Software Engineering, Project Management, and Effectiveness
We did a focused set of security videos with Keith Brown a while back. The problem is they're not very findable (most customers I talk to aren't aware of them). I added them to soapbox and listed them below to see if it helps (note soapbox may prompt you to log in):
Input and Data Validation Videos
They're designed to help you get key concepts behind some of our security guidance. I also wanted to use somebody that was recognized in the field as somebody you could trust. Keith's proven himself for a long time in the security community. He also has the aura of an experienced trainer, which I think comes across in these videos.
PingBack from http://thanadon.com/news/patterns-practices-security-videos.html
It doesn't help. Despite the fact that I have been watching MSDN webcasts for ages using my passport ID, I am not allowed into the site. Strangely if I try to get added to the registration database I am told that the email address is already in use.
I think sharing these kind of videos via Soapbox is silly to say the least. Why don't you host these on say Channel 9 or some place on MSDN. I am not complaining about logging in but wouldn't be nice to find these at one known place rather than screwn all over the net. And least of all I would not want to go to Soapbox from my work place.
Kris - They've been hosted on channel9 for over a year: http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.InputValidationTrainingModules
I would like to see them on MSDN.
Mike - I'm not sure what the soapbox issue is, but here's an alternative:
* Paths, URL s, and Canonicalization: http://mylabs.members.winisp.net/videos/canonicalization.wmv
* Cookies and Tamper Detection: http://mylabs.members.winisp.net/videos/cookies.wmv
* Cross Site Scripting: http://mylabs.members.winisp.net/videos/crosssitescripting.wmv
* Regular Expressions: http://mylabs.members.winisp.net/videos/regex.wmv
* SQL Injection: http://mylabs.members.winisp.net/videos/sql_injection2.wmv
* ASP.NET Validation Controls: http://mylabs.members.winisp.net/videos/validation.wmv
Just to drop a small note.
I never see any reference to using Page.IsValid on server postback handlers. It's mandatory for server validation! So, you don't have any kind of security without page.isvalid! In fact I have my doubts that that particular web cast is goind to the server for validation as mentioned by Keith.
I've said it before and I will say it again... it's confusing for developers to have to check this and it should be done by the framework, or there should by a warning of some kind.
"...(just make sure to always enforce server-side validation by calling Page.IsValid)..."
"Click Here" http://blogs.msdn.com/jmeier/archive/2007/03/24/patterns-practices-security-videos.aspx
This is gonsalez music site - <a href="http://www.gonsalez.info/314150.html">best music site in da world</a>.