To prevent cross-site scripting, it's important to encode data before outputting it.

Up until now, it has been quite hard to ensure you're encoding everywhere throughout your app.

It's great to see the new syntax in ASP.NET 4 to automatically encode:

First Name: <%: Model.FirstName %>
Last Name: <%: Model.FirstName %>

<form method="post">
  <%: Html.TextBox("FirstName") %>
  <%: Html.TextBox("LastName") %>
</form>

(From Phil Haack's blog)

This means that for all new web applications, you can build using <%: %> instead of <%= %>, which is great for ASP.NET MVC applications where that syntax is common.

For older applications you will be able to opt in to the new encoding syntax, but your old code will keep working exactly as it already does (perhaps insecurely, if you're not encoding!)

Here's hoping that we'll be able to replace the standard HtmlEncode with the AntiXSS goodness I described here:

• What is encoding? Cross site scripting and the AntiXSS encoding methods

Kirk

Daniel presented this talk at the Wellington Silverlight user group last Wednesday.

I enjoyed this talk. Daniel went back to basics and showed how to get up and running with Silverlight and WPF development, covered the various layouts you can use in XAML, and went through some of the fundamentals of how XAML and code interact.

I think the part I most appreciated was the content that Daniel left out of his talk. He was very well prepared, and had intentionally kept things simple, which is hard to do when you have deep technical knowledge and enjoy sharing it - I struggle with keeping my talks focussed without diverting on a tangent.

Well done Daniel, I'm looking forward to your next talk!

Kirk

I attended Richard's Domain Driven Design introduction at the Wellington .NET user group back on the September 23.

Richard introduced Domain Driven Design and the motivations behind using it, covered the 'building blocks' and then gave some examples of how to put it in practice.

Richard has blogged the details of his talk here: Slides from my Domain Driven Design 101 Talk

I enjoyed Richard's slide deck, and his presentation style - simple slides so that my focus was on what he was saying. The parts of his talk that I took the most out of were the encapsulation of business logic into Specifications (different from the testing concept), and the explicit anti-corruption layer when interfacing with any external system.

Thanks Richard!

Kirk

We got some great feedback from attendees at this year's Code Camp in Auckland. I thought I'd share some stats from the survey sent to attendees.

We counted 300 people there at one time, so we estimate somewhere between 300 and 350 people came along for sessions during the day. Note that approximately half of the attendees responded to the survey that these figures were drawn from.

We had three streams: Development, SQL and Security.

Attendance was roughly:

• Development: 68%
• SQL: 19%
• Security 13%

Although, people could switch between streams as they wished.

Did you also go to TechEd?

• Yes: 30%
• No: 70%

How did you find out about Code Camp?

• dot.net.nz mailing list: 23%
• Co-worker: 35%
• MSDN Flash Email: 22%
• via a blog: 5%

Session feedback:

• 94% of session feedback was in the range 'satisfied' to 'very satisfied'
• 40% of feedback was 'very satisfied'

Regions:

• 85% from Auckland
• 4% each from Wellington and Bay of Plenty
• 3% each from Waikato and Canterbury

User groups:

• 51% of people attend one or more of their local user groups
• To the remainder: come along and join us!

The presenter with the most feedback on his sessions was the AWESOME Ivan Towlson.

We got lots of great general comments, here are a few:

Great work guys! Thoroughly enjoyed.

Really enjoyed the day - thanks guys!

Thanks for the opportunity for those of us who could not attend TechEd

I am a sole operator / consultant with very limited budget, so "free" events are really appreciated.  I am very happy to dedicate my time to attendance at events that are run as well as this was.  Thanks again.

We appreciate international visitors giving up their mornings to our benefit

I really enjoyed every session and thought that each one had a valuable piece of information to take away - well done!

Thanks everyone for your feedback (good and bad constructive), we'll use it all to help make the next community Code Camp even better!

To find out about future Code Camps, and user group events in your area, please visit the dot.net.nz website and sign up to a mailing list.

Kirk

I'm happy to be presenting two sessions at TechEd this year. It would be great to see you there!

