[Owasp-phoenix] Meeting Tonight?

Alex Smolen me at alexsmolen.com
Thu May 7 17:04:39 EDT 2009

I stumbled upon this thread that discussed ASP.NET security. I just  
wanted to add a couple of things:

First, there are several other good books on .NET security:
ASP.NET 3.5 Security, Membership, and Role Management: This one talks  
a lot about ASP.NET security and includes a lot of examples of  
customizing membership and handling different real-world security  

Improving Web Application Security: Threat and Countermeasures:  A  
tome. A bit out of date, but still has tons of useful info.

Beginning ASP.NET 3.5 Security (available for pre-order only): I'm a  
technical editor on this one, so I've seen most of it and it should be  
a good reference for new technologies like Silverlight.

Second, to Andre, I don't think you're giving the GIAC SSP stuff a  
fair shake. To be fair, I helped write a few of the questions and have  
the Java GIAC SSP certification. I have very little reason to be  
biased though - I thought the Java exam was ridiculously bad (which is  
why I complained and got asked to help with .NET) and I don't  
particularly care if the certification succeeds or fails.

The .NET exam is fairly well-rounded and talks about a lot of real  
world ASP.NET security issues, including recent technologies like LINQ  
and AntiXSS. Is it perfect? Definitely not. I think that good exams  
are a lot harder to write than people realize.

To suggest that anything that doesn't cover Silverlight and AJAX in  
depth barely "scratches the surface" of .NET security is preposterous.  
The overwhelming majority of development in ASP.NET uses these  
technologies very lightly if at all and fundamentally they don't  
change the game with server-side code (where plenty of very serious  
vulnerabilities still hang out). I feel like the Web 2.0/AJAX/ 
Silverlight/Cloud Security/Web Services topics and presentations are  
more about racking up speaking opportunities for consultants and are  
really over-represented in terms of the actual threat that these  
technologies pose.

To answer the original poster, the .NET GIAC exam should be pretty  
straightforward to anyone who has read some of the books mentioned in  
this thread and has some real-world ASP.NET development and .NET  
security experience.

Alex Smolen
me at alexsmolen.com

More information about the Owasp-phoenix mailing list