December 2004 - Posts
Some interesting reads I found today on secure coding:
Secure programmer: Call components safely [By way of Dana Epp]
David Wheeler has released a new article on how to call components safely. He posted this abstract on SCL this morning:
Application programs typically make calls to other components, such as the underlying operating system, database systems, reusable libraries, Internet services (like DNS), Web services, and so on. This article explains how to prevent attackers from exploiting those calls to other components by discussing the use of only secure components, passing only valid data, making sure the data will be correctly interpreted, checking return values and exceptions, and protecting data as it flows between applications and components.
Sandboxing Components for Impersonation
Michele Leroux Bustamante talks about separating high privileged code in ASP.NET applications using code access security, impersonation, and various other lockdown techniques. Check out her article on TheServerSide.net.
I wish everyone a safe and happy holiday season! Enjoy the time with family and friends!
Here are some notable .NET events happening in the Boston area for January:
Downtown Boston Beantown.NET User Group, January 6, 5:30-7:30, featuring Richard Hale Shaw on "Implementing Patterns in C#". You can find more information from Sam Gentile, who leads the Beantown group.
Boston .NET User Group, January 12, 5:00-6:30, featuring Michael Stiefel on "Programming Web Services With Microsoft's Web Service Enhancements 2.0". Also, that night, 6:30-, featuring Richard Hale Shaw on "Inside the .NET Framework 2.0". You can find more information about both presentations at the website. Chris Pels is the leader.
Boston Geek Dinner, January 18, 6:30-, at Boston Beer Works in Downtown Boston. For more details, check with Jason Haley, the guy who organizes these (and does a great job!).
And, of course, the first Boston Code Brew, on January 19, 6:00-.
It looks to be a great month of .NET!
I am pleased to announce and give an update on the new group I and a few others have been forming since November. On January 19, 2005, we will have our first Boston Code Brew meeting. What is this group? Here is a description from our new Yahoo group (codebrew_boston):
A group of developers in the Boston area that get together and discuss various topics about Patterns, .NET, SQL, and anything else that interests us.
This is based on Bill Evjen's idea of a Code Brew (see http://geekswithblogs.net/evjen/archive/2004/11/05/14451.aspx). Here is his definition:
* A Code Brew consists of a small group of peers (4-10 to be effective)
* Meet with laptops ready, software ready and an understanding that each person is going to want to take a 10-30 minute lead with the group
* Each lead (in turn) works through either a work-through demo (which everyone will work through as well), a problem they are having (which others will try to help solve through either advice or samples), a product demo (either something someone built or something cool that was found which you feel others would benefit from)
This is an evolution of the ideas I had over a year ago when I asked the question about putting together a .NET Patterns study group. I said:
"... I am wondering if there is interest among developers (in particular, .NET developers) for .NET Patterns study groups as there was with the GoF book? What kind of group would this be? At some of the User Groups I attend, I see more “presentation” style going on rather than “discussion”, so I don't think that would be the ideal place. Granted, the interest may be limited mostly to the architecture wonks, but I would think many developers would benefit from groups like these."
I see the Code Brew groups satisfying this goal and more. I believe the purpose and intent of a Code Brew group is not to take away from the existing .NET User Groups (i.e. INETA groups), but instead to serve as an extension of these groups by providing informal discussions, learning and sharing, and allowing everyone to contribute. In fact, the difference between User Groups and Code Brew Groups is that everyone in a Code Brew is expected and/or required to contribute. That is its nature and format.
As I mentioned, the first Boston Code Brew meeting will be January 19 at 6:00 pm-?? at the offices of Airpath Wireless, Inc. in Waltham, MA (address and directions will be provided later and at our codebrew_boston group site). We may have future meetings here or at restaurants or wherever it makes sense to have these informal meetings.
I would like to personally thank several people who have been helpful and supportive in putting this group together:
- Jason Haley for reminding me of my post from a year ago and saying he wanted this kind of group
- Aaron Weiker for also wanting this kind of group, getting the codebrew_boston Yahoo group started, and helping with arrangements at Airpath
- Ernie Booth for also wanting this kind of group, and along with Jason and Aaron above, providing an ear for bouncing off ideas
- Kevin Hegg for suggesting I look at Bill's Code Brew idea and expanding my thoughts on a Patterns group to include many other topics
- Airpath for hosting our first group meeting
- Chris Pels (one of several local INETA representatives and the leader of the Boston .NET User Group) and Thom Robbins for their support, encouragement and suggestions for format and locations
Stay tuned for more information and topics as we get closer to the first meeting.
