Security: Treat your input like trash.
Tech Ed, posted: 28-Sep-2009 21:00
By: Ben Gracewood
As a developer, I was intensely interested in a couple of the security sessions at TechEd. The first was Michael Howard's "Everything Developers Need to Know About Security". Michael is a software security expert from Microsoft. He is author of several computer security books, the most famous being "Writing Secure Code" - somewhat of a bible for developers interested in security.
Michael had several tips for developers thinking about security. He took a fun but cruel approach to the session by first asking for ideas to overcome each security scenario, then systematically tearing the responses down.
The key point I took from the session is that developers must treat all external input as utter garbage. Whether it be user input on a web form, or data coming from another system, if you can't control the input, then you must validate, escape, and clean the input before taking it any further.
The second session was part theatre, part information, and by far the most packed-out session I attended throughout TechEd NZ 2009. People sitting in the aisles, all around the walls, and 5-deep outside the doors. Hack-Ed: Teaching the Good Guys Bad Tricks was a double-act by Kirk Jackson (Xero) and Andy Prow (Aura Software Security) - otherwise known as "Flight of the Pwnchords". Kirk looked after a fake-but-real website, and Andy played the part of a hacker attempting to break in.
The Hack-Ed session was a real eye-opener. We all know about SQL injection, man-in-the-middle, and similar hacking exploits, but I doubt many people have seen them in action. Andy showed just how simple it is to bypass client-side validation, and how whitelists are pointless for SQL injection defense.
The key point from Kirk and Andy's session is that just one hole is all it takes. If a hacker can get just a small corner unpeeled from a small hole, then they can rip the lid off your entire site, and likely the underlying database. It's actually a little bit scary to see the hacks in action.
Overall, the two sessions have confirmed everything a developer should be thinking about when developing both public and private applications. For both developers and team leads, they offered up some scary reminders of why security needs to be top of mind. You can grab the presentation slides now from the TechEd website.
More information
Other related posts:
Registrations open for Microsoft Tech.Ed New Zealand 2010
Connect with your local .Net user groups
Microsoft Tech.Ed Online: Office and UC
As a developer, I was intensely interested in a couple of the security sessions at TechEd. The first was Michael Howard's "Everything Developers Need to Know About Security". Michael is a software security expert from Microsoft. He is author of several computer security books, the most famous being "Writing Secure Code" - somewhat of a bible for developers interested in security.
Michael had several tips for developers thinking about security. He took a fun but cruel approach to the session by first asking for ideas to overcome each security scenario, then systematically tearing the responses down.
The key point I took from the session is that developers must treat all external input as utter garbage. Whether it be user input on a web form, or data coming from another system, if you can't control the input, then you must validate, escape, and clean the input before taking it any further.
The second session was part theatre, part information, and by far the most packed-out session I attended throughout TechEd NZ 2009. People sitting in the aisles, all around the walls, and 5-deep outside the doors. Hack-Ed: Teaching the Good Guys Bad Tricks was a double-act by Kirk Jackson (Xero) and Andy Prow (Aura Software Security) - otherwise known as "Flight of the Pwnchords". Kirk looked after a fake-but-real website, and Andy played the part of a hacker attempting to break in.
The Hack-Ed session was a real eye-opener. We all know about SQL injection, man-in-the-middle, and similar hacking exploits, but I doubt many people have seen them in action. Andy showed just how simple it is to bypass client-side validation, and how whitelists are pointless for SQL injection defense.
The key point from Kirk and Andy's session is that just one hole is all it takes. If a hacker can get just a small corner unpeeled from a small hole, then they can rip the lid off your entire site, and likely the underlying database. It's actually a little bit scary to see the hacks in action.
Overall, the two sessions have confirmed everything a developer should be thinking about when developing both public and private applications. For both developers and team leads, they offered up some scary reminders of why security needs to be top of mind. You can grab the presentation slides now from the TechEd website.
More information
Other related posts:
Registrations open for Microsoft Tech.Ed New Zealand 2010
Connect with your local .Net user groups
Microsoft Tech.Ed Online: Office and UC
Add a comment
Please note: comments that are inappropriate or promotional in nature will be deleted.
E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.
Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments.
If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and shown in this blog post.
Comment by tonyhughes, on 30-Sep-2009 09:28 , user id: 9006)
Ohhhh... you are a developer. That explains a lot.