DEV304 Visual Studio Team System 2010: Odyssey Two

Presenter: Kirk Jackson

Tue 9/15 | 17:10-18:25 | Ballroom 1

Visual Studio 2008 is the best and most productive development environment ever! Microsoft have been busy the past couple of years putting even more great features into your favourite tool, and in Visual Studio 2010 we'll be seeing: new programming languages; diagramming tools and visualisers; new project types; and enhancements to the IDE. Come along and hear about these great features, and learn some new tips to help you make the most of Visual Studio 2010!

SEC313 Hack-Ed: Teaching the Good Guys Bad Tricks

Presenters: Kirk Jackson, Andy Prow

Wed 9/16 | 12:10-13:25 | New Zealand Room 2

You can't fight a war that you don't know you're waging. You can't defend your website against attack unless you know the tricks that the bad guys will use.

Join the "Flight of the Pwnchords*" and learn the tricks that Andy "the hacker" will use and watch as Kirk "the developer" tries to defend his ASP.NET website against them. By the end of this session you will have an understanding of some of the common attacks, such as Cross-Site Scripting (XSS), Cross-Domain Request Forgery (CDRF), and will have an appreciation of how layering your defenses (defense-in-depth) can help protect you from exploit chaining.

The session will also give you some practical tips that you can apply straight away in Visual Studio 2008 to help you build secure websites.

(* AKA "New Zealand's fourth most popular comedy hacking duo")

Cheers,

Kirk

Visual Studio 2010 will have better support for a multi-monitor setup, but it's possible to get part of the way in 2008 already.

Toolbars and property windows (e.g. Solution Explorer, Class View) can be dragged into separate windows (2010 will add the ability to drag documents into separate windows too):

Window positioning gets a bit weird when you switch from one monitor to another, or change resolutions - a common occurrence when you're a laptop user docking and un-docking.

You can create two settings files, one for your single monitor layout, and one for your multi-monitor layout, and use them when starting Visual Studio 2008:

1. Arrange your windows the way you like them
2. Go to Tools > Import and Export Settings > Export selected environment settings
3. You get a great tree-view of every possible setting category in Visual Studio. Click the top node to deselect everything, and scroll down and select only General Settings > Window Layouts:
   
4. Save your settings file somewhere handy (e.g. d:\multimon.vssettings)
5. Repeat for each layout you like

Now you have two or more settings files, you just need to create a shortcut icon for each one somewhere in your start menu.

Edit the target, and add the parameter /resetsettings D:\multimon.vssettings to the end (replace the path with each settings file path).

Now when you launch your new shortcut, it will start Visual Studio 2008 with the correct window layout. Because you only exported and imported the Window Layouts, all the other settings stay the same.

You may also want to make these changes to your shortcut:

• Add the /nosplash parameter to your Target, to avoid the "Visual Studio" splash screen and make it slightly faster to start (perception is everything!)
• Check the Run as administrator option, which is useful if you often need to restart Visual Studio to connect to the ASP.NET worker process when developing under IIS.

Cheers,

Kirk

Previous VS2008 Tips:

• Visual Studio Tips n Tricks (DEV313)
• Visual Studio - Copy references
• Turn off outlining / regions in Visual Studio
• Visual Studio 2008 tip of the day - relive the series
• Explore files from Visual Studio
• Snippet Designer released
• Ctrl + . -- Bring up that annoying smart tag menu
• Temporary Projects - You don't have to save them
• Christchurch - Visual Studio Tips'n'Tricks
• Visual Studio - Regedit your tab ordering and add a column guide

Code Camp is less than two weeks away!

If you want to catch some free sessions on the state-of-the-art in .NET development, SQL Server and developer security then sign up for Code Camp Auckland 2009 now.

Code Camps are non-profit, and organised by members of the local developer community. This year the Auckland Code Camp is the day before TechEd (Sunday 13 September), so we've managed to nab a few great speakers on their day off to present to us.

It's the biggest Code Camp ever - over 14 hours of sessions across 3 streams from 10am till 5pm:

Development...

• What's Happening in .NET Languages and Why Should You Care?
• .NET on the iPhone and Beyond
• Behaviour Driven Development
• Domain Specific Languages
• C# 4.0 new features
• Silverlight with Prism
• Becoming Certified
• Lightning Talks
• and more!

The latest and greatest in development topics, by the people that know!

SQL Server?

• SQL Server Virtualisation Best Practices and Recommendations
• SQL Server Analysis Services and Gemini
• Query Optimization and Query Tuning
• Understanding SQL Server Indexing
• SQL Server Maintenance

Training and guidance from the best SQL trainers in the industry!

Security!

• Secure Development Lifecycle and Threat Modelling workshop
• Secure Coding Practices

We are lucky to have Michael Howard, author of Writing Secure Code and 24 Deadly Sins of Software Security giving a free workshop for developers, architects and team leads on Threat Modelling and the Secure Development Lifecycle. This will be followed by a session on how to write secure .NET code.

Auckland has never seen such an awesome free event!

Presenters that are offering their time include Greg Low, Nicholas Dritsas and Auckland's Alex Henderson of Architecture Chat fame.

To cover the costs of the event, we have the help of our generous sponsors: Microsoft, Datacom, Intergen, INETA and Xero.

All that's left for you to do is to visit the website for more details, and sign up now!

See you there on Sunday 13 September,

Kirk

Today at the Wellington .NET User Group, Kevin presented a talk on "Windows Mobile 6.5 Widgets".

Kevin has kindly provided his slides and samples for download:

I found this interesting. I haven't developed any applications for Windows Mobile, though I have played around a bit with the emulator and deploying code from within Visual Studio.

Widgets seem like a lot simpler application development model than native or compact framework applications. The application development model is similar to Vista sidebar gadgets, as there is a packaged zip file containing the application inside - and the application is 'simply' Javascript and HTML. Widgets can use XHR or DOM manipulation, and have access to a small amount of local storage to store preference information.

Windows Mobile 6.5 treats widgets as first-class application citizens within the OS - they have icons on the revamped start screen, and appear in the uninstall screen. As far as the user knows, they are the same as a native application.

Where the process is currently let down is in deployment and debugging. Currently a widget can only be deployed through the Windows Mobile marketplace, after the developer has signed up and the application has been reviewed (I think!). Debugging from Visual Studio seems non-existent, meaning that development is through trial and error.

I could see an enterprising person (like Kevin) building a Javascript library that simulated the API provided by the widget infrastructure, so that widgets could be developed and tested on a desktop before being deployed on a device. Kevin, am I right that all that is needed is the Widget object and some fake ActiveX controls?

All up, an interesting session.

Cheers!

Kirk

Today I went to Nelson for lunch, and presented on Caching to the Nelson .NET User Group.

The talk was a repeat of my Wellington and Auckland talk from a few months ago, and covered various places you typically cache data in a .NET app, motivating the discussion of memcached and Velocity.

It was nice to get down to Nelson to briefly soak up the sun and meet a few new people.

View my previous post on Caching for further info.

Thanks for having me Daniel!

Kirk

So this was a few weeks ago, but I thought I would post some notes here anyway.

Bevan gave a talk at the Wellington .NET User Group titled "Towards Supportability" (view his slides and notes).

Apart from marvelling at his good looking slides, the main thing I took away from his talk was the points he made on documentation. Bevan gave an approach for document systems for the person fighting the fire when all hell breaks loose. When a system is broken, and people are all over the poor systems administrator to fix it, they don't need thick architecture documents, they need something quick and actionable.

The 'Supportability' document structure:

• Architecture - a summary of physical deployment
• Symptoms - a list of failure modes that users might encounter
• Actions - possible remedies
• Procedures - step by step instructions for common procedures
• Reference - additional reference material

The most important parts are the symptoms and actions - how to diagnose what's wrong and how to recover from it.

Cheers Bevan!

Kirk

There's a lot of technology groups in Wellington. I decided to get together a list of all of them so that we could see if we clash on our regular meeting days. Please let me know if your group is missing, or the details need updating.

Most of these groups run free events with the support of their sponsors!

Form more info about geek events in Wellington, head over to wellington.geek.nz or dot.net.nz.

