.
- The transparency feature splits the code that runs as a part of the application from that which runs as a part of the infrastructure. This is the new security feature of the update. Even assemblies that run as trusted are checked for any irregularities.
- Code that calls the security policy APIs gets a NotSupportedException at run time, in addition to compiler warnings.
Important Security Enhancements
- Earlier versions of the .NET Framework were built specifically to provide security through policy, but beginning with .NET Framework 4 the common language runtime (CLR) is moving away from security policy. Earlier, an outsourced .NET development team used CAS policy; it was very secure and powerful, but it proved to be something of a burden to both hosts and libraries because it was too complicated and restrictive.
- Even after these updates, hosted and sandboxed applications continue to run with the trust policies predetermined by their hosts; all applications that run in the sandbox are only partially trusted. Transparency gives you one important benefit: you never have to worry about checking the CAS policy when you run partially trusted programs. As a programmer, you only need to make sure that your applications are built to target the sandbox and do not call code that requires full trust.
- Because of these security changes, compilation warnings and various runtime problems may occur; an offshore .NET development team can avoid these warnings by using .
- Backward compatibility is another great feature: all types that the CLR uses as evidence objects are derived from EvidenceBase. The only drawback is that custom evidence types created by users cannot be updated.
- Conditional use of APTCA (AllowPartiallyTrustedCallersAttribute) gives hosts the opportunity to identify any groups they want to expose to partially trusted assemblies; to achieve this, the chosen group must already be designed for partial trust. Before this update, almost every object was capable of being used as an evidence object, provided that the hosting code wished to set it as evidence; however, this posed a problem because implicit restrictions were imposed on objects that could be used as evidence.
- To get rid of these problems, allow evidence objects to function normally, and add new features, .NET Framework 4 has a new base class: System.Security.Policy.EvidenceBase. There are therefore solutions to each of the problems that could have arisen with the launch of this new version.
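The host-defined sandbox described above can be seen in a short C# program for .NET Framework 4. This is an added example, not code from the original article; the `Worker` and `SandboxHost` names and the file path are hypothetical. The host passes an explicit grant set to `AppDomain.CreateDomain` instead of relying on machine-wide CAS policy, and a file read inside the sandbox fails with a `SecurityException`.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical worker type. MarshalByRefObject lets the fully trusted host
// call into the instance that lives inside the partially trusted domain.
public class Worker : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        // File.ReadAllText demands FileIOPermission, which the sandbox lacks.
        try { return File.ReadAllText(path); }
        catch (SecurityException ex) { return "Denied: " + ex.Message; }
    }
}

public static class SandboxHost
{
    public static void Main()
    {
        // The host, not machine policy, decides the grant set: execution only.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        var setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };

        // No evidence and no full-trust list: every assembly loaded here is
        // partially trusted and therefore security transparent.
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);
        try
        {
            var worker = (Worker)sandbox.CreateInstanceAndUnwrap(
                typeof(Worker).Assembly.FullName, typeof(Worker).FullName);

            Console.WriteLine("Sandbox fully trusted: " + sandbox.IsFullyTrusted);
            // Hypothetical path; any file outside the grant set is refused.
            Console.WriteLine(worker.TryReadFile(@"C:\Windows\win.ini"));
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```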