idunno.org

I finally make it onto Herding Code

Barry Dorrans — Fri, 05 Mar 2010 23:16:26 GMT

Now that I can track Scott Koon down as I’m in the same city and there’s a chance I could ambush Jon Galloway when he ventures onto campus they let me appear on Herding Code. Luckily Jon probably has a better idea of what isn’t a sensible thing for a newly minted MS employee to say, so I’m hoping there’s been lots of editing. Lots and lots of editing … having said that it’s still over 1 hour long.

Technorati Tags: HerdingCode

Book Errata – Erratum #2

Barry Dorrans — Fri, 05 Mar 2010 16:47:34 GMT

Wrox will be offering an official errata on the book’s page soon.

The index refers to XMLTs with a reference to page 234 , that page correctly calls them XSLTs.
On page 128 comments in the sample code misspell encryption as “encyrption”.
Figure 6.2 on page 133, diagrams asymmetric encryption not symmetric encryption as the figure label states.

In other news Dan Maharry thinks the book is splendid.

Technorati Tags: Securing ASP.NET,Errata,Wrox

Beginning ASP.NET Security is now available in the US

Barry Dorrans — Tue, 02 Mar 2010 19:45:22 GMT

You can order it from Amazon and it’s in stock. Even better because I had an American editor you’ll find a severe lack of the letter U in words and the abomination that is the Oxford Comma scattered throughout.

In other news despite the continuous hobbit comments Alex Mackey, author of Introducing .NET 4.0 with VS2010 (Amazon US / Amazon UK) has reviewed the book and said nice things, all without payment!

Technorati Tags: ASP.NET,Security

A developer’s guide to encryption

Barry Dorrans — Sun, 07 Feb 2010 14:49:24 GMT

And the recording, with interruptions is here

Barry Dorrans’ hijacked encryption session at DDD8 on Vimeo.

I’ve also seen some of the feedback. Some selected highlights include

Barry was more funny than usually!

I don't think I laughed so much as when the videos began in this session. Barry will be sorely missed yet he still managed to complete his session and coped well with the barrage of mickey-takes and corrective outbursts from Jon Skeet.

Peerless Barry Dorrans, but why were those guys wearing Stephen Hawking T-shirts at the end?

Shame the entertainment was interrupted by some guy speaking :-)

High entertainment value, amazed Barry did as well as he did to continue all things considered :)

I didn't like his presentation style so much - he kepy interrupting it with videos plugging his new book!

Barry was entertaining as usual, and did a marvellous job of covering the topic, despite interruptions. He'll be missed.

The speaker did an excellent job of continuing the presentation despite the 'conditions' he found himself in! A fun session although for a complete encryption noob, it went a bit fast. Some examples of how you would use the encryption would've been welcome.

It was fun to watch the other DDD presenters take the mickey out of Barry. As lets face it, he deserves it. I think I may be scared for life watching him on the Crystal Maze though. I like the idea of burning his book though.

Brilliant session, ruined by some guy interrupting and talking about "hashing", "encryption keys" and "condoms".. can the gentleman in question be banned for next year's event? Thanks. In all seriousness, it was a good overview of cryptography, and if it had been 3 weeks earlier it would have saved me quite a few hours of research on a few points :-)

Covered some topics I only have a passing familiarity with, good to get some insight into various encryption methods and how to apply them. Good fun session, (including all the various pranks :)

Barry is a marmite presenter, you either love his quirky style or .... It worked for me. The farewell video interuptions were amusing but as I'm not a community leader or in the 'gang' some of the in jokes were lost on me. Made me chuckle though.

A fun session with the hijacking of his session by other members of the DDD team. What he did manage to show us was interesting.

Good overview of the basics, humiliation of the speaker was hilarious!

Talk was good and the session was a good laugh also. A topic I know a bit about but still some new and useful info.

