[Owasp-phoenix] Meeting Tonight?
me at alexsmolen.com
Thu May 7 17:04:39 EDT 2009
I stumbled upon this thread that discussed ASP.NET security. I just
wanted to add a couple of things:

First, there are several other good books on .NET security:

ASP.NET 3.5 Security, Membership, and Role Management: This one talks
a lot about ASP.NET security and includes a lot of examples of
customizing membership and handling different real-world security

Improving Web Application Security: Threats and Countermeasures: A
tome. A bit out of date, but still has tons of useful info.

Beginning ASP.NET 3.5 Security (available for pre-order only): I'm a
technical editor on this one, so I've seen most of it and it should be
a good reference for new technologies like Silverlight.

Second, to Andre, I don't think you're giving the GIAC SSP stuff a
fair shake. To be fair, I helped write a few of the questions and have
the Java GIAC SSP certification. I have very little reason to be
biased though - I thought the Java exam was ridiculously bad (which is
why I complained and got asked to help with .NET) and I don't
particularly care if the certification succeeds or fails.

The .NET exam is fairly well-rounded and talks about a lot of real
world ASP.NET security issues, including recent technologies like LINQ
and AntiXSS. Is it perfect? Definitely not. I think that good exams
are a lot harder to write than people realize.

To suggest that anything that doesn't cover Silverlight and AJAX in
depth barely "scratches the surface" of .NET security is preposterous.
The overwhelming majority of development in ASP.NET uses these
technologies very lightly if at all, and fundamentally they don't
change the game with server-side code (where plenty of very serious
vulnerabilities still hang out). I feel like the Web 2.0/AJAX/
Silverlight/Cloud Security/Web Services topics and presentations are
more about racking up speaking opportunities for consultants and are
really over-represented in terms of the actual threat that these

To answer the original poster, the .NET GIAC exam should be pretty
straightforward to anyone who has read some of the books mentioned in
this thread and has some real-world ASP.NET development and .NET