Today is 'Security Day' with the esteemed Keith Brown leading the class. We talked about lots of WCF-Security stuff, and also a lot about web security.
Some of the more interesting web security things were:
- The Code Room - Vegas starring Keith Brown et. all. It is a fun little poke at security on web sites and shows session hijacking and SQL injection.
- Keith has an excellent set of tutorials about input validation located at http://pluralsight.com/wiki/default.aspx/Keith/InputValidationModules.html. All developers should be using these techniques to improve web site security!
- Integer overflow in managed code exists in C#!!!! This suprises a lot of people (myself included). Keith recommended turning on checking at a project level, and use the 'unchecked' statment if you really need to 'squeeze' performance and bypass the overflow/underflow checking.
- I got Keith to sign my copy of The .NET Developer's Guide to Windows Security (ok, a bit nerdy I admit)
- The Cookies and tamper detection module is excellent!
- We did a lab on input validation using regular expressions. Here is a good link to the PAG site on common regular expressions. Remember, all user input is EVIL and NOT TO BE TRUSTED!
- Manageability (instrumentation) often gets overlooked in apps because we're too busy building features. However, when it comes time to debug, it is difficult to impossible to quickly find the problem. The .Net Framework makes it trivial to write to the event log and Windows performance counters and there is no reason not to do it!
My brain is full for today. Time to relax for a bit and get ready for days 4 and 5.
jk
No comments:
Post a Comment