Tracking the tracks at Tech Ed New Zealand


Security: Treat your input like trash.

Posted: 28-Sep-2009 21:00

By: Ben Gracewood

As a developer, I was intensely interested in a couple of the security sessions at TechEd. The first was Michael Howard's "Everything Developers Need to Know About Security". Michael is a software security expert from Microsoft. He is the author of several computer security books, the most famous being "Writing Secure Code", something of a bible for developers interested in security.

Michael had several tips for developers thinking about security. He took a fun but cruel approach to the session by first asking for ideas to overcome each security scenario, then systematically tearing the responses down.

The key point I took from the session is that developers must treat all external input as utter garbage. Whether it is user input on a web form or data coming from another system, if you don't control the input then you must validate it against what you actually expect, and escape or encode it for wherever it is going (a SQL query, an HTML page, a shell command), before taking it any further.

The second session was part theatre, part information, and by far the most packed-out session I attended throughout TechEd NZ 2009. People sitting in the aisles, all around the walls, and 5-deep outside the doors. Hack-Ed: Teaching the Good Guys Bad Tricks was a double-act by Kirk Jackson (Xero) and Andy Prow (Aura Software Security) - otherwise known as "Flight of the Pwnchords". Kirk looked after a fake-but-real website, and Andy played the part of a hacker attempting to break in.

The Hack-Ed session was a real eye-opener. We all know about SQL injection, man-in-the-middle, and similar hacking exploits, but I doubt many people have seen them in action. Andy showed just how simple it is to bypass client-side validation, and how whitelists are pointless for SQL injection defense.
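To make the two points above concrete (treat input as garbage; filtering is not the fix for SQL injection), here is an added example in Python against an in-memory SQLite table. It is my own illustration, not code from the session or from the post, and the table contents, the payloads and the function names are constructed for it. The vulnerable login glues the username and password into the query string, so the payload `alice' --` logs in as alice with no password and a password of `' OR '1'='1` logs in as whichever row comes first; the parameterised version treats the same strings as plain data. The allow-list check runs on the server, where the attacker cannot switch it off, but it is a second layer on top of parameterisation, not a replacement for it.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the post). Passwords are
# stored in clear text only to keep the demo short; real systems store hashes.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: the query is built by string concatenation, so the
    attacker's text becomes part of the SQL. A username of  alice' --  turns
    the statement into  ... WHERE username = 'alice' --' AND password = '...'
    and the password check is commented away."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    """The same query with bound parameters. The driver sends the values
    separately from the statement, so quotes and comment markers in the
    input are just characters in a string, never SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Hypothetical policy for this demo: usernames are 3-20 lowercase letters,
# digits or underscores. An allow-list like this describes what the field
# *should* contain rather than trying to enumerate what an attacker might send.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")


def validate_username(username):
    """Server-side allow-list check. It must run on the server: a check that
    lives only in browser JavaScript is bypassed by posting the form directly."""
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Validate against the expected shape first, then query with parameters.
    The allow-list rejects obvious junk early; the parameters are what actually
    stop injection, including inputs the allow-list would have let through."""
    if not validate_username(username):
        return None
    return login_parameterised(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, "alice' --", "wrong"))
    print("vulnerable, OR payload      :", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("parameterised, same payload :", login_parameterised(db, "alice' --", "wrong"))
    print("hardened, same payload      :", login_hardened(db, "alice' --", "wrong"))
    print("hardened, real credentials  :", login_hardened(db, "bob", "hunter2"))
```

Running the block shows the vulnerable function returning `('alice', 'admin')` for a username with no valid password and the parameterised and hardened functions returning `None` for the same input, while genuine credentials still work through the hardened path.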

The key point from Kirk and Andy's session is that just one hole is all it takes. If a hacker can get just a small corner unpeeled from a small hole, then they can rip the lid off your entire site, and likely the underlying database. It's actually a little bit scary to see the hacks in action.

Overall, the two sessions confirmed what every developer should be thinking about when building both public and private applications. For developers and team leads alike, they offered some scary reminders of why security needs to be top of mind. You can grab the presentation slides now from the TechEd website.


Comment by tonyhughes, on 30-Sep-2009 09:28

Ohhhh... you are a developer. That explains a lot.



Microsoft Tech Ed New Zealand is a technology event run by Microsoft New Zealand. The Microsoft Tech Ed New Zealand 2010 is happening in Auckland (New Zealand), 30th August - 1st September 2010, at the SkyCity Convention Centre. If you are attending the Microsoft Tech Ed New Zealand 2010 and would like to contribute with stories, profiles, and feedback please contact us. This blog is written by Mauricio Freitas and published by Geekzone.


