Software Engineering, Project Management, and Effectiveness
Whenever I bring up the OpenHack 4 competition, most aren't aware of it. It was an interesting study because it was effectively an open "hack me with your best shot" competition.
I happened to know the folks on the MS side, like Erik Olson and Girish Chander, who helped secure the application, so it had some of the best available security engineering. In fact, customers commented that it's great that Microsoft can secure its applications ... but what about its customers? That comment was the inspiration for our Improving Web Application Security: Threats and Countermeasures guide.
I've summarized OpenHack 4 here, so it's easier for me to reference.
Overview of OpenHack 4
In October 2002, eWeek Labs launched its fourth annual OpenHack online security contest. It was designed to test enterprise security by exposing systems to the real-world rigors of the Web. Microsoft and Oracle were given a sample Web application by eWeek and were asked to redevelop the application using their respective technologies. Individuals were then invited to attempt to compromise the security of the resulting sites. Acceptable breaches included cross-site scripting attacks, dynamic Web page source code disclosure, Web page defacement, posting malicious SQL commands to the databases, and theft of credit card data from the databases used.
Outcome of the Competition
The Web site built by Microsoft engineers using the Microsoft .NET Framework, Microsoft Windows 2000 Advanced Server, Internet Information Services 5.0, and Microsoft SQL Server 2000 successfully withstood over 82,500 attempted attacks to emerge from the eWeek OpenHack 4 competition unscathed.
For more information on the implementation details of the Microsoft Web application and the configuration used for the OpenHack competition, see "Building and Configuring More Secure Web Sites: Security Best Practices for Windows 2000 Advanced Server, Internet Information Services 5.0, SQL Server 2000, and the .NET Framework".