Very good session - as much for the comedy aspect as the content. Knew most of the crypto bits, so good to confirm that my knowledge appeared correct. One minor thing, his byte array comparison implementation that he showed isn't a secure implementation as a comparison failure would exit the function early - i.e. it does not compare every element. Therefore timing analysis of the code could allow leakage of the data being compared to (e.g. first 6 of 20 bytes correct). For more info see http://codahale.com/a-lesson-in-timing-attacks/ Comparison functions used in security features should have a fixed execution time and path - so that a comparison failure executes in the same time that a successful comparison does. Excellent fun session though - great to see the extra videos too!

As ever a very humorous but serious, informative session from Barry, who coped remarkably well with various interruptions(which were excellent btw). Found this session very, very useful and am off to buy his book ;-) (Well was going to buy his book before the session anyway but Computer Manuals sold out). The UK Community is losing a great speaker and community lead, however I would like to wish Barry all the best of luck for his move Stateside.

Mostly stuff I was already aware of, but useful to have it all in one package. The highlight was obviously Barry himself, who's clearly a softie in more than one sense. Thanks to all those who embarrassed him on camera.Barry Dorrans - the man, the legend. Knowing in advance that he was going to be disrupted I went into this not expecting to pick much up. But Barry's a rockstar and doesn't let stuff like that faze him - he manfully continued to present in the face of typos (his) and corrections to his code (by Jon Skeet). But I did pick up plenty - where you want to encrypt, you can just use a hash cos they're the same thing. You can reuse encryption keys, you just have to wash them out first.

Aside from the spelling mistakes this was an excellent session on a difficult topic. Despite all the interruptions Barry managed to get through all the material and teach as well as entertain. A great way to end the day.

A great session which delivered in many ways despite the multiple external interruptions. Commedic value was a great value add to this session. Barry continued like a pro despite it all. Good luck at your new job Barry.

An entertaining and informative session. It has been 3 years since I've attended a lecture regarding ASP.NET / software security, I was unaware that using SHA1 was now suggested potentially unsafe! I had also not been salting my encryption as much as he suggested. Overall very useful, although also entertaining - with the mickey taking happening throughout the session! My only complaint was that I didn't get a free copy of his ASP.net security book! I was cold last night and needed something to burn on the fire.

Coped well with presentation hijacks :) Really good overview of crypto services in .NET framework... sure there was some subliminal messages in there me needing his book.
Barry did a good job considering the interruptions he had to handle. A great farewell to the only person to have spoken at every DDD event.
I'd give him six stars for skills - that he kept going through such heckling was amazing. To be fair, I only went to see what would happen to him, as I've seen this talk before.

Most entertaining session of the day, and the content was good too.

a little too much messing around so we missed alot of the session saying goodbye to barry!!!

I definitely liked this! Do I have to go Seattle for more of this??!!!

I've already covered most of this loads of times at Uni, and have seen Barrys presentation before, so it was not overly useful to me! It was great fun however and always good to have a refresher. I wish Barry good luck in Redmond!

Barry gave himself an excellent leaving presentation, he did very well except the spelling mistakes (haha) and still managed to put on an excellent session even though the screens were hijacked multiple times. Bought Barry's book. Makes good kindling.

An excellent session, improved even further by the various japes that occurred during it :-D

Hard to judge based on the interruptions, but he still managed to get through the entire presentation so I consider that to be job done! A wide range of topics covered and I certainly learned a few things. I might even go and buy the book. Maybe.

While Crystal Maze is self-evidently entertaining, the many interjections for MVP in-jokes wore a bit thin.

A little hard to concentrate because of all of the jokes flying around but I'm glad it was a good send off :-)

I'll miss Barry Dorrans

A bit side tracked by Barrys leaving do. This presentation was very similar to the one he gave at WebDDD so I didnt really learn anything new to be honest

Fun talk, again great presentation skills, but a lot of this wasn't new to me, so less useful - not really a criticism though. Very enjoyable, would def. look at buying the book as a result too.

Great send off. Well done Barry and all the other DDD team for making us laugh!