One of my sons (age 12) was in a school bus crash this morning during the snow storm here.
Fortunately, he is OK. Still, it is something that shakes you up a bit.
As mentioned by Bob Beauchemin, there was a great night of Service Broker last week as part of the Guerilla SQL Server 2005. Dan Sullivan presented "Night of the Service Broker" with members of the SQL Server Service Broker team. Sounds like a fun opportunity to talk about one of my favorite current topics!
As Bob also mentions, a new SQL Server Service Broker Developer Spot was created by Dan. According to Bob:
The site will host discussion forums, articles, tutorials, and also host cooperative development of some interesting service broker apps. It's open now, and there'll be sample applications (including the Service Broker client object model, courtesy of the team) up there shortly.
Sounds great! I have already created an account. Take a look, as I am sure this will evolve into a great resource!
Julie has posted the list of new additions to the INETA Speaker Bureau for 2005:
Congratulations to all!
[By way of Valery Pryamikov]
Gary McGraw writes today in sc-l mailing list:
The sixth article in my IEEE Security & Privacy magazine series called "Building Security In" is on Penetration Testing. This article was co-authored by Brad Arkin (symantec) and Scott Stender. As a service to the community, we're making advance copies available here:
I am sure many of you already subscribe to S&P. If you don't yet, you should...check out http://www.computer.org/security/
Previous articles in the series:
And, Dana Epp cites the same article and a part that really sums up the article:
However, it’s unreasonable to verify that a negative doesn’t exist by merely enumerating actions with the intention to produce a fault, reporting if and under which circumstances the fault occurs. If "negative" tests don't uncover any faults, we've only proven that no faults occur under particular test conditions; by no means have we proven that no faults exist. When applied to security testing, where the lack of a security vulnerability is the negative we're interested in, this means that passing a software penetration test provides very little assurance that an application is immune to attack. One of the main problems with today's most common approaches to penetration testing is misunderstanding this subtle point.
Timely, and independent of the article, I have submitted a proposal to talk on Penetration Testing with ASP.NET Applications at Code Camp III.
Thom Robbins has mentioned that Code Camp III: The Madness will be returning to Microsoft's Waltham, MA office the weekend of March 12-13th. There is a call for speakers.
I was part of Code Camp II, and it was a great success (with at least 400 people attending). This is a free conference with lots of great content in an informal setting.
I am already putting together some ideas for new talks for this conference. Stay tuned.
Over the last couple of nights I attended and spoke at the Boston C# User Group (on Tuesday) and the Boston .NET User Group (Wednesday). Each meeting featured a holiday potluck dinner at the end.
I spoke to the Boston C# Group on Development Strategies in a more interactive/discussion format. I presented information on Test Driven Development (TDD) with NUnit and TestDriven.NET, Developing as a Non-Admin, Developing with Virtual Machines, and Code Generation. This was a whirlwind tour with none of the topics being comprehensive, but instead a quick glance at some concepts, tools, and demo code to get enough of an idea about each. The best part was the discussions that resulted for each in how to effectively use and apply the knowledge in everyday development situations.
Speaking of running and developing as a non-admin, I was asked to give my list of steps to set up your machine for ASP.NET development as a non-admin. You can get my slides and code for the chalk talk I did at Code Camp II on this same subject, and/or look at G. Andrew Duthie's recent post and my comment. Another interesting find along these lines that also came out on Tuesday is Valery Pryamikov's post and tools for running as admin but using a non-admin explorer shell. I am looking forward to trying this.
I really like the interactive/discussion format, and got a lot of good feedback about it. Something like this will be the basis of a new study group I and several others have been forming. I will blog more about this soon.
At the Boston .NET Group, I wasn't planning to speak, but Chris Pels and John Watson were talking about their experiences at this year's XML DevCon, and they asked me to give some of my impressions. I still think this was one of the most fun conferences of the year for me, in terms of interaction, discussions, opportunities to meet some great people, and learn what others are doing in the XML world.
Of course, at both holiday meetings, the food was great! Unfortunately, though, we didn't have anything like this. :-)