Browse by Tags
-
For those who were in my talk today, I mentioned that the SQL injection and XSS demos are actually labs that you can find on the Internet. Here are links to them. I built these for Patterns & Practices a few years ago. http://channel9.msdn.com/Wiki...
-
Thanks to Julie and David for inviting me to speak this past weekend in Denver. I hope I opened some eyes to the direction the industry is headed with identity and single sign-on! You can find my slides here. For those who attended, don't forget...
-
Thanks to those of you who attended my talks last week in London. The ASP.NET Attack and Defence talk covered SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The first two have downloadable demos and labs as part of...
-
I've been thinking a lot lately about password management. I'm not talking about how a user manages the myriad of passwords she's stuck with, but rather how a system (e.g., a website) should go about accepting, storing, and protecting the...
-
From Coding Horror, originally from CWE/SANS, this is a list that every developer should review from time to time. If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're...
-
I recently published Self-Cert, a tool that makes it really easy to generate self-signed certificates using the CryptoAPI. What's nice about it is that it has a .NET class library underneath it that makes it easy to do this programmatically from...
-
Mike Woodring sent me an email today. He was concerned that a website that he frequents wasn't doing such a good job storing passwords. He pointed out that by clicking a button, you could get your password emailed back to you. After talking with someone...
-
IIS is currently rejecting self-signed certs made with the Self-Cert tool. Actually, you can install the cert into IIS, but when a client connects, IIS will refuse to set up the SSL tunnel. So far I believe the problem is that my certs aren't getting...
-
It's a bit of a pain to create self-signed certs using MAKECERT. So here's a GUI-based tool that uses a combination of the .NET Framework and the CryptoAPI to create self-signed X.509 certificates. And it's factored so that you can use the...
-
Today I spent some time exploring WLID's new SDK that allows you to support WLID authentication in a website of your own. I got it working pretty quickly in a test website, and it works quite nicely. So now I'm a bit curious. There's a section...
-
Over the last couple of years, I've worked on websites that support both HTTP and HTTPS, and it's always tricky to find a balance between security and usability. Dominick wrote an excellent article about this a while back, suggesting that allowing...
-
For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products: Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's...
-
Chris Sells used to poke fun at me when we worked together in my former life. He used to call my security class "Essential Access Denied". His point was a good one: when they aren't applied carefully, security countermeasures often just...
-
I've been rather dark over the last couple of months as I helped to finish up Pluralsight's online training offering, Pluralsight On-Demand. I'm psyched that we finally shipped! Be sure to check it out soon (you can preview bits of each course...
-
I've always looked at security questions used to automate user password recovery with quite a bit of skepticism. What's the point of requiring strong passwords if you allow anyone to reset the password on an account by answering a (potentially...