One of the highlight of the day, fun session on a hard to digest topic

The presentation itself was a very good overview which somehow ramped from simple hashes to complex handshake and encryption algorithms without getting anyone lost. Pity it was so frequently interrupted as it was fascinating, but it was also funny regardless.

A think he was side-tracked due to him going across the pond. I would have liked to have seen more usefull content. (e.g.) how to approach web site security like a bank would? Not just going through the menu of Encrption techniques. Show an example of why or when these techniques would/wouldn't be used in the real world. We are all concerned with security, and I really wanted to gain something from this session. I suppose I will just have to buy Barry's book and hope he's covered it there. Not to waffle on, Barry is a great and funny guy.

This was a very interesting session and made more enjoyable by the good luck/goodbye messages from his fellow speakers. I'm sure Barry will be missed.

Impressive that Barry kept going even though he kept getting interrupted. :)

Definitely the most fun session of the day, mainly due to the gags in between Barry's slides! It was a great end to the event. However, anyone trying to follow the content of his talk would have found it difficult.

I saw Barry last year as DDD, and was impressed with the tone and pace of the presentation, i left feeling empowered and entertained at the same time. I felt this time round that the presentation hadnt changed much, and not much though had gone into it. I appreciate Barry has been writing a book and look forward to buying my gran a copy to keep her warm this winter.(joke) It will be a shame to see Barry go to Seattle and therefore lose his spot at DDD hes a very talented guy (even if a little egocentric)

Actually, against the odds, Barry managed to get in some useful information on encryption. I'd have liked a bit more focus on the usage scenarios and less on the mechanics. And why so many references to WCF? It's not like anyone uses it...
Could have done with showing applications of the examples in the real world rather than just the factual examples.
Great presentation, I obtained a lot of knowledge from this session and it answered my questions around XML encryption

I also enjoyed this session. great introduction to .net cryptography. I found it very informative. Maybe a bit more content could have been given due to interuptions.

I think this session was the most entertaining one but it wasn't more useful since most of the time it presents coding rather than how we can use encryption in real world

Besides the interruptions, this session had a good level of beginner encryption knowledge. It is hard not to take something away from even such a light touch on the world. Obviously, it is hard to say "This must be done this way" as security is so personal to the project but some real world cases might have made the details more self explanatory.

Sorry, I found picking up the subject matter (which I was looking forward to) drowned out by the constant interuptions.

It is a shame Barry will not be able to speak at future events

Bye bye Barry, come back next year ;-) The interludes were funny.

So yes, I apologise for the interruptions – I had expected something, just not during the presentation. For those of you that tried hard to get something out of and failed I’ll be willing to do a series of blog posts, just tell me what you want in the comments and as I get organised in Redmond I’ll start a little blog series around the topic. I am a little confused by those who say they’ve seen it before – it was a brand new presentation. Weird!

Technorati Tags: #ddd8

On the importance of checking inputs

Barry Dorrans — Sun, 07 Feb 2010 12:29:26 GMT

So by now we should all know that using user input in a web page and spitting it back out again without encoding it is a bad idea and leads to cross site scripting. Of course some web sites don’t bother, which leads to hilarity such as the Toyota Ireland recall page, as demonstrated here.

All the HTML encoding in the world won’t save you if you’re not constraining and validating your input … (although Toyota aren’t even bothering with encoding – you can embed script in the r parameter for that page)

Technorati Tags: Input,Security,XSS

And this is why I’ll miss the UK .NET community

Barry Dorrans — Fri, 05 Feb 2010 08:38:08 GMT

A ~~tight little bunch of nits~~ … tightly nit bunch. I’d suggest if you’re waiting for the video of my DDD8 session you forget it. The good bits – the interruptions are below …

Plip's Book Advert.

Liam's Eulogy.

Colin Mackay's new source of presentations.

Craig Murphy insulting not one but two ex-UK community folks.

