December 2008 Entries

Santa seems to be bringing podcasts

Both nxtgen and Craig Murphy have been catching up on their podcasts. nxtgen have published some of their podcasts from the PDC interviewing Chris Anderson and Don Box and Tim Sneath and Mike Swanson. Craig has been busy editing his 12 podcasts of Christmas; so far he has

01 - Kyle Baley on ALT.NET and Brownfield Development in .NET
02 - Aaron Parker on Microsoft Application Virtualisation
03 - Caroline Bucklow from IT4Communities: charitable software development
04 - Eileen Brown on IT Professionals, TechNet, Women In Technology & Girl Geek Dinners

Worse, he has found the podcast in the pub from IMTC this year....

posted @ Monday, December 15, 2008 11:08 AM | Feedback (0)

CAT.NET CTP Released

Following up AntiXSS Mark Curphey also announces the first public release of CAT.NET. CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a...

posted @ Monday, December 15, 2008 10:18 AM | Feedback (0)

The pain of strong names and open source projects

Those of us using FxCop or Visual Studio's code analysis are well used to seeing the plaintive plea to strong name our assemblies. Strong names provide versioning and verification as well as allowing assemblies to be placed into the global assembly cache. They are generally a good thing. But there's a problem. Like any type of code or message signing, they require a keyset, and that keyset should be kept secret. What happens in open source projects or in corporate environments? Ideally the strong naming should become part of the build process; but that requires the key files to be...

posted @ Sunday, December 14, 2008 10:18 PM | Feedback (2)

Announcing AntiCSRF for ASP.NET

As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you log on to a web site an authentication cookie is left on your machine (or if you're using HTTP Authentication your browser remembers and sends the username and password with each request). An...

posted @ Sunday, December 14, 2008 1:47 AM | Feedback (14)

A new version of AntiXSS

For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework. However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs. It was released on codeplex last night; you can get the v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...

posted @ Wednesday, December 10, 2008 11:39 AM | Feedback (0)

The Security Development Lifecycle and a new threat modelling tool

The Microsoft SDL website has been updated with three new pages:

- the SDL Optimization Model page, from which you can download the SDL Optimisation Model
- the SDL Pro Network page, linking to the SDL Pro Network webpage
- the SDL Threat Modelling Tool page, from which you can download the SDL Threat Modelling Tool v3 beta

Having seen the Threat Modelling Tool at the MVP Summit last year I've been looking forward to this one; it's improved a lot. It now uses Visio under the hood for a lovely interface, automation and guidance in your modelling as well as a...

posted @ Thursday, December 04, 2008 9:59 PM | Feedback (0)