It took more than a year, but a piece I wrote reviewing "best practices" security principles as applied to the well-known .NET "reference" applications (PetShop, F&M, Duwamish) finally made it onto MSDN last week. As you might imagine, the security aspects of these applications don't stand up well when a strong light is shone on them. And yet...what else is there? How are developers, designers, and architects supposed to deal with security when all they have to look at is simple marketing-oriented demos or 2,000 pages of detailed guidance, with nothing in between?
There are probably a number of ways to locate this article (and MSDN's infrastructure discourages permanent links), but here's one from the Architecture Center portal that might be good for a while:
I'm particularly tickled by the ratings / comments. The overall is currently 6.4998 (about average), but you just have to laugh at the distribution (see the graph at the bottom of the article). And what are the comments that accompany the 1 ratings?
"this page sucked"
"This article is full of shit..."
But here's the most recent comment (clearly, from an intelligent and perceptive reader <grin>):
"Told it like it is! The author has created a genuinely useful document that should be required reading for anyone writing secure apps."