It is with a heavy heart, for various reasons, that I’m boarding the Microsoft big white taxi from Heathrow this afternoon. Obviously I’m going to miss family, but the UK .NET community has been part of my life for ~~too long~~ a very long time now and contains a great many friends and one soulless ginger northern git who I will miss a lot. Of course I’ll still be abusing them on twitter and I hope that the stuff I am working on will provide me with enough ammunition to speak at TechEd and any other conference that will have me … it’s a whole new continent of conference organisers who don’t know me at all and thus who don’t know what they’re letting themselves in for …

Technorati Tags: DDD8

Blue Lego isn’t all bad…

Barry Dorrans — Mon, 01 Feb 2010 11:24:32 GMT

A poor Adobe employee is throwing its toys out of the iPram right now over the lack of flash support on the iPad. However that little plug brick has one major advantage … for a change on the iPhone Apple appear to have done a reasonable job on security (although with their tight-lipped approach to discussing security it’s hard to tell). Adobe on the other hand, well … Acrobat is the major vector for drive by malware right now, Flash has its own problems and the Shockwave security update last month had users uninstalling old versions and then installing new versions manually. It’s not a little blue brick people, it’s a little blue condom …

Technorati Tags: Apple,Adobe

DDD8 – A Developer’s Guide to Encryption

Barry Dorrans — Sat, 30 Jan 2010 22:07:10 GMT

Today was DDD8, the last DDD event I can do because the rules exclude MS employees from speak and in 10 days time I will be in that category. I presented “A Developer’s Guide to Encryption” (PowerPoint/Sample Code) running through the main options developers have in .NET for cryptography. (The powerpoint deck should have all the spelling checks fixed. I swear those weren’t there on Wednesday when I finished … but I can’t see how anyone could have knobbled it, so I must have just been very fat fingered!)

I’m rather sad to leave DDD behind, I’ve presented at every one of the main DDD events, plus all the DDD Scotland events, the two WebDD and started and organised two DDD events in Ireland. However this does mean I have enough DDD speaker shirts to wear them to work for 2 weeks without having to wash anything …

I should apologise to anyone who expected a sane presentation from me. 10 minutes into the talk the screen was hijacked to have a community member reading poems and eulogising my loss. Jon Skeet’s spotting of code errors were side amusements! These interruptions became more frequent as time wore on culminating in a border of my book courtesy of Phil Winstanley. Then there were the t-shirts with a screen shot from my Crystal Maze appearance on some community members. Poor Ben Hall in the next room had problems as each time my screen was hijacked, his speakers got hijacked too. Then there was my book cover appearing in everyone’s presentations, except Gary Short’s who commented the community would be better off without me … Gosh, maybe I won’t miss these lot. nxtgen also presented me with a “nxtgen lifetime achievement award” which I will place on my shelf in my office once it arrives with the rest of my stuff.

Tweets of the occasion included

On another #ddd8 related note, @blowdart got a sendoff he won't soon forget. Even with therapy. :)

Major embarass @blowdart session!

An amazing start to the security presentation with the projector being taken over and appropriate @blowdart abuse dished out

Watching @blowdart burn his bridges during his final DDD talk. Hard to take topic seriously at the moment :)

Peter Curd has a little of an audience reaction on his blog. Ian has also written up the day, as has Richard.

The photos I took are on flickr, some of the highlights are below

Technorati Tags: DDD8,Cryptography,Encryption,.NET,C#

Book Errata – Erratum #1

Barry Dorrans — Wed, 27 Jan 2010 21:51:26 GMT

#1 of what will be doubtless many. Right now I’ve started to put things away, so I don’t know when I’ll have the ability to produce a proper errata to Wrox requirements, so rather than have you struggle I’m posting the correction(s) here.

