Background reading for DevDays 2004

In preparation for my presentation at Microsoft DevDays 2004 in Pittsburgh, I have been reading “Writing Secure Code” by Michael Howard and David LeBlanc (which a former colleague, David Williams, pointed me towards). For those of us living in the business application and web application realm, a buffer overrun is something we read about on security bulletins. It was fascinating to read how it all works and how to overcome it. Some great code examples, thoroughly interesting. But don't leave thinking that this book is only for those dealing with unmanaged code!

It discusses web application threats, including a detailed treatment of SQL injection, cross-site scripting, hidden field tampering and canonicalization issues. There is also a chapter on securing .NET code, which covers requesting code access permissions programmatically, something most .NET developers probably don't even know about. It also details threat modeling: determining your vulnerabilities before and during application development, not after.
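Since the permission-request feature gets so little attention, here is an added example of what it looks like (my code, not from the book): an assembly that declares the code access permissions it needs up front, then checks and narrows them imperatively inside a method. The directory and registry paths are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Declarative, assembly-level requests. The CLR evaluates these at load time:
//  - RequestMinimum: refuse to load the assembly at all unless policy grants these.
//  - RequestOptional: ask for these if policy allows, but keep running without them.
//  - RequestRefuse:  never accept these, even if policy would hand them out.
// Caveat: as soon as RequestOptional appears, everything NOT listed under
// RequestMinimum or RequestOptional is implicitly refused, so list every
// permission the assembly genuinely needs. Paths below are placeholders.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\App\Config")]
[assembly: EnvironmentPermission(SecurityAction.RequestOptional, Read = "TEMP")]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

public static class ConfigReader
{
    // Imperative check: Demand() walks the call stack and throws SecurityException
    // if any caller lacks read access to the file. FileIOPermission requires an
    // absolute path, so normalise first (a relative path throws ArgumentException).
    public static bool CanRead(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, Path.GetFullPath(path)).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Least privilege for the duration of one operation: PermitOnly() restricts this
    // frame (and anything it calls) to reading exactly one file, regardless of what
    // the assembly as a whole was granted. RevertPermitOnly() restores the grant set.
    public static string ReadConfig(string path)
    {
        string fullPath = Path.GetFullPath(path);
        new FileIOPermission(FileIOPermissionAccess.Read, fullPath).PermitOnly();
        try
        {
            using (StreamReader reader = new StreamReader(fullPath))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    public static void Main()
    {
        string configPath = @"C:\App\Config\settings.xml"; // hypothetical
        Console.WriteLine(CanRead(configPath)
            ? ReadConfig(configPath)
            : "Policy does not grant read access to " + configPath);
    }
}
```

One caveat for anyone reading this later: assembly-level permission requests were marked obsolete in .NET Framework 4, and .NET Core and its successors do not enforce code access security at all, so treat this as a .NET 1.x/2.0 technique.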

Microsoft also offers the following freely available resources:
