I presented at the NZ SharePoint conference yesterday. It was a pretty impressive event - kudos to Debbie and the organising team.
My talk was split into two parts: what are some of the risks in running a SharePoint site; and how can you protect against them.
The risks I covered were cross-site scripting and malicious file uploads - MIME sniffing in IE, the recent MHTML attack and the ever-present risk of malicious PDF documents. The key takeaway is that any uploaded file could be malicious, so think about how to mitigate those risks.
In the 'protection' section, I covered some SharePoint development best practices and stepped through SharePoint specifics on how to protect against XSS and CSRF. SharePoint has some pretty good protections built in out of the box, but if we're building our own web parts we need to be vigilant.
The presentation should shortly be available from the conference website, with a video in a month or so. If you've got any questions please feel free to email me or get in touch.

2011-03-17-NZSPC-KirkJackson.pdf (2.9 MB)