Microsoft technology focussed:

• Wellington .NET User Group: First and Third Wednesday of the month
• Wellington SQL: Third Thursday of the month
• Wellington Sharepoint: Last Wednesday of the month
• Wellington Dynamics: No fixed day, normally near the end of the month
• Wellington Infrastructure: Monday night, once every 2 months
• Wellington Silverlight: Monthly
• Wellington Team System: Bi-monthly
  

Other technologies:

• OLPC Friends in Testing: Saturday mornings
• Wellington Python User Group: Second Thursday of the month
• Erlang Users Group: first Thursday of the month
• Wellington Perl Mongers: second Tuesday of the month
• Wellington Creative Suite User Group: First Tuesday of the month
• Flex User Group: Second Wednesday of the month
  
• Wellington Java user group: third Wednesday of the month
• WellRailed
• Wellington PHP Group
• WellyLUG Linux User Group: Third Wednesday of the month
• Wellington Macintosh Society: Mondays
• Wellington Agile Professionals Network: Mondays
• Wellington Novell Users International: Monthly
  

Technology 'agnostic':

• Wellington Geeks Lunch: Tuesday lunchtime
• Unlimited Potential: various days of the month
• NZ ICT - voice of industry
• Wellington Solution Architects Forum: lunchtime
• Wellington's Web Design & Dev Meetup
• Thursday Night Curry: Thursday evenings
• Information Security Interest Group (ISIG): Last Thursday of the month
• Technical Communicators Association: Last Monday of the month
• Test Professionals Network
• NZ Computer Society

Happy Geeking!

Kirk

Craig, Owen and I (all from Xero) went along to the Wellington Summer of Code session last night to demo Visual Studio, the .NET runtime and ASP.NET MVC to 30-ish eager and willing University Students.

It was an interesting time. Allfields hosted us in a couple of their training rooms, which was pretty cool as the students got to follow along using their own copies of Visual Web Developer. The Allfields facility is pretty good - each room had about 20 PCs for students to use, and the guys there set up a video link between the two rooms.

Students: If you're got .NET questions, be sure to sign up to the dot.net.nz mailing lists.

I'm looking forward to meeting with the students again as the programme continues, and hopefully work with one of them at Xero!

Kirk

If you store, transmit or process credit card data, PCI applies.

How can OWASP help you with PCI compliance?

Credit card data:

• Primary Account Number (PAN): Can store it, but protection required.
• Can never store the CVD 3 digit number or mag stripe

Card data attacks have been increasing in sophistication.

PCI-DSS affects anyone who transmits, processes or stores payment card data. E.g. merchants, service providers (e.g. Paymark, DPS).

Look at 12 requirements of PCI-DSS (firewalls, storage etc)

Protecting stored data:

You must not store sensitive authentication data. Principle: if you don't need it, don't store it. Consider outsourcing, truncation, tokenisation.

Tokenisation: Replace PAN with a unique identifier "token"

Truncation: don't store all the data (e.g. first 4, last 4 digits)

Encryption: Encrypt at point of capture, only decrypt when required, use industry standard encryption, protect your keys.

Developing secure applications / Test app was built securely / Use secure coding guidelines:

Standard OWASP guidelines

Annual risk assessment:

Every year, new threats will affect your site. Go and re-assess against the new threats.

Fixing legacy systems: make sure no old data is lying around.

Real life example: it's very easy to mess up (example of reverting to old code)

Parting thoughts: achieve, maintain and validate compliance. Secure development is a key activity. OWASP is a good source. Reduce storage of PAN data.

Bug chaining - an idea that hasn't really propagated yet.

How do we rate how severe a bug is? Consider how easy it is to exploit, where it is accessible from (client-side, server-side, internet, local, mass exploitable, targeted exploit, etc).

Audience attempted to rate the severity of a couple of bugs:

• SQL injection on authenticated site -> medium/high
• File upload php files on authenticated site -> high/critical
• Local file disclosure -> medium/high
• XSS - reflective, authenticated -> low/medium

Is attacker considered 'authenticated' once there is an XSS attack? Any subsequent attacks can be treated as authenticated.

