Performance Gain – Security Risk

23 February 2007

Consider an ASPX page that is protected by URL authorization. Here is why it cannot be accessed directly: when you try to navigate to it, you get an access-denied response. Great, love URL authorization!! Now let's examine another ASPX page, one that does a Server.Transfer to the protected page. When navigating to this second page you surprisingly get the protected content. The reason is that when using Server.Transfer, the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL Authorization module. The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx. The performance part is here: http://msdn2.microsoft.com/en-us/library/ms998549.aspx. Performance and security have never been good friends - fortunately...

Web Service Input Validation

22 February 2007

I blogged on the importance of input validation some time ago (App Architecture with Security in mind - Video, Part I). Web services are no different from ASPX pages: they accept parameters and process them. So the strategy for input validation should be the same as with ASPX - each and every input parameter MUST be checked for goodness (no black list allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest way would be as follows (from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1):

    using System.Text.RegularExpressions;

    public decimal RetrieveAccountBalance(string accountId)
    {
        // Allow-list check: the account id must match the expected pattern
        if (!Regex.IsMatch(accountId, @"^{1,40}$"))
        {
            // AccountID does not match expression
            // do not process request
        }
        ...

CardSpace Is Aiming To Solve Many Identity Problems

A very short and nice read - Gates: Now's the time to stop using passwords--really. "One problem people face is knowing whether they're at a legitimate web site or a malicious site." More here: http://antiphishing.org/. "People also face numerous problems in identifying themselves to the sites they use." Check out some problems related to passwords here: http://www.guidanceshare.com/wiki/Authentication_Vulnerabilities. "CardSpace is part of the solution to all of these problems." More here: One-Page Introduction to Windows CardSpace. The CardSpace home is here: http://cardspace.netfx3.com/. Enjoy.

Hooked On Security Tools

19 February 2007

I realized that for some reason I have lately been concentrating on tools: Scriptomania - Scripting Tools and Utilities, More Powerful Security Tool, Most Powerful Security Tool. This blog entry is about another security tool - ShareEnum (free download). I am about to conduct a Security Deployment Inspection with some project, and this tool might be very handy. Another handy utility could be TCPView (free download), to identify TCP and UDP activity. You must agree that this one is nicer than black-and-white netstat :) All the rest of the Sysinternals goodies are here: Enjoy.

Scriptomania – Scripting Tools and Utilities

17 February 2007

Before you follow the link below you need to make sure which hat you wear, and then just stick with this hat... From http://www.microsoft.com/technet/scriptcenter/createit.mspx:
Scriptomatic 2.0
Do-It-Yourself Script Center Kit
WMI Code Creator
ADSI Scriptomatic
Tweakomatic
Log Parser 2.2
Portable Script Center
HTA Helpomatic
Scriptomatic 1.0

Security, Real Life, and Being Proactive

15 February 2007

Have you noticed that little slogan at the bottom of the p&p logo? "proven practices for predictable results" When I landed in Seattle for Another Breathtaking Microsoft Convention I called my precious wife to tell her I was OK. What I heard in response was crying, and she told me that she had been involved in a serious car wreck. I can recall now that the first thing I asked was "Were you wearing a safety belt?" and when I heard "yes" I could estimate what could have happened to her. I could not be sure about her explanations since she could be in shock, but since she applied proven...

More Powerful Security Tool

I was blogging lately about security tools (see Most Powerful Security Tool). For some reason there is a perception that security tools are about scanning, intercepting, cracking, and tampering - in other words, something reactive. To me a security tool is something that supports Security Engineering as a whole and can be anything from document templates to simple checklists. But my favorite is of course Guidance Explorer (see patterns&practices Guidance Explorer), which constantly gets updates (see He Who Doesn't Ask - Just Doesn't Get). Today it contains about 1000 prescriptive items for security and performance. I've used it for the following scenarios: Create high...

Overdoing Home Work Only Hurts

14 February 2007

I recently presented the Security Engineering topic during an internal Microsoft convention to an international audience (see Back From Seattle - Another Breathtaking Microsoft Convention), and it went really well until I ran into trouble while trying to connect to the compromised server using Terminal Services. The hack was to exploit dynamic SQL and an over-privileged account to run the nasty xp_cmdshell extended stored procedure (turned off by default in SQL Server 2005 - run the SQL service with the lowest possible privileges) to create an account on the target machine and add it to the local Administrators group. The hack (Stored Procedure Is Not A Silver Bullet Against SQL Injection...

Most Powerful Security Tool

It's Between Your Ears. Why? Because "Security is man-vs-man and humans are intelligent." - more about this here: What is it that makes security hard? I am a strong believer in process integration when it comes to security - more about it here: http://msdn.com/securityengineering. And here are some tools to support the process:
Threat Analysis and Modeling - http://go.microsoft.com/fwlink?linkid=77002
FxCop - http://www.gotdotnet.com/team/fxcop
FindStr - Security Code Inspection - First Look For What To Look For
Fiddler - http://www.fiddlertool.com/fiddler
NETMON III - http://blogs.technet.com/netmon/default.aspx
Cheers