Software Engineering, Project Management, and Effectiveness
We did a focused set of security videos with Keith Brown a while back. The problem is they're not very findable (most customers I talk to aren't aware of them). I added them to soapbox and listed them below to see if it helps (note soapbox may prompt you to log in):
Input and Data Validation Videos
They're designed to help you get key concepts behind some of our security guidance. I also wanted to use somebody that was recognized in the field as somebody you could trust. Keith's proven himself for a long time in the security community. He also has the aura of an experienced trainer, which I think comes across in these videos.
It doesn't help. Despite the fact that I have been watching MSDN webcasts for ages using my passport ID, I am not allowed into the site. Strangely if I try to get added to the registration database I am told that the email address is already in use.
I think sharing these kinds of videos via Soapbox is silly, to say the least. Why don't you host these on, say, Channel 9 or some place on MSDN? I am not complaining about logging in, but wouldn't it be nice to find these at one known place rather than strewn all over the net? And least of all I would not want to go to Soapbox from my workplace.
Kris - They've been hosted on channel9 for over a year: http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.InputValidationTrainingModules
I would like to see them on MSDN.
Mike - I'm not sure what the soapbox issue is, but here's an alternative:
* Paths, URLs, and Canonicalization: http://mylabs.members.winisp.net/videos/canonicalization.wmv
* Cookies and Tamper Detection: http://mylabs.members.winisp.net/videos/cookies.wmv
* Cross Site Scripting: http://mylabs.members.winisp.net/videos/crosssitescripting.wmv
* Regular Expressions: http://mylabs.members.winisp.net/videos/regex.wmv
* SQL Injection: http://mylabs.members.winisp.net/videos/sql_injection2.wmv
* ASP.NET Validation Controls: http://mylabs.members.winisp.net/videos/validation.wmv
Just to drop a small note.
I never see any reference to using Page.IsValid on server postback handlers. It's mandatory for server validation! So, you don't have any kind of security without Page.IsValid! In fact I have my doubts that that particular webcast is going to the server for validation as mentioned by Keith.
I've said it before and I will say it again... it's confusing for developers to have to check this and it should be done by the framework, or there should be a warning of some kind.
From http://msdn.microsoft.com/msdnmag/issues/05/11/securewebapps/
"...(just make sure to always enforce server-side validation by calling Page.IsValid)..."
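The Page.IsValid check raised in the comment above, shown as an added example that is not part of the original post, the comments, or the videos. The page name Register.aspx, the control IDs, and the session key are hypothetical.

```csharp
// Added example: code-behind for a hypothetical Register.aspx. Assumed markup:
//   <asp:TextBox ID="EmailBox" runat="server" />
//   <asp:RequiredFieldValidator runat="server" ControlToValidate="EmailBox"
//        ErrorMessage="Email is required" />
//   <asp:RegularExpressionValidator runat="server" ControlToValidate="EmailBox"
//        ValidationExpression="^[^@\s]+@[^@\s]+$" ErrorMessage="Bad email" />
//   <asp:Button ID="SaveButton" runat="server" OnClick="SaveButton_Click" />
//   <asp:Button ID="ImportButton" runat="server" CausesValidation="false"
//        OnClick="ImportButton_Click" />
//   <asp:Label ID="StatusLabel" runat="server" />
// The control fields are declared by the page's generated partial class.
using System;
using System.Web;
using System.Web.UI;

public partial class Register : Page
{
    // SaveButton has CausesValidation=true (the default), so the validators
    // run on the server before this handler. The handler is still invoked
    // when they fail, and a request sent without the browser's validation
    // script arrives here directly, so the handler must check the result.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            return; // validators render their own messages; do no work
        }
        StoreEmail(EmailBox.Text.Trim());
    }

    // With CausesValidation=false nothing has run the validators yet, and
    // reading Page.IsValid before validation throws an HttpException.
    // Run validation explicitly, then check the result.
    protected void ImportButton_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid)
        {
            return;
        }
        StoreEmail(EmailBox.Text.Trim());
    }

    private void StoreEmail(string email)
    {
        Session["PendingEmail"] = email;  // hypothetical session key
        StatusLabel.Text = "Saved " + HttpUtility.HtmlEncode(email);
    }
}
```

RegularExpressionValidator treats an empty field as valid, which is why the markup pairs it with a RequiredFieldValidator.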