When you join together the XSS bug with the file upload bug, then it's critical!

Bug chaining: taking multiple bugs and chaining them together to create exploitable vulnerabilities. Instead of looking at each individual bug, look at how they can be combined together.

There are now frameworks to help chain together exploits - and this is how a lot of worms now work.

Recent examples of chaining exploits: PHPMyAdmin <= 3.1.3; SugarCRM <= 5.2.0e - compromise server through 3 bugs together.

How to deal with this? CVSSv2:

• Common Vulnerability Scoring System v2.0
• Scoring system for assessing bugs
• Considers exploit complexity, application location, authentication, target likelihood etc
• Can be very complex, time consuming, difficult to follow

"You can explain this stuff all day, but when network admins actually see you do it, that's when they understand" Brett Moore

VtigerCRM - large open-source CRM system which fixed problems with a security patch, but don't link to the fix (and haven't installed it themselves!).

He wrote a BeEf module for VtigerCRM that can run as an auto-run module (took less than 2 hours to write):

• Chains file upload and XSS bug to upload a malicious PHP script to start a command shell
• Connection is from server to the attackers machine, so user doesn't need to stay connected

Summary:

Don't look at severity of individual bugs - need to look at how bugs can be joined together.

Understand the bugs.

Follow the OWASP coding and testing guidelines.

Tools:

• BeEf - command console for an attacker to run script on the client computer. Modular list of exploits, and control multiple victims. Autorun modules to automatically execute modules within 1.5-2 seconds.

Firefox extensions: They're just software, like ActiveX. Extend, modify and control the browser.

Firefox extension points:

• XUL: XML user interface language
• XBL: XML Binding Language - logical behaviour of widgets
• XPCOM: Reusable components, interface to file system etc.
• XPConnect: Allows Javascript to connect to XPCOM
• Chrome: Special browser zone that is fully trusted by firefox - code is fully trusted, has access to filesystem, user passwords etc.

Mozilla security extension model is non-existent. All extensions are fully trusted by Firefox - no boundaries between extensions, they can modify each other without the user knowing. Can be coded in C++ and subject to memory corruption etc.

Extensions are very popular (billion downloads) and can be found everywhere - social networks, search engines, software packages (skype, anti-virus), anti-phishing toolbars.

Biggest problem is the human side of things - Addins.mozilla.org recommend extensions and add a 'recommended' icon next to them. Extension source code isn't read by third parties ("It's not the linux kernel").

There's no protection from an extension with a security problem, it will bypass any other phishing / malware protection extensions.

Extensions aren't signed (even the Mozilla ones), so we can't rely on people checking signatures.

If an extension is originally trusted, then subsequent updates won't go through the same review process.

No current guidelines for testing a Firefox extension, so security-assessement.com havce come up with their own methodology (whitepaper to be released this year, early next year):

• Isolated testing: Only test one extension at a time, on different OSes with different Firefox versions.
• Information gathering: How does the extension work, how is it installed? Look inside the extension package (a zip file) and look for malicious files (e.g. .exe, .msi etc)
• Look for XPInstall API functions that are dangerous (e.g. executing code on install)
• Look for suspicious files in the extension folder (e.g. softlinks to other directories)
• Look inside install.rdf - some tags can hide extensions so they don't appear in the addon manager
• Extensions can have the same description as other installed extensions, so two appear in addon manager
• Does the extension try to trick the user into thinking it's verified?
• Look for pointers outside the extension, or flags that expose the extension object or content to untrusted code (e.g. contentaccessible=yes or xpcnativewrappers=no)
• Extensions can be merged into the firefox UI - e.g. top toolbar, bottom status bar. They can also modify existing buttons e.g. Reload, Back, Forward or Home button.
• Use the extension. Check the DOM of a test page with the extension loaded (they used mozreply to do this)
• Debugging: can set breakpoints using Javascript debugger.
• Sandbox: can be sidestepped by replacing code inside the sandbox or evaluating it from outside
• XPCOM components: .dll or .so - compiled code that the extension may ship with, or may use existing components on the machine. May need to review source code or decompile. A bunch of components to watch out for.
• wrappedJSObject: removes the protection of the XPComComponent, so they are avoiding the firefox protection.
• Watch out for callback functions, which may be replaced / modified
• window.OpenDialog: Opens any URI with elevated chrome privileges
• Auth: Some expose credentials in plain text, e.g. GET or basic auth
• Auth: Some expose functionality via javascript that can side-step normal process
• Skype extension - a javascript call that any web page can use to start dialing your skype to any
• XSS: Watch out for XSS issues - can execute in the chrome zone from DOM events, embedded XSS, recursive iframes
• XSS: Extensions loading external scripts

