Be sure to read Dana's post and the research paper. Consider Dana's post and warning, and make mitigating this type of threat part of your own company's threat modeling process.
I have posted the slide decks and demo code I used for my talks this past weekend at the New England Code Camp 7 - Deer in Headlights conference. You can find the files here.
My talks were:
- How to Perform a Secure Code Review
- Protecting Data with SQL Server 2005
Both talks went really well, I think. Thanks to everyone who attended the talks -- there were very good questions and I was very encouraged that it seemed many caught the "secure development" bug as a result of the talks.
With the SQL Server 2005 talk, I went through some sample scripts that have been very useful to me in storing encrypted data as well as searching encrypted data (based on the great work and information found at Laurentiu Cristofor's blog and Raul Garcia's blog).
Special thanks to Rudolf Araujo (from Foundstone and fellow Microsoft Security Developer MVP) for use of the Threat Modeling slides in my Secure Code Review talk. One reference I didn't mention at the time, but have since included in my slide deck, is the book The Art of Software Security Assessment by Mark Dowd, John McDonald, and Justin Schuh -- a fantastic book for secure code reviewers that is destined to be a classic.
Also, while I am at it: if you are looking for a secure code reviewer, please consider my company. As you look for reviewers, also be sure to read Mark Curphey's (another Microsoft Security Developer MVP) excellent post on Top Ten Tips for Hiring Security Code Reviewers before you hire anyone.