Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


April 2007 - Posts

Over the weekend at the New England Code Camp 7 conference, I briefly mentioned some of the potential security problems with AJAX. Dana Epp has a post about the new class of attack vectors using JavaScript Hijacking against AJAX, and ultimately ATLAS, applications. He points to a research paper by Fortify Software that details the vulnerabilities, how the attacks could be performed, and ways to mitigate against them.

Be sure to read Dana's post and the research paper. Take Dana's warning seriously, and make mitigating this type of threat part of your own company's threat modeling process.

I have posted the slide decks and demo code I used for my talks this past weekend at the New England Code Camp 7 - Deer in Headlights conference. You can find the files here.

My talks were:

  • How to Perform a Secure Code Review
  • Protecting Data with SQL Server 2005

Both talks went really well, I think. Thanks to everyone who attended the talks -- there were very good questions and I was very encouraged that it seemed many caught the "secure development" bug as a result of the talks.

With the SQL Server 2005 talk, I went through some sample scripts that have been very useful to me in storing encrypted data as well as searching encrypted data (based on the great work and information found at Laurentiu Cristofor's blog and Raul Garcia's blog).

Special thanks to Rudolf Araujo (of Foundstone, and a fellow Microsoft Security Developer MVP) for the use of his Threat Modeling slides in my Secure Code Review talk. One reference I didn't mention at the time, but have since included in my slide deck, is the book The Art of Software Security Assessment by Mark Dowd, John McDonald, and Justin Schuh -- a fantastic book for secure code reviewers that is destined to be a classic.

Also, while I am at it: if you are looking for a secure code reviewer, please consider my company. As you look for reviewers, also be sure to read Mark Curphey's excellent post on Top Ten Tips for Hiring Security Code Reviewers (Mark is another Microsoft Security Developer MVP) before you hire anyone.

Posted by RHurlbut | 1 comment(s)