Alik Levin's

Clarity, Technology, and Solving Problems

March, 2007

  • VSTS How To's - patterns&practices


    It is not about what it does but how to use it (read this to understand the difference: Driver's Guide vs. Owner's Manual).


    VSTS Guidance


    Check these comprehensive step-by-step walkthroughs with pictures:


    Want to know how to integrate VSTS into your dev lifecycle? - read this: Methodologies

    Want to know how to accomplish specific activities like stress tests? - read this: Techniques

    Want to know how to tweak VSTS? - read this: Visual Studio 2005


    And most important of all: enjoy (guaranteed)!

  • Code Inspection - First Look For What To Look For


    Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

    I found it extremely productive to first look for strings in the code. But what strings should you look for? And how should you look for them? By reading through the source files?

    My good friend FindStr is of great help here.

    So first, let's find what to look for. Dump the IL as text and keep only the lines that load a string literal:

    Ildasm.exe secureapp.dll /text | findstr ldstr

    This is what I got using it:

    Wouldn't it make you think of authorization data doing a round trip through the client, and therefore open to tampering and elevation of privilege?

    Wouldn't it make you think there is some custom authentication mechanism that could be vulnerable, enabling identity spoofing?

    Wouldn't it make you think...


    So once you have these strings, use the same FindStr to find the actual files to inspect (recursive, file names only, case-insensitive, starting from the project root):

    findstr /S /M /I /d:c:\projects\yourweb "StringOfInterestGoesHere" *.cs
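
    The two passes above can be joined into one small tool. The following C# is an added example (not code from the post): it reads the piped ildasm output from standard input, flags the literals that hint at security-relevant logic, and then does the second findstr step itself so the reviewer gets a "string, threat, files" list in one go. The keyword table is an assumption for illustration, not a standard list, and the default root path is the post's sample path.

```csharp
// Added example (not from the original post). Usage:
//   ildasm.exe secureapp.dll /text | findstr ldstr | StringTriage.exe c:\projects\yourweb
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class StringTriage
{
    // ildasm prints:   IL_0006:  ldstr      "IsAdmin"   (quotes inside the literal are escaped as \")
    static readonly Regex LdStr = new Regex(@"ldstr\s+""((?:[^""\\]|\\.)*)""");

    // Keyword -> threat a reviewer should follow up on (STRIDE wording, as in the post).
    // The keyword list is an assumption for this example.
    static readonly KeyValuePair<string, string[]>[] Triage = new KeyValuePair<string, string[]>[] {
        new KeyValuePair<string, string[]>("tampering / elevation of privilege", new string[] { "role", "admin", "permission" }),
        new KeyValuePair<string, string[]>("spoofing", new string[] { "password", "pwd", "login", "ticket", "token" }),
        new KeyValuePair<string, string[]>("information disclosure", new string[] { "connectionstring", "secret", "key" }),
    };

    // First keyword hit wins; null means "not interesting for a first pass".
    static string Classify(string literal)
    {
        string low = literal.ToLowerInvariant();
        foreach (KeyValuePair<string, string[]> kv in Triage)
            foreach (string w in kv.Value)
                if (low.Contains(w)) return kv.Key;
        return null;
    }

    // Equivalent of:  findstr /S /M /I /d:root "literal" *.cs
    static List<string> FindFiles(string root, string literal)
    {
        List<string> hits = new List<string>();
        foreach (string path in Directory.GetFiles(root, "*.cs", SearchOption.AllDirectories))
            if (File.ReadAllText(path).IndexOf(literal, StringComparison.OrdinalIgnoreCase) >= 0)
                hits.Add(path);
        return hits;
    }

    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : @"c:\projects\yourweb"; // the post's sample path
        Dictionary<string, bool> seen = new Dictionary<string, bool>();   // report each literal once
        string line;
        while ((line = Console.ReadLine()) != null)
        {
            Match m = LdStr.Match(line);
            if (!m.Success) continue;
            string literal = m.Groups[1].Value;
            if (literal.Length == 0 || seen.ContainsKey(literal)) continue;
            seen[literal] = true;

            string threat = Classify(literal);
            if (threat == null) continue;
            Console.WriteLine("\"{0}\"  ->  {1}", literal, threat);
            foreach (string f in FindFiles(root, literal))
                Console.WriteLine("    " + f);
        }
    }
}
```

    Two things this does that the raw findstr pipeline does not: it de-duplicates literals (ldstr for the same string appears once per call site), and it searches for the literal only in the files under the root you pass, so a hit list of "IsAdmin in Default.aspx.cs and Login.aspx.cs" is where the inspection actually starts.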


  • SecureString Class Two Real Usages And Counting!


    SecureString Class 

    "Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed. This class cannot be inherited. "

    I was very excited at first about SecureString, introduced in .NET FX 2.0, but as I tried to learn more and more about it I could not find real scenarios where I could apply it.

    So here it comes:

    1. Credential Management with the .NET Framework 2.0 - a very detailed and useful article.

    "Summary: Get an introduction to the Credential Management API that includes functions for user interface handling and lesser-known functions for managing a user's credential set. Also see a .NET class library that dramatically simplifies the task of credential management, for languages such as C# and Visual Basic .NET, and provides a more elegant and robust approach to credential management for C++ developers. (26 printed pages)"

    2. X509Certificate2(String, SecureString) - got this one while reading Support Certificates In Your Applications With The .NET Framework 2.0

    "You can also load certificates from .pfx files. However, as I mentioned earlier, .pfx files can be password protected [ed. alikl - SHOULD BE, MUST BE?], and you should supply this password as a SecureString. SecureString encrypts the password internally and tries to minimize exposure of it in Memory, page files, and crash dumps"
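
    As an added example of scenario 2 (not code from the post or from the MSDN articles it links to), the following C# reads the .pfx password key by key straight into a SecureString, hands it to the X509Certificate2(String, SecureString) constructor, and shows the one safe way to give the secret to native code when you must: an unmanaged copy that is zeroed as soon as it has been used. The file name secureapp.pfx is assumed.

```csharp
// Added example (not from the original post). The .pfx name is an assumption.
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography.X509Certificates;

static class PfxLoader
{
    // Read a password without ever materialising it as a System.String:
    // an immutable String cannot be wiped and lives until the GC gets to it.
    static SecureString ReadPassword()
    {
        SecureString s = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (s.Length > 0) s.RemoveAt(s.Length - 1);
            }
            else if (key.KeyChar != '\0')
            {
                s.AppendChar(key.KeyChar);
            }
        }
        s.MakeReadOnly();   // no further edits; the buffer is still zeroed on Dispose
        return s;
    }

    static void Main(string[] args)
    {
        string pfxPath = args.Length > 0 ? args[0] : "secureapp.pfx"; // assumed file name
        Console.Write("PFX password: ");
        using (SecureString pwd = ReadPassword())   // Dispose wipes the encrypted buffer
        {
            Console.WriteLine();

            // The constructor takes the SecureString directly, so this code never holds
            // the password as a String.
            X509Certificate2 cert = new X509Certificate2(pfxPath, pwd);
            Console.WriteLine("Loaded {0}, has private key: {1}", cert.Subject, cert.HasPrivateKey);

            // If a native API needs the plain text, copy it out, use it, then zero and free it.
            IntPtr unmanaged = IntPtr.Zero;
            try
            {
                unmanaged = Marshal.SecureStringToGlobalAllocUnicode(pwd);
                // ... pass 'unmanaged' (an LPWSTR) to the native call here ...
            }
            finally
            {
                if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            }
        }
    }
}
```

    The gain is narrower than the class name suggests: the constructor still has to decrypt the password to hand it to CryptoAPI, and Console.ReadKey delivers each character in the clear, so what SecureString buys you is that no garbage-collected String copy of the whole password lingers in memory, page files or crash dumps. (Microsoft's current documentation no longer recommends SecureString for new development for the same reason.)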


    More on SecureString here on the .NET Security Blog:

    SecureString Redux

    Making Strings More Secure

    Got more examples? Share please!
