Visual Studio 2005 & The Mad Hacker - Q&A
Visual Studio 2005 was launched yesterday in Israel!
During the ‘Visual Studio 2005 & The Mad Hacker’ show, Dan and I demonstrated the ability to build mission-critical applications using the Visual Studio 2005 security enhancements. The show demonstrated several vulnerabilities and the way to mitigate them using Visual Studio 2005.
Following the show, several questions were raised…
So here is our Q&A:
Q: I missed the show… what areas were covered in the show and where can I learn more about them?
A: We covered the following areas during the show:
– SQL Injection & Using Code Analysis to mitigate it
– ASP.NET 2.0 Login Controls, Membership & Roles Services
– Diagnostics using WebEvents
– Sniffing & Secured Remoting
– C++ Code Analysis & Buffer Overrun Example
– Data Protection Class
– Access Control Class
Q: Where can I find the presentation and the demos you showed?
A: Here is the list of demos:
– The VS 2005 & The Mad Hacker Presentation & Videos
– The CTU Web & Backed Solution
– The CTU Web & Backed Solution + Login, Membership & Roles, including the WebEvents demo for sending SMS using SMS2U
– The Buffer Overrun & PreFast Example
– The Data Protection Example
– The Access Control Example
– The CTU Database
– Install Script (this script creates the IIS virtual directory of the CTU Web)
Q: Can I get the Mad Hacker SQL Injector Tool?
A: Sorry, but no. This tool was not complicated to build, but it can be used to hack systems, and although I’m sure you only want this tool to test your own site, it can be used by others in unacceptable ways.
Q: I was expecting more drill-down explanation of the new security features and was a little disappointed.
A: We decided to focus our lecture on several topics that would fit such a large audience instead of, for example, drilling into the new features of code access security. Using this web log, I’ll publish several articles and links to try to cover the full list of changes.
Q: What is the name of the book that you showed?
A: The name of the book is Writing Secure Code, Second Edition.
Q: Where can I find more information regarding VS 2005 Security Improvements?
A: The Security Wiki and What’s new security features are in ASP.NET 2.0
MSDN Article: New Security Features in Visual Studio 2005
SQL Injections
To learn more about SQL injection, check the Advanced SQL Injection and More Advanced SQL Injection articles from NGSSoftware. There is also an article from MSDN Magazine titled Stop SQL Injection Attacks Before They Stop You.
Membership & Roles Services
There are two new articles on MSDN:
Member/Role Management with IIS, Part 1: Security and Configuration Overview
Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation
Data Protection
Encrypt Connection Strings in VS 2005 .config Files
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
.Net Security - Shawn F. Blogs
Microsoft Security MVP’s Blogs