[Owasp-phoenix] Meeting Tonight?

Andre Gironda andre at operations.net
Thu May 7 17:47:30 EDT 2009

On Thu, May 7, 2009 at 2:04 PM, Alex Smolen <me at alexsmolen.com> wrote:
> Improving Web Application Security: Threats and Countermeasures:  A
> tome. A bit out of date, but still has tons of useful info.

This is a good one, I admit. You can even download it for free from
Microsoft these days.

> First, there are several other good books on .NET security:
> ASP.NET 3.5 Security, Membership, and Role Management: This one talks
> a lot about ASP.NET security and includes a lot of examples of
> customizing membership and handling different real-world security
> scenarios.
> Beginning ASP.NET 3.5 Security (available for pre-order only)

I'm having a tough time finding these. Are they Wrox press titles?

> Second, to Andre, I don't think you're giving the GIAC SSP stuff a
> fair shake. To be fair, I helped write a few of the questions and have
> the Java GIAC SSP certification. I have very little reason to be
> biased though - I thought the Java exam was ridiculously bad (which is
> why I complained and got asked to help with .NET) and I don't
> particularly care if the certification succeeds or fails.

You're working on something, but you don't care if it fails? Sounds
like you're really seriously dedicated to quality. Or perhaps the
monetary or brand-recognition factors weigh heavily enough to consider
wasting your time on such a project? Feel free to explain.

I have not taken the GIAC exams, but I have seen the SANS training
that goes along with them. Would it be presumptuous to think that the
exam content is based on the training?

BTW, I'm speaking for Java, C, and .NET (all three).

> The .NET exam is fairly well-rounded and talks about a lot of real
> world ASP.NET security issues, including recent technologies like LINQ
> and AntiXSS. Is it perfect? Definitely not. I think that good exams
> are a lot harder to write than people realize.

Isn't the problem with software security that people ship software
blindly, without quality or security built-in? What kind of message
does it send when an educator ships certification and training when
"no or little" thought goes into the outcomes and value-to-customer?
Isn't this the *exact* type of thinking we're trying to curtail?

> To suggest that anything that doesn't cover Silverlight and AJAX in
> depth barely "scratches the surface" of .NET security is preposterous.

You forgot to mention OOA&D and EAI along with Web 2.0. In my mind,
you can't even do Web 2.0 security unless you understand the security
implications of EAI and OOA&D.

This appears to be turning into an argument, so let me cut off that
thinking right now. I'm not arguing to look smarter or be cooler than
you. I'm making valid points about what I think needs to be done
versus what is actually happening. You appear to be putting words in
my mouth, so I also want to make corrections that validate my earlier
accurate assessment. I stand behind what I said, and there is little
you can do to counter it.

> The overwhelming majority of development in ASP.NET uses these
> technologies very lightly if at all and fundamentally they don't
> change the game with server-side code (where plenty of very serious
> vulnerabilities still hang out). I feel like the Web 2.0/AJAX/
> Silverlight/Cloud Security/Web Services topics and presentations are
> more about racking up speaking opportunities for consultants and are
> really over-represented in terms of the actual threat that these
> technologies pose.

Then why does ASP.NET lack XML encoding and CSRF protections: two
extremely valuable protections necessary for anything related to any
of the above technologies? Or missing LDAP parameterization while at
the same time, ADFS is being rolled out en masse? I guess the point
that you are missing is that we need to train these concepts now, i.e.
"before" developers start using them. I think it's being proactive
instead of reactive. Your comment also appears to be directed towards
me - I'd like to know where I have racked up speaking engagements
around Web 2.0/Cloud? Who exactly is over-representing them?

I guess I would agree with you in theory that Web 2.0 and Cloud are
hype, but at the same time - the Microsoft ASP.NET team has done quite
a lot to improve the BCL for security, but nothing to help anything
external to the BCL...

Kind of like the same way that the Microsoft Vista team made sure that
all but 97 default executables and DLLs had ASLR and SafeSEH
protections, but did nothing to improve the situation for external,
often bundled, OEM and ISV software...
