January 2005 - Posts
[By way of Dana Epp]
The Web Application Security Consortium has released a guest article written by Jeremiah Grossman (CTO of WhiteHat Security) on "The 80/20 Rule for Web Application Security: Increase your security without touching the source code".
In this article Jeremiah discusses ways to make your website more difficult to exploit with little effort. It's a short, but interesting read.
His basic points include:
- Suppress information in default server error messages to prevent information disclosure. Give too much info and an attacker will use it against you!
- Remove or protect hidden files and directories. (In the face of the Google Hacking books and the like, this has never been more important.)
- Use web server security add-ons like IIS Lockdown, URLScan, mod_security, and SecureIIS. This should be a no-brainer.
- Add the HttpOnly flag to sensitive cookies to reduce the risk of cross-site scripting attacks (currently only honored by IE).
All good points, and easy to do. If you work on web apps, take a moment to read this article; it is a welcome addition to the material on how best to secure your web site.
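Two of those four points (suppressed error pages, HttpOnly on sensitive cookies), plus the version banners that tools like IIS Lockdown and URLScan strip, can be checked from a captured HTTP response. The script below is an added example, not code from Grossman's article or from the WASC; the two responses it audits are constructed here for illustration, and the set of cookie names treated as sensitive is an assumption to adjust per application.

```python
"""Audit captured HTTP responses for three checklist points: sensitive
cookies missing HttpOnly, version-advertising headers, and unsuppressed
framework error pages.  Added example; the responses below are constructed."""
from typing import Dict, List, Tuple

# Constructed sample: an ASP.NET 1.1 style response that fails every check.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: .ASPXAUTH=ticket; path=/; HttpOnly\r\n"
    "Set-Cookie: theme=blue; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h2>Exception Details:</h2> System.Data.SqlClient.SqlException: "
    "Login failed for user 'sa'.<br>Source Error: "
    "c:\\inetpub\\wwwroot\\app\\login.aspx.cs:line 42</body></html>"
)

# Constructed sample: the same request after the server has been locked down.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=ticket; path=/; HttpOnly\r\n"
    "Set-Cookie: theme=blue; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>An error occurred. Please try again later.</body></html>"
)

# Assumed: cookie names that carry session or authentication state.
SENSITIVE_COOKIES = {"asp.net_sessionid", ".aspxauth"}
# Headers that advertise the platform; the lockdown add-ons can strip these.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Fragments typical of a default ASP.NET error page (customErrors off).
ERROR_MARKERS = ("exception details", "stack trace", "source error", ".cs:line")

Header = Tuple[str, str]


def parse_response(raw: str) -> Tuple[str, List[Header], str]:
    """Split a raw response into status line, (name, value) headers and body.
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookies_missing_httponly(headers: List[Header]) -> List[str]:
    """Names of sensitive cookies that were set without the HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie_name.lower() in SENSITIVE_COOKIES and "httponly" not in attrs:
            findings.append(cookie_name)
    return findings


def banner_headers(headers: List[Header]) -> Dict[str, str]:
    """Headers that disclose the server software or framework version."""
    return {name: value for name, value in headers if name in BANNER_HEADERS}


def leaks_error_details(body: str) -> bool:
    """True when the body looks like an unsuppressed framework error page."""
    low = body.lower()
    return any(marker in low for marker in ERROR_MARKERS)


def audit(raw: str) -> Dict[str, object]:
    """Run all three checks over one raw response."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "cookies_missing_httponly": cookies_missing_httponly(headers),
        "banner_headers": banner_headers(headers),
        "verbose_error": leaks_error_details(body),
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for key, value in audit(raw).items():
            print(f"  {key}: {value}")
```

Run it against a response you have deliberately caused to fail (a malformed query parameter, a missing page) rather than a normal page, since the error-page check only fires when the server actually errors. Note that on ASP.NET 1.1 the HttpCookie class has no HttpOnly property, so the flag has to be emitted as part of the Set-Cookie header text yourself; the property arrives with 2.0 (Whidbey).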
(Paranoid) Mike Smith-Lonergan has a nice list of security tools he uses regularly. I use these quite often as well, but lately I have also been using packet monitoring tools to verify security at the socket level. Knowing the right tools to solve problems is sometimes more than half the battle.
[By way of Brian Johnson]
Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks
Dino summarizes the most common types of Web attacks and describes how Web developers can use built-in features of ASP.NET to increase security.
Peter Provost picked up on my security note about Enterprise Library 2005: if you develop as a non-administrator (i.e. from a limited user account), you must install it somewhere other than Program Files.
He also mentions that some of the NUnit tests will not run unless you are testing as an administrator. This is very unfortunate, and Peter says he wishes they had dealt with those exceptions appropriately. He offers some solutions, and they are good, but I hope this is a clear call to the team to consider all aspects of developing as a non-administrator in future versions, the unit tests included.
As you may or may not have heard, the long awaited release of the Patterns and Practices Enterprise Library came out today. Go fetch!
Security Note: If you are running and developing as a non-administrator (as you should be), install this somewhere other than the default location under Program Files. Otherwise, when you try to open any of the projects from your non-administrator account, you will get an error saying files could not be written to that location (C:\Program Files\ is a restricted area for regular users). My solution was to use MakeMeAdmin and put the files in their own separate location. This gave me owner rights on the folder and made sure I am not writing to a protected area.
Keith Pleas wrote an interesting article for MSDN: Guidance on Patterns & Practices: Security [by way of Julie Lerman]
In the article, Keith talks about some of the things I have mentioned in my own blog before:
There are too many samples out there with bad security practices that have become production code in one form or another.
or, as Keith states it:
"A familiar aphorism states that "If all you've got is a hammer, everything looks like a nail." Well then, is it any surprise that a lot of production Web applications look like the demo samples? What is clearly needed is a new generation of real-world sample applications that are designed and built using the "best practices" not just for security (our focus here), but for robustness, scalability, testing, and deployment; in fact, of all phases of the software development lifecycle. It is also important to recognize that this guidance will improve over time until it ultimately becomes part of the underlying platform."
In the article, he points out that we have bad samples at one end and very large books on secure practices at the other, with very little in between. Most new developers (and some seasoned developers in a hurry) will pick up the sample, marvel at how simple it is, tweak it a little, and deploy it as a production application. Keith offers the Patterns and Practices Group's current Enterprise Development Reference Architecture (EDRA) project (previously known as "Shadowfax") as a sample that tries to provide some security best-practice examples. I haven't looked at this in a while, but what I remember seeing was pretty good.
What I liked best about the article was Keith's analysis of the previous and existing samples offered by Microsoft. While not as thorough as I would have liked, it was a good example that all developers should get in the habit of practicing. Anytime you are tempted to use a sample application for anything other than a learning process, be sure to examine it very carefully for security holes. In fact, examine your own code regularly and with others. You owe yourself and your users nothing less.
In about 25 minutes from my writing this, the .NET Celebrity Auction for Aceh Aid will start at 9:00 AM EST.
Here is the Ebay link:
[From Julie Lerman's Blog]
25-30 of the top trainers and consultants in the .NET community will be auctioning off one hour each of their consulting time in a big EBay auction ...
The auction is to benefit Aceh Aid at IDEP who is doing amazing disaster recovery work in Aceh Province Sumatra. All of the money goes DIRECTLY to helping the victims since Aceh Aid at IDEP is a local organization in Sumatra.
I noticed this last night and on Brad Abrams' blog. This looks to be really good (especially for CLR/Rotor enthusiasts like myself). I would love to go, but my plate is getting full with some new consulting work coming up (nice problem to have!). But, I already got my friend Ernie interested in going. This should be a great few days!
[From Brad Abrams]
I wanted to extend Jim Miller's invitation to attend the CLR compiler dev lab…
From: Jim Miller (.NET)
Sent: Thursday, January 20, 2005 5:50 PM
Subject: Invitation to Developer Lab
I’ve been asked to forward the following invitation. I’m sorry for the late notice … I fumbled the ball at the end of last year and didn’t realize this hadn’t already gone out…
I do urge you to consider attending if you possibly can. We have a good deal of information we’d like to pass along, and we’d like to use it as an opportunity to gather comments on some key decisions that still remain before we ship Whidbey.
The Developer Evangelism and Common Language Runtime teams of Microsoft will be holding a Whidbey Compiler Developer Lab on the Microsoft Redmond Campus, February 7-9th, 2005. The Developer Lab provides you the opportunity to find out what new features are being included in Whidbey directly from the product team. The lab still has a few openings. If you are interested in attending, please send the following information to Jeff Sandquist:
- Name of your company or organization.
- Name of attendees.
- Contact information for attendees (e-mail, physical address, and phone).
- Copy of signed NDA (if you don't have one, we'll provide one at the lab).
In the lab, you will have the opportunity to get familiar with the technology through presentations and work with the latest builds of Whidbey. You will also be able to provide feedback to the product teams and get your questions answered. If you are already working on an implementation of a compiler that supports the CLR, please bring it along as we’ll have experts available to help you with specific problems.
Some of the topics that will be covered in this lab are:
· Building your first .NET compiler
· What’s new for compilers in Whidbey
· Supporting Generics
· Integrating with Visual Studio
There will be an opportunity while you are here to visit the Microsoft Company Store & attend a BBQ with the Common Language Runtime product team.
There is no fee to attend. You are responsible for your travel expenses. Breakfast and lunch are provided. Please note that attendees of this event will be required to sign a non-disclosure agreement, as the material that is being presented will not be public for some time after you see it.
Once your RSVP is received, you will receive an e-mail containing more logistical information to make your travel arrangements and any updated information.
If you have any questions about the developer lab, please contact Jeff Sandquist.
Looking forward to your attendance,
Developer Evangelism Team