[Owasp-phoenix] Meeting Tonight?

Alex Smolen me at alexsmolen.com
Thu May 7 20:14:24 EDT 2009

Firstly, I apologize if my post came off as an attack. Just wanted to
present the other side of the argument - that the GIAC SSP exams have
some decent content.

On May 7, 2009, at 2:47 PM, Andre Gironda wrote:

> On Thu, May 7, 2009 at 2:04 PM, Alex Smolen <me at alexsmolen.com> wrote:
>> Improving Web Application Security: Threat and Countermeasures:  A
>> tome. A bit out of date, but still has tons of useful info.
> This is a good one, I admit. You can even download it for free from
> Microsoft these days.
>> First, there are several other good books on .NET security:
>> ASP.NET 3.5 Security, Membership, and Role Management: This one talks
>> a lot about ASP.NET security and includes a lot of examples of
>> customizing membership and handling different real-world security
>> scenarios.
>> Beginning ASP.NET 3.5 Security (available for pre-order only)
> I'm having a tough time finding these. Are they Wrox press titles?

Professional ASP.NET 3.5 Security

Beginning ASP.NET 3.5 Security

By the way, I am the technical editor of the second one, but it is by
no means my book - it belongs to Barry and WROX.

>> Second, to Andre, I don't think you're giving the GIAC SSP stuff a
>> fair shake. To be fair, I helped write a few of the questions and have
>> the Java GIAC SSP certification. I have very little reason to be
>> biased though - I thought the Java exam was ridiculously bad (which is
>> why I complained and got asked to help with .NET) and I don't
>> particularly care if the certification succeeds or fails.
> You're working on something, but you don't care if it fails? Sounds
> like you're really seriously dedicated to quality. Or perhaps the
> monetary or brand-recognition factors weigh heavily enough to consider
> wasting your time on such a project? Feel free to explain.

In terms of the GIAC .NET exam, I can only help as much as they ask me
to. I can't really vouch for the whole thing, since it's not my baby.
I think my questions are good though :)

> I have not taken the GIAC exams, but I have seen the SANS training
> that goes along with them. Would it be presumptuous to think that the
> exam content is based on the training?

They have training that they offer that is based off the exam, I
believe. The exam content itself seems to be based off of whatever the
people who write the exam feel like testing.

> BTW, I'm speaking for Java, C, and .NET (all three).
>> The .NET exam is fairly well-rounded and talks about a lot of real
>> world ASP.NET security issues, including recent technologies like
>> and AntiXSS. Is it perfect? Definitely not. I think that good exams
>> are a lot harder to write than people realize.
> Isn't the problem with software security that people ship software
> blindly, without quality or security built-in? What kind of message
> does it send when an educator ships certification and training when
> "no or little" thought goes into the outcomes and value-to-customer?
> Isn't this the *exact* type of thinking we're trying to curtail?

I appreciate your point here, and I was a little bit too easy on the
exam. I agree that any certification exam should be a reliable
indicator of a certain level of knowledge. I think doing that is
harder than people realize. That's why I am not a huge proponent of
certs in general.

>> To suggest that anything that doesn't cover Silverlight and AJAX in
>> depth barely "scratches the surface" of .NET security is preposterous.
> You forgot to mention OOA&D and EAI along with Web 2.0. In my mind,
> you can't even do Web 2.0 security unless you understand the security
> implications of EAI and OOA&D.

OK. I'm not sure what you mean, but I probably agree with you. Design
and architecture have huge security ramifications.

> This appears to be turning into an argument, so let me cut off that
> thinking right now. I'm not arguing to look smarter or be cooler than
> you. I'm making valid points about what I think needs to be done
> versus what is actually happening. You appear to be putting words in
> my mouth, so I also want to make corrections that validate my earlier
> accurate assessment. I stand behind what I said, and there is little
> you can do to counter it.
>> The overwhelming majority of development in ASP.NET uses these
>> technologies very lightly if at all and fundamentally they don't
>> change the game with server-side code (where plenty of very serious
>> vulnerabilities still hang out). I feel like the Web 2.0/AJAX/
>> Silverlight/Cloud Security/Web Services topics and presentations are
>> more about racking up speaking opportunities for consultants and are
>> really over-represented in terms of the actual threat that these
>> technologies pose.
> Then why does ASP.NET lack XML encoding and CSRF protections: two
> extremely valuable protections necessary for anything related to any
> of the above technologies? Or missing LDAP parameterization while at
> the same time, ADFS is being rolled out en masse? I guess the point
> that you are missing is that we need to train these concepts now, i.e.
> "before" developers start using them. I think it's being proactive
> instead of reactive. Your comment also appears to be directed towards
> me - I'd like to know where I have racked up speaking engagements
> around Web 2.0/Cloud? Who exactly is over-representing them?

I think ASP.NET has some security gaps, and I'm on board with the idea
that we need to get developers the materials they need to address
those gaps.

I did not mean to target you - at all. I'm actually just as guilty as
anyone - I presented at the first OWASP conference about web services
security :) I don't think I'm the only one who recognizes that the
security industry has "buzzwords" that generate a lot of interest,
sometimes without a lot of merit.

> I guess I would agree with you in theory that Web 2.0 and Cloud are
> hype, but at the same time - the Microsoft ASP.NET team has done quite
> a lot to improve the BCL for security, but nothing to help anything
> external to the BCL...
> Kind of like the same way that the Microsoft Vista team made sure that
> all but 97 default executables and DLLs had ASLR and SafeSEH
> protections, but did nothing to improve the situation for external,
> often bundled, OEM and ISV software...

OK, I think that's probably a generalization regarding the BCL, but I
get the gist. MS has done a lot for security, though. Anyone who's
reviewed applications in ASP.NET, PHP, Java, etc. probably has an
opinion on who's created a more "securable" framework. In my opinion,
ASP.NET is one of the easiest to create a secure application with.
But, the job is far from over - still a lot of ground to cover, and of
course the new technologies are always changing the game.

> Thanks,
> Andre
