Dan Sellers's WebLog

A Passion for .NET Security

Browse by Tags

Tagged Content List
  • Blog Post: Security Myth: Only Large Development Teams can Write Secure Code

    I would recommend that you share this post on the http://blogs.msdn.com/S4CD with anyone that automatically cite resources as an excuse for not writing secure code. This is an extremely well documented example of how a small team can developer secure code and also makes a good point how the smaller business...
  • Blog Post: IIS 6.0 and ASP.NET 2.0 Credentials--Part Two

    The ASP.NET User Principal (HTTPContext.User) clearly depends upon the Authentication Mechanism that you selected in IIS 6.0 "Authenication Tab" and if you use Integrated Windows Authentication then it is dependant on the IIS impersonation token that get handed off in the extension control block via...
  • Blog Post: IIS 6.0 and ASP.NET 2.0 Credentials

    The one area that many developers do not have good grasp at is how Authentication tokens from IIS 6.0 is passed to ASP.NET 2.0 and how these tokens can subsequently be used for Authorization in an ASP.NET 2.0 Web Application. The one question that arises quite often is when I click on “Integrated...
  • Blog Post: SQL Server 2005 Security for Developers Webcast for on-demand viewing is available

    The on-demand Webcast of SQL Server 2005 for Developers, conducted on March 22, 2006, by Rob Walters--Program Manager, SQL Server Security-- and I, is now available for on-demand viewing . Post Notes from this Webcast can be found at my blog . Look forward to seeing everyone for next week webcast...
  • Blog Post: Regenerating Keys in SQL Server 2005

    In my latest Webcast on SQL Server 2005 Security one of the questions that came up was: “If some fields of your table are encrypted and you are suspicious that the key has been revealed can you re-encrypt all the fields with the regenerated key”? Currently, there is no easy way to manage...
  • Blog Post: Post Webcast’s Notes: Securing SQL Server 2005 for Developers

    This morning was a jammed filled session covering off a lot of changes made to Microsoft SQL Server 2005. Over the last few weeks we talk exclusively about Front End security issues such as Input trust and the creation of a Development and Design environment to better emulate your production environment...
  • Blog Post: IOSEC and Anti-Cross Site Scripting Tool

    Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger plan known as the Microsoft IOSEC—an internal library. The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript...
  • Blog Post: Code Scanning Tools' WebCast for on-demand viewing is available

    The on-demand version of the Visual Studio 2005 and Code Scanning Tools, conducted on March 15, 2006,by Kevin Lam and I, is now available for on-demand viewing . Look forward to seeing everyone for next week webcast .
  • Blog Post: Webcast's Post Notes: Visual Studio 2005 and Code Scanning Tools

    In today’s webcast we had the opportunity to explore the buffer overrun attack in depth which is considered one of the worst vulnerabilities that exist. Any code that is written in C or C++ --without proper security code reviews--on any platform is susceptible to buffer overrun. It is becoming easier...
  • Blog Post: Ops!!! SecurePasswordTextBox Update now Available

    After last week WebCast --in which I talked about the new System.Security.SecureString class as well as the cool SecurePasswordTextBox that Paul Glavs wrote--he experienced an sudden increase in downloads. You can read about it here ! Recently, Paul has updated his tool and can now be downloaded ...
  • Blog Post: ASP.NET 2.0 and the new HTTP-only property

    To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest="true" on the @ Pages element. Recently, Microsoft improved the HttpUtility.HtmlEncode with the new Anti-XSS tool . But another subtle and equally important addition in ASP.NET 2.0 is the HTTP-only option...
  • Blog Post: Least Privilege Development in Microsoft Windows Vista

    In my last Webcast on Least Privilege I eluded to the fact that this was going to change with the release of Windows Vista. In fact it is going to change significantly. Here is a white paper that provides an understanding of User Account Protection (UAP) in Windows Vista. The paper was written a few...
  • Blog Post: Thoughts on Security Analogies