Listing 10-11 on page 251 is incorrect, and if ran no X509 signing certificate will be extracted, although the XML signature will be verified. The code should be as follows:

public static bool VerifySignature(XmlDocument document, out X509Certificate signingCertificate)
{
    // Create a new SignedXml object and load
    // the signed XML document.
    SignedXml signedXml = new SignedXml(document);

    // Find the "Signature" node and create a new
    // XmlNodeList object.
    XmlNodeList nodeList = document.GetElementsByTagName("Signature");
    if (nodeList.Count <= 0)
    {
        throw new CryptographicException("No signature found.");
    }

    // Load the first <signature> node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    signingCertificate = null;

    // Extract the signing certificate.
    foreach (KeyInfoClause keyInfoClause in signedXml.KeyInfo)
    {
        if (!(keyInfoClause is KeyInfoX509Data))
        {
            continue;
        }

        KeyInfoX509Data keyInfoX509Data = keyInfoClause as KeyInfoX509Data;
        if ((keyInfoX509Data.Certificates != null) && (keyInfoX509Data.Certificates.Count == 1))
        {
            signingCertificate = (X509Certificate)keyInfoX509Data.Certificates[0];
        }
    }
    
    // Check the signature.
    return signedXml.CheckSignature();
}

Apologies for that, I can only blame my fat fingers as I cut and pasted into Word.

(I’ve edited the title because Jon Skeet {yes, that Jon Skeet} is a pedant).

Technorati Tags: Securing ASP.NET,Errata,Wrox

Beginning ASP.NET Security Table of Contents

Barry Dorrans — Wed, 27 Jan 2010 16:56:31 GMT

A few people have been asking for the table of contents for Beginning ASP.NET Security so here it is;

