August 2006 - Posts
I will be speaking at the Beantown .NET User Group meeting, Boston, from 5:30 pm to 7:30 pm on Thursday, September 7. Here is the topic and abstract:
Topic: The Why and How of Secure Code Reviews
Abstract: Writing secure code should be the goal of every development shop. Security can never be an add-on at the end of a project, but must be part of the design and development process throughout the software development lifecycle. As you develop the code, or once you have finished the development, how well do you know if you followed the best practices for writing secure code? This session will cover the common issues and mistakes to look for as you do a secure code review on your own development code. We will cover authentication, authorization, application configuration, cryptography, and many other categories that can be difficult to get right in writing secure code.
Although this will be a new topic for me to speak on, this has long been an interest of mine, and it is something I very much enjoy doing as part of my work.
As always, the meeting is open to everyone so bring your friends and co-workers. If you want free pizza, contact the group leader Ben Day by sending an RSVP using the contact form (http://blog.benday.com/contact.aspx) by 1pm on 9/7.
Update 9/13/2006: Slides for the talk are available.
A little late, but I have posted the slides and code for my talk last week at the Connecticut .NET User Group meeting. I went through and updated several resources, as they still pointed to a combination of pre-Release and Release material. Now, everything is current.
It was great to see there were 40-50 people in attendance, quite a few more than when I last spoke there a couple of years ago when the group was very new. SB and Carl are doing a great job!
I will be speaking at the Connecticut .NET Users Group meeting tomorrow night, August 22, at the Microsoft Farmington Office. I will be speaking on writing applications that use and take advantage of SQL Server 2005 Service Broker. If you are in the area, and have wondered about this new framework for SQL Server 2005, head over and say hello. The meeting is from 6:00 pm to 8:00 pm.
Occasionally, I am called upon to do a security code review. I enjoy the process, and I recommend that every shop that writes software regularly review its code not only for normal bugs, but especially for security bugs. The drawback, though, is that not everyone knows what to do or what to look for in a review. One of my personal and business goals is to help clients understand this process.
Michael Howard wrote an interesting article on "A Process for Performing Security Code Reviews" that appeared in this month's IEEE Security and Privacy magazine [found by way of Dana Epp]. I enjoyed reading about some of the steps and decisions Microsoft follows in reviewing its own code. Take a look and then think about how you can make this part of your own software development lifecycle.
I am working in Western Massachusetts these days and I had a chance to check out the local Western Mass .NET Users Group meeting last night. Julie Lerman gave a great talk on the new asynchronous features of ASP.NET 2.0. Here is her write-up. It's been a while since I looked at some of these features in ASP.NET, so it was a nice refresher, plus it is always a treat to watch Julie present (we typically have sessions at the same time at the Code Camps, so we are mostly catching up in the hallways!).
I don't have any dates confirmed yet, but I will probably be presenting to the user group later this year as well. Recently, I have been kicking around some ideas for a new architecture talk involving Domain Driven Design, especially after I read and have been applying the ideas in Jimmy Nilsson's book Applying Domain-Driven Design and Patterns: With Examples in C# and .NET (this is excellent, by the way). Stay tuned.