Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


I will be speaking at the New England Code Camp 8: Rise of the Silverlight Surfer at the Microsoft offices in Waltham, MA on September 29-30, on the following security topics:

  • Penetration Testing of Web Applications
  • Secure Code Reviews: What are the ingredients?

There is already a great lineup of talks here. Also, Chris Bowen mentioned there will be a Saturday Evening Geek Event at 7:00 pm at the Weston Hotel in Waltham (a tradition that started way back in Code Camp II). This will be my 7th New England Code Camp as a speaker and I am really looking forward to it. If you are in the area, go register, and see you this weekend!

I will be speaking on the topic "Web Services Security: Where are we now?" this coming Wednesday, September 12, 2007, at the Boston .NET Users Group meeting at Microsoft, Waltham, MA. There has been some interesting discussion lately, including at this year's Black Hat USA 2007 in July, on the current state of web services security. I will be covering the common web services attacks developers should know about as well as current information on WS-* security, REST, and other mitigation measures. If you are in the area, stop on by, but first go register at the user group site to let them know you will be attending.

I was in a user group meeting recently with Patrick Hynds speaking about Identity and presenting demos on Windows CardSpace. Someone in the audience mentioned it would be great to see Microsoft start using this for some of their websites (I agree!). Well, here it is: LiveID + CardSpace.

Also, take a look at the latest samples for WCF, WF, and CardSpace for VS 2008 Beta 2.

I have been mostly silent for the past year as I have been busy working with a client in Western Massachusetts on a very interesting ASP.NET 2.0 project (using C# 2.0). I had the pleasure of working with one of the best teams I have seen in my career -- all were bright, willing to learn, and up to the daunting task of converting their skills from pre-.NET right into .NET 2.0 and object-oriented programming. I taught a course to the company earlier last year and they asked me to come and help with the architecture and final development of a very time-critical ASP.NET application. I am very, very happy to say they met their goals, with the project going live last week and right on target! In the end they have a very robust, highly maintainable, flexible, and extensible architecture that met their immediate needs and certainly their future needs as well.

One of the most impressive things to me was how the team caught on to designing the system with Domain Driven Design (DDD), thinking about the business domain and translating it into objects that made sense. Test Driven Development (TDD) with NUnit and TestDriven.NET (and the testing tools that are part of ReSharper) was also introduced, and the team picked it up well, using Dependency Injection and other DDD principles to test the domain without the database (of course, there was some unit-level testing of the database as well, but the core objects were tested without needing a database). Instead of building a traditional data-centric application, which was most familiar to them, they built more of an object/domain-centric application that, as I said, is robust, highly maintainable, flexible, and extensible. Of course, I also helped make sure the application was secure, and I put together a nice web services/SOA solution using WCF that I think will grow with the company. It certainly was a great opportunity, and I am very proud to have been part of the team's accomplishments.

Now, on to other things. I look to continue speaking, training, performing secure code audits and security testing, and working on similar projects as this one. I am currently available for contract and/or other opportunities. You can contact me through my web site or the contact page of this blog if I may be of assistance.

39

An old favorite of mine, Jack Benny, used to be 39 forever. Today, I turned that age. Time flies ...

Posted by RHurlbut | 3 comment(s)

I have posted my slides on my site for last week's talk, Introduction to Windows CardSpace, at the Southern CT .NET Users Group meeting on June 12.

It was a good meeting, but there were a lot of questions about how well this technology will be adopted. Unfortunately, at the moment, only a sparse number of sites are using the technology (see http://sandbox.netfx3.com/ and http://www.identityblog.com for a couple of examples that are using CardSpace). One hindrance may be the lack of tools and documentation for use with ASP.NET and other environments.

Check out Dominick Baier's latest posts on updated ASP.NET controls for CardSpace and code to get CardSpace tokens programmatically. Great stuff!

I will be speaking at the Southern Connecticut .NET User Group on June 12 from 6:00 pm to 8:00 pm. You can get directions, etc. from their web site here. Here is the abstract:

Introduction to Windows CardSpace

Location: Pitney Bowes Inc

Tuesday, June 12, 2007, 6:00 PM - 8:00 PM

Windows CardSpace enables users to provide their digital identities in a familiar, secure and easy way. It allows the user to use a variety of virtual cards to identify themselves, each retrieving data from an identity provider. This talk will cover an introduction to identity management and related issues, explore the architecture of CardSpace, and will demonstrate how to enable your Web site to receive identity cards.

Over the weekend at the New England Code Camp 7 conference, I briefly mentioned some of the potential security problems with AJAX. Dana Epp has a post about the new class of attack vectors using JavaScript Hijacking against AJAX (and ultimately ATLAS) applications. He points to a research paper by Fortify Software that details the vulnerabilities, how the attacks could be performed, and ways to mitigate them.

Be sure to read Dana's post and the research paper. Take Dana's warning to heart and make mitigating this type of threat part of your own company's threat modeling process.
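As an added illustration (not code from the original post, from Dana Epp, or from the Fortify paper), the snippet below models the two server-side defenses usually recommended against JavaScript Hijacking: refuse sensitive JSON to requests that could have come from a cross-site `<script src>` include, and wrap the body so it is not directly executable if it is pulled in that way. The function names, the `X-Requested-With` check and the `while(1);` prefix are this example's own choices, and the request/response objects are plain values so it runs without a web server.

```javascript
// Added example: mitigations for JavaScript Hijacking of AJAX/JSON endpoints.
// handleJsonRequest and readGuardedJson are hypothetical names chosen here.

const REQUIRED_HEADER = "x-requested-with"; // same-origin XHR can set it; a <script> tag cannot
const GUARD_PREFIX = "while(1);";           // if loaded as script, the page hangs before any data is evaluated

// Constructed sample data standing in for a sensitive, per-session response.
const ACCOUNT_DB = {
  "session-abc": [{ id: 17, email: "alice@example.invalid", balance: 1250.5 }],
};

// Server side: answer only to requests that prove they came from same-origin
// script (custom header, non-GET method), then wrap the JSON so it is not a
// valid executable script on its own.
function handleJsonRequest(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (req.method !== "POST") {
    return { status: 405, body: "" }; // a <script src> include always issues GET
  }
  if (headers[REQUIRED_HEADER] !== "XMLHttpRequest") {
    return { status: 403, body: "" }; // ambient cookie alone is not enough
  }
  const rows = ACCOUNT_DB[(req.cookies || {}).session];
  if (!rows) {
    return { status: 401, body: "" };
  }
  // Return an object rather than a bare array: an array literal is a valid
  // expression statement, so the guard prefix matters most for array shapes.
  return { status: 200, body: GUARD_PREFIX + JSON.stringify({ accounts: rows }) };
}

// Client side (same origin): insist on the guard, strip it, then parse.
function readGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response lacks guard prefix; refusing to parse");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}
```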

I have posted the slide decks and demo code I used for my talks this past weekend at the New England Code Camp 7 - Deer in Headlights conference. You can find the files here.

My talks were:

  • How to Perform a Secure Code Review
  • Protecting Data with SQL Server 2005

Both talks went really well, I think. Thanks to everyone who attended the talks -- there were very good questions and I was very encouraged that it seemed many caught the "secure development" bug as a result of the talks.

With the SQL Server 2005 talk, I went through some sample scripts that have been very useful to me in storing encrypted data as well as searching encrypted data (based on the great work and information found at Laurentiu Cristofor's blog and Raul Garcia's blog).

Special thanks to Rudolf Araujo (from Foundstone and a fellow Microsoft Security Developer MVP) for the use of his Threat Modeling slides in my Secure Code Review talk. One reference I didn't mention at the time, but have since included in my slide deck, is the book The Art of Software Security Assessment by Mark Dowd, John McDonald, and Justin Schuh -- a fantastic book for secure code reviewers that is destined to be a classic.

Also, while I am at it: if you are looking for a secure code reviewer, please consider my company. As you look for reviewers, also be sure to read Mark Curphey's (another Microsoft Security Developer MVP) excellent post on Top Ten Tips for Hiring Security Code Reviewers before you hire anyone.

Posted by RHurlbut | 1 comment(s)

I found a very encouraging announcement today:

SANS has created the new Software Security Institute (SSI) (link), an exam program designed to ensure that software programmers demonstrate proper security techniques when writing code.

Here are the project goals:

  • Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
  • Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
  • Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
  • Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
  • Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
  • Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

I have been looking for something like this for quite some time. There have been several options available for certification in network security, but as far as I know, no certifications were available for software security. This is great news!

The first set of tests will be delivered in Washington, DC in August, and then much more widely after that through 2007. At the moment, they have tests for C and C++ and for Java and J2EE, with Perl and PHP, and .NET and ASP.NET, planned.

See more information about the program and press releases here.

Posted by RHurlbut | 2 comment(s)