CHAPTER 1: WHY WEB SECURITY MATTERS
- Anatomy of an Attack
- Risks and Rewards
- Building Security from the Ground Up
  - Defense in Depth
  - Never Trust Input
  - Fail Gracefully
  - Watch for Attacks
  - Use Least Privilege
  - Firewalls and Cryptography Are Not a Panacea
  - Security Should Be Your Default State
  - Code Defensively
- The OWASP Top Ten
- Moving Forward
- Checklists
CHAPTER 2: HOW THE WEB WORKS
- Examining HTTP
  - Requesting a Resource
  - Responding to a Request
  - Sniffing HTTP Requests and Responses
- Understanding HTML Forms
- Examining How ASP.NET Works
  - Understanding How ASP.NET Events Work
  - Examining the ASP.NET Pipeline
  - Writing HTTP Modules
- Summary
CHAPTER 3: SAFELY ACCEPTING USER INPUT
- Defining Input
- Dealing with Input Safely
  - Echoing User Input Safely
  - Mitigating Against XSS
  - The Microsoft Anti-XSS Library
    - The Security Run-time Engine
  - Constraining Input
  - Protecting Cookies
- Validating Form Input
  - Validation Controls
  - Standard ASP.NET Validation Controls
    - Using the RequiredFieldValidator
    - Using the RangeValidator
    - Using the RegularExpressionValidator
    - Using the CompareValidator
    - Using the CustomValidator
    - Validation Groups
- A Checklist for Handling Input
CHAPTER 4: USING QUERY STRINGS, FORM FIELDS, EVENTS, AND BROWSER INFORMATION
- Using the Right Input Type
- Query Strings
- Form Fields
- Request Forgery and How to Avoid It
  - Mitigating Against CSRF
- Protecting ASP.NET Events
- Avoiding Mistakes with Browser Information
- A Checklist for Query Strings, Forms, Events, and Browser Information
CHAPTER 5: CONTROLLING INFORMATION
- Controlling ViewState
  - Validating ViewState
  - Encrypting ViewState
  - Protecting Against ViewState One-Click Attacks
  - Removing ViewState from the Client Page
  - Disabling Browser Caching
- Error Handling and Logging
  - Improving Your Error Handling
  - Watching for Special Exceptions
  - Logging Errors and Monitoring Your Application
  - Using the Windows Event Log
  - Using Email to Log Events
  - Using ASP.NET Tracing
  - Using Performance Counters
  - Using WMI Events
  - Another Alternative: Logging Frameworks
- Limiting Search Engines
  - Controlling Robots with a Metatag
  - Controlling Robots with robots.txt
- Protecting Passwords in Config Files
- A Checklist for Query Strings, Forms, Events and Browser Information
CHAPTER 6: KEEPING SECRETS SECRET — HASHING AND ENCRYPTION
- Protecting Integrity with Hashing
  - Choosing a Hashing Algorithm
  - Protecting Passwords with Hashing
    - Salting Passwords
    - Generating Secure Random Numbers
- Encrypting Data
  - Understanding Symmetric Encryption
    - Protecting Data with Symmetric Encryption
  - Sharing Secrets with Asymmetric Encryption
    - Using Asymmetric Encryption without Certificates
    - Using Certificates for Asymmetric Encryption
    - Getting a Certificate
  - Using the Windows DPAPI
- A Checklist for Encryption
CHAPTER 7: ADDING USERNAMES AND PASSWORDS
- Authentication and Authorization
- Discovering Your Own Identity
- Adding Authentication in ASP.NET
  - Using Forms Authentication
    - Configuring Forms Authentication
    - Using SQL as a Membership Store
    - Creating Users
    - Examining How Users Are Stored
    - Configuring the Membership Settings
    - Creating Users Programmatically
    - Supporting Password Changes and Resets
  - Windows Authentication
    - Configuring IIS for Windows Authentication
    - Impersonation with Windows Authentication
- Authorization in ASP.NET
  - Examining <allow> and <deny>
  - Role-Based Authorization
    - Configuring Roles with Forms Based Authentication
    - Using the Configuration Tools to Manage Roles
    - Managing Roles Programmatically
    - Managing Role Members Programmatically
    - Roles with Windows Authentication
  - Limiting Access to Files and Folders
  - Checking Users and Roles Programmatically
    - Securing Object References
- A Checklist for Authentication and Authorization
CHAPTER 8: SECURELY ACCESSING DATABASES
- Writing Bad Code: Demonstrating SQL Injection
- Fixing the Vulnerability
- More Security for SQL Server
  - Connecting Without Passwords
    - SQL Permissions
    - Adding a User to a Database
    - Managing SQL Permissions
    - Groups and Roles
    - Least Privilege Accounts
  - Using Views
  - SQL Express User Instances
  - Drawbacks of the VS Built-in Web Server
  - Dynamic SQL Stored Procedures
  - Using SQL Encryption
    - Encrypting by Pass Phrase
    - SQL Symmetric Encryption
    - SQL Asymmetric Encryption
    - Calculating Hashes and HMACs in SQL
- A Checklist for Securely Accessing Databases
CHAPTER 9: USING THE FILE SYSTEM