    I thought I would share Michael Howard's recent blog on " Security Analogies are Wrong ". I agree with Michael take on Security Analogies as I hear them all the time but I thought his post was hilarous as he turns the tables with his counter analogy: If cars operated in an environment like the Internet...
  • Blog Post: Microsoft Threat Analysis & Modeling tool v 2.0 (Beta 2)

    Today Microsoft released Beta 2 of the second version of the Threat Modeling and Analysis Tool for download . Microsoft has been using the Threat Modeling methodology as part of our Security Development Lifecycle for a few years now. Threat Modeling is a security-based analysis of an application...
  • Blog Post: Answer to the Trivial Question

    The answer to the trivial question from my blog based upon the March 8, 2006 WebCasts “Least Privilege Development and New System.Security Features” is below: Question: The KeyInfo element can consist of either a <KeyName/> or a <RetrievalMethod/> child element. What is the purpose...
  • Blog Post: Developing as Non Admin with Admin Access on a Server

    Here is another cool trick for running under Non Admin that was shared to me be by Aaron and works like a charm. The scenario is if you require Administrative privileges on an IIS Server but you still want to develop and design as non-admin on your local machine then you can do the following: · Create...
  • Blog Post: WebCast's Notes: Least Privilege and New System.Security Features

    In today’s Webcast we first started off with a continuation from last week . Last week we explored how to setup a development and design environment that closely emulates your production environment to make your testing more effective and efficient. This was accomplished by enabling Debug in Zone and...
  • Blog Post: Microsoft Updated Anti-XSS Tool

    In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool. However, at the time the library only worked with ASP.NET 2.0 applications. Today, the Library has been updated and now works with .NET Framework 1.0, 1.1 and 2.0. You can download the updated Library at: http...
  • Blog Post: Input Validation in ASP.NET? Bug or Not?

    Recently I was pinged by a colleague in the security field and he asked me a question on why the Regular Expression Validator was not validating against Null values in a ASP.NET control. I was able to reproduce the same behaviour on both Visual Studio 2003 and Visual Studio 2005 and it appears that Regular...
  • Blog Post: Partial Trust Development WebCast's Recording is now available for on-demand viewing

    Last Wednesday--March 1, 2006--I delivered part one of my five part WebCasts ' series on the new tools and Security features in Visual Studio 2005 or .NET Framework 2.0. The recording of Part one--Partial Trust Development--is now available for viewing .
  • Blog Post: Least User Priviledge WhitePaper Released

    This Wednesday--March 8, 2006--I will be doing part two of my part 5 Webcasts on some of the tools and security features incorporated into either Visual Studio 2005 or the .NET Framework 2.0. As a prequel to this week webcast --Least Priviledge and new Security Features in .NET Framework--here is an...
  • Blog Post: Microsoft Security Initiatives--Objective Point of View

    I have come to know and respect Dana Epp for over 3 years now. The one thing I can say about Dana is he will always say it like he sees it , which is one reason I always value his feedback and opinion. When it comes to Security I can count on him to say where Microsoft needs to get a lot better and where...
  • Blog Post: WebCast NOTES: Partial Trust Development with Visual Studio 2005

    On Wednesday March 1, 2006 I conducted part one of a five part series titled “Security on the Brain”. The goal of this series of WebCasts is to examine some of the tools and security features that have been incorporated into either the .NET Framework 2.0 or Visual Studio 2005. In this latest WebCast...
  • Blog Post: ASP.NET 2.0 Security Training Modules and Videos!!!

    The ASP.NET 2.0 and security team has released excellent training modules on APS.NET 2.0 security, including labs, modules and videos. This covers such topics as XSS, SQL Injection and much more at: http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityTrainingModules There will be more coming...
  • Blog Post: The Code Room: BREAKING INTO VEGAS!

    The Code Room is online ½ hour TV show focusing on developers and the programming challenges that they face. The latest show, in a very, very cool way, will demonstrate the impact of a hacked environment (a casino in the show) that has been penetrated and compromised by a group of hackers. More...
Page 1 of 2 (40 items) 12