Tuesday, June 08, 2004

Security Summit

Today was spent in deep learning on security. I had the pleasure of attending the Microsoft Security Summit in Anaheim today. It was a very good event with content that hit the mark. Most of the information was things I had already learned, but it was a very good refresher. Buffer overruns, cross-site scripting, SQL injection, oh my.

Everything I had, as far as emails and printed materials about the event, said it was to start at 8 o'clock sharp. Now I really don't like to be late, but due to traffic I didn't even get to the parking lot till 8am. So I speed-walked into the building, got registered, got my agenda, and the keynote didn't start till 8:30am. I realized that Msft really understands IT.

The keynote by Mark Valentine addressed the continuing security focus that Microsoft has made and plans to keep. This was shown in several of the demos. The SP2 for Windows XP really demonstrates that. They have really developed a user interface that makes Windows Updates, Anti-Virus and Internet Firewall (soon to be called Windows Firewall) easy for home users to use. It is also going to make firewall rules for the corporate end a lot better too, as admins will be able to create domain and standard firewall rules. That will make it so people on your network that have laptops that they take home every night (like myself) won't bring malware and viruses back into the network. Microsoft also showed off the SD3 framework, which means Secure by Design, Secure by Default, Secure in Deployment. The other thing that was mentioned is that after the Trustworthy Computing email from Bill Gates came out, they stopped all forward progress on Windows 2003 Server and started the SD3 model. Apparently all developers at Microsoft have to read "Writing Secure Code" before they are allowed to touch one stitch of code.

I took the Developer track of the Security Summit. This was a day well spent. Michele Leroux Bustamante taught all four sessions. She is a Microsoft Regional Director for the San Diego area. She did an amazing job of keeping the material entertaining. I took 14 pages worth of notes from the sessions. After I get a chance to decipher my own writing (not always easy) I will share some of the nuggets I gleaned from the event.

Highlights

  • Code Access Security Explained
  • Storing SQL ConnectionStrings encrypted ( and still be able to use them in your application)
  • Strong Names for Assemblies.
  • Sand Boxing Components
  • Security settings in ASP.NET
  • Using the SqlDataAdapter and SQL parameters to fight SQL injection attacks.
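Since the last highlight is the one with a concrete technique behind it, here is an added example (my own illustration, not code from the summit or from the session notes) of the same lookup done the injectable way and the parameterized way with ADO.NET. The `Users` table, its columns, and the hostile input are assumptions made up for the demo.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post: a user lookup written two ways.
// Table name "Users" and its columns are assumed for illustration.
class ParameterDemo
{
    // Vulnerable: user input is concatenated straight into the SQL text,
    // so a quote in the input changes the shape of the statement.
    static string BuildVulnerableQuery(string userName)
    {
        return "SELECT UserId, UserName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Hardened: the SQL text is fixed; the input travels as a typed,
    // length-limited parameter and can never be parsed as SQL.
    static SqlCommand BuildParameterizedCommand(string userName, SqlConnection conn)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT UserId, UserName FROM Users WHERE UserName = @UserName", conn);
        SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50);
        p.Value = userName;
        return cmd;
    }

    // Runs the parameterized command through a SqlDataAdapter into a DataTable.
    // Only used when a real connection string is supplied on the command line.
    static DataTable LoadUsers(string userName, string connectionString)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildParameterizedCommand(userName, conn))
        {
            SqlDataAdapter adapter = new SqlDataAdapter(cmd);
            DataTable table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    static void Main(string[] args)
    {
        // Constructed sample input: closes the quoted literal and appends a
        // tautology, so the concatenated version returns every row.
        string hostile = "x' OR 1=1 --";

        Console.WriteLine("Concatenated:  " + BuildVulnerableQuery(hostile));

        // No connection is needed just to show what the parameterized command looks like.
        using (SqlConnection conn = new SqlConnection())
        {
            SqlCommand cmd = BuildParameterizedCommand(hostile, conn);
            Console.WriteLine("Parameterized: " + cmd.CommandText);
            Console.WriteLine("@UserName =    " + cmd.Parameters["@UserName"].Value);
        }

        // Optional: pass a connection string to actually run the safe query.
        if (args.Length == 1)
        {
            DataTable users = LoadUsers(hostile, args[0]);
            Console.WriteLine("Rows returned: " + users.Rows.Count);
        }
    }
}
```

Run it with no arguments to compare the two statements; the concatenated one ends up as `... WHERE UserName = 'x' OR 1=1 --'`, while the parameterized one keeps its text unchanged and carries the whole string, quote and all, as the value of `@UserName`. Pass a connection string as the only argument to execute the safe version against a database that has the assumed table.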

If you get a chance to get to this event, do, the more you know about security the better you can sleep.