- Accessing Existing Files Safely
  - Making Static Files Secure
    - Checking That Your Application Can Access Files
  - Making a File Downloadable and Setting Its Name
  - Adding Further Checks to File Access
    - Adding Role Checks
    - Anti-Leeching Checks
  - Accessing Files on a Remote System
- Creating Files Safely
- Handling User Uploads
  - Using the File Upload Control
- A Checklist for Securely Accessing Files
CHAPTER 10: SECURING XML
- Validating XML
  - Well-Formed XML
  - Valid XML
  - XML Parsers
- Querying XML
  - Avoiding XPath Injection
- Securing XML Documents
  - Encrypting XML Documents
    - Using a Symmetric Encryption Key with XML
    - Using an Asymmetric Key Pair to Encrypt and Decrypt XML
    - Using an X509 Certifi cate to Encrypt and Decrypt XML
  - Signing XML Documents
- A Checklist for XML
CHAPTER 11: SHARING DATA WITH WINDOWS COMMUNICATION FOUNDATION
- Creating and Consuming WCF Services
- Security and Privacy with WCF
  - Transport Security
  - Message Security
  - Mixed Mode
  - Selecting the Security Mode
  - Choosing the Client Credentials
- Adding Security to an Internet Service
- Signing Messages with WCF
- Logging and Auditing in WCF
- Validating Parameters Using Inspectors
- Using Message Inspectors
- Throwing Errors in WCF
- A Checklist for Securing WCF
CHAPTER 12: SECURING RICH INTERNET APPLICATIONS=
- RIA Architecture
- Security in Ajax Applications
  - The XMLHttpRequest Object
  - The Ajax Same Origin Policy
  - The Microsoft ASP.NET Ajax Framework
    - Examining the UpdatePanel
    - Examining the ScriptManager
    - Security Considerations with UpdatePanel and ScriptManager
- Security in Silverlight Applications
  - Understanding the CoreCLR Security Model
  - Using the HTML Bridge
    - Controlling Access to the HTML DOM
    - Exposing Silverlight Classes and Members to the DOM
  - Accessing the Local File System
  - Using Cryptography in Silverlight
  - Accessing the Web and Web Services with Silverlight
- Using ASP.NET Authentication and Authorization in Ajax and Silverlight
- A Checklist for Securing Ajax and Silverlight
CHAPTER 13: UNDERSTANDING CODE ACCESS SECURITY
- Understanding Code Access Security
  - Using ASP.NET Trust Levels
    - Demanding Minimum CAS Permissions
    - Asking and Checking for CAS Permissions
    - Testing Your Application under a New Trust Level
    - Using the Global Assembly Cache to Run Code Under Full Trust
    - .NET 4 Changes for Trust and ASP.NET
- A Checklist for Code not Under Full Trust
CHAPTER 14: SECURING INTERNET INFORMATION SERVER (IIS)
- Installing and Configuring IIS7
  - IIS Role Services
    - Removing Global Features for an Individual Web Site
  - Creating and Configuring Application Pools
  - Configuring Trust Levels in IIS
    - Locking Trust Levels
    - Creating Custom Trust Levels
- Filtering Requests
  - Filtering Double-Encoded Requests
  - Filtering Requests with Non-ASCII Characters
  - Filtering Requests Based on File Extension
  - Filtering Requests Based on Request Size
  - Filtering Requests Based on HTTP Verbs
  - Filtering Requests Based on URL Sequences
  - Filtering Requests Based on Request Segments
  - Filtering Requests Based on a Request Header
- Status Codes Returned to Denied Requests
- Using Log Parser to Mine IIS Log Files
- Using Certificates
  - Requesting an SSL Certificate
  - Configuring a Site to Use HTTPS
  - Setting up a Test Certification Authority
- A Checklist for Securing Internet Information Server (IIS)
CHAPTER 15: THIRD-PARTY AUTHENTICATION
- A Brief History of Federated Identity
- Using the Windows Identity Foundation to accept SAML and Information Cards
  - Creating a “Claims-Aware” Web Site
  - Accepting Information Cards
  - Working with a Claims Identity
- Using OpenID with Your Web Site
- Using Windows Live ID with Your Web Site
- A Strategy for Integrating Third-Party Authentication with Forms Authentication
- Summary
CHAPTER 16: SECURE DEVELOPMENT WITH THE ASP.NET MVC FRAMEWORK
- MVC Input and Output
  - Protecting Yourself Against XSS
  - Protecting an MVC Application Against CSRF
  - Securing Model Binding
  - Providing Validation for and Error Messages from Your Model
- Authentication and Authorization with ASP.NET MVC
  - Authorizing Actions and Controllers
  - Protecting Public Controller Methods
  - Discovering the Current User
  - Customizing Authorization with an Authorization Filter
- Error Handling with ASP.NET MVC
- A Checklist for Secure Development with the ASP.NET MVC Framework
INDEX

I’ve cut and pasted this from proof PDFs, so any weird formatting errors are mine as I tried to turn this into HTML.

Technorati Tags: Beginning ASP.NET Security,Book