[Owasp-phoenix] Meeting Tonight?

Andre Gironda andre at operations.net
Tue May 5 22:07:33 EDT 2009


On Tue, May 5, 2009 at 5:12 PM, Binoy Saha <binoysaha at gmail.com> wrote:
> Could anybody recommend a good book for the GSSP-.net certification exam?

The only material relevant to the GSSP .NET certification is the
official SANS content.

There were a few good books covering .NET security:
1) Developing More-Secure Microsoft ASP.NET 2.0 Applications by
Dominick Baier via Microsoft Press (October, 2006)
  --This is my favorite resource, but it doesn't apply well to ASP.NET
3.x or ASP.NET MVC
2) Hunting Security Bugs, also from Microsoft Press
  --while an older title, it definitely has stayed relevant. Fewer code
examples in comparison
3) MCAD/MCSD Self-paced Training Kit: Implementing Security For
Applications With Microsoft Visual Basic .NET And Microsoft Visual C#
.NET
  --also out-of-date, but some great examples for unit testing for
security properties

Avoid these, but you may get some useful information (a few tidbits)
out of them:
1) Building Secure ASP.NET Applications Patterns & Practices
2) Security for Microsoft Visual Basic .Net Programmers
3) The .NET Developer's Guide To Windows Security

Unfortunately, I think most of the above are awful resources for
learning what you really need to know when working with ASP.NET
developers for web applications, no matter which version they employ.
The sad part is that there aren't any great resources.
SecurityInnovation provides an ASP.NET training course via CBT.

The best information on ASP.NET Security I've seen lately comes from
Keith Brown of PluralSight
http://www.pluralsight.com/main/olt/Module.aspx?a=keith-brown&n=aspdotnet-security&cn=aspdotnet-fundamentals
The information is in WBT format and completely free, even covering
IIS7 (for another good resource on IIS7, check out the latest
presentation from Brian Holyfield of Gotham Digital Science Security
while at the SOURCE Boston conference.  GDS Security also has an
IHttpModule called SPF that is worth an additional look over the
Microsoft ones: http://gdssecurity.com http://anticsrf.codeplex.com
http://antixss.codeplex.com ).

I'm looking forward to the authors of the Core Security Patterns book
(originally for Java Enterprise only) publishing more information on
their upcoming book
http://coresecuritypatterns.com
"Core Security Patterns for Microsoft .NET"
I find that analyzing UML class and sequence diagrams is much easier
than DFDs, EAI diagrams, or hundreds of thousands of lines of code (or
millions). OOA&D has a paradigm that the BuildSecurityIn website has
borrowed called Architectural Analysis (BSI calls it Architectural
Risk Analysis).  I found "Applying UML and Patterns: An Introduction
to Object-Oriented Analysis and Design and Iterative Development, 3rd
Edition", by Craig Larman, to be the most useful book for
understanding the basic concepts necessary to read/analyze/create Core
Security Patterns.

If the ASP.NET application utilizes any Silverlight, ASP.NET AJAX,
external JS/Flash/etc, then these problems also need to be understood.
Microsoft recently released a document on their Download Center
called "Security Guidance for Writing and Deploying Silverlight
Applications".  There is a book on "Ajax Security" from Billy Hoffman
(HP ASC) and Bryan Sullivan (Microsoft SDL) and one on "Hacking
Exposed Web 2.0" (iSecPartners) containing many relevant ASP.NET XML
and Ajax/Flash topics.  Shreeraj Shah of Blueinfy has a great list of
tools (much better than the very outdated Foundstone tools) that he
talks about in his book on "Web 2.0 Security: Defending Ajax, RIA, and
SOA", including implementation of an IHttpModule called web2wall that
interfaces with XML and JSON.  Shah's upcoming book on "Application
Source Code Security Handbook for Developers, Auditors, and Security
Professionals" will likely cover .NET in great detail.

SANS and GIAC barely scratch the surface of .NET security. I don't
think they cover anything that I talked about in this email.  I don't
even think they cover the issues found in the PluralSight free
web-based training.

Have fun,
Andre