They have applied their methodology to different extensions, and some responses have been slow or non-existent!

Here are some extensions that were demoed and had problems. They are all common or Mozilla recommended (all these have been fixed):

• FireFTP: Could include malicious code in the welcome method of an FTP server, and the browser would execute it. Showed a proof of concept sending the contents of win.ini to a different server, and using BeEf to control client.
• CoolPreviews: Susceptible to XSS if a data:// URI is used. Showed a remote code execution when right-clicking on a link and previewing it with CoolPreviews.
• WizzRSS: HTML and Javascript in the <description> tag of RSS feeds is executed in the chrome zone. Showed a reverse shell onto the Windows machine from a malicious users machine.

Extension developers and vendors haven't got a security disclosure process yet - they don't know how to deal with the issues yet. Some extensions don't even publish an email address for the author.

Tools:

• Firebug
• MozRepl
• BeEf - command console for an attacker to run script on the client computer.

With shift to web services, where we are relying on client to secure stuff, we have to remember not to trust the client.

Gave a methodology for testing web services:

• Service discovery:
• Look for WSDL or similar files that contain service info, using search engines, site spidering or looking at app behaviour
• Method discovery:
• Look inside the WSDL to see what methods are available, or if there isn't one, you can brute force the webservice with common method names to find ones that exist.
• OWASP top 10. These still all apply to web service calls, including:
• Malicious file execution, insecure direct object reference,
• CSRF with AJAX clients
• Information leakage
• Broken auth and session mgmt
• Insecure crypto storage
• Insecure communications - SSL is important
• Failure to restrict URL access - protect admin etc web services from anonymous access
• Web service specific tests:
• XML issues (external entities, malformed XML, recursive XML, XML entity expansion, XML attribute blowup, overlarge XML and CDATA injection)
• Can find out details inside the secure network, and CSRF etc machines in there.
• WS-Routing issues
• WS-Security is not a panacea - secures the method integrity and confidentiality, but doesn't stop bad stuff coming through.

Tools shown:

• SIFT web method search tool - brute force the web service to find out which methods are supported.
• Foundstone WS Digger - automate attacks against web services (XSS, SQL, Xpath etc)
• Webscarab - to modify XML posted to web services and try connecting to external entities

If you don't own the 3 OWASP books, you've failed.

We're still facing the same vulnerabilities we already have, because we are doing something wrong. Maybe it's security professionals that are doing something wrong, by not educating developers properly.

Big security companies still having problems with their websites.

Most vulnerabilities are well known.

Security people don't write code. developers do. They don't "get" security:

• Don't fix the root cause
• Don't understand the threat
• Most have never seen a vulnerability exploited

Sitting down with developers and stepping them through a vulnerability helps show them the light and they understand and think about vulnerabilities.

Talk today designed to show developers exploits in action.

Tools showed:

• Burp - proxy tool for intercepting requests
• A custom sitemap tool that Insomnia uses
• An MS-SQL Enumeration tool that takes a vulnerable url and pulls out all the DB info using the master db to enumerate tables
• ASPX Spy - if you can get this ASP.NET file up on to a server and run, it provides a UI for playing around with the OS.
• SQL Map - an automatic SQL injection tool - can enumerate the DB, even if the data is not displayed by inferring the state of the db based on the page output.

Problems shown:

• Robots.txt is not a place to list parts of your site that you don't want people to know about :)
• Buying -1 quantity of a $1000 book leads to the users credit on the shopping site increasing by $1000 :)
• XML parsing vulnerability that allows external entities to be referenced in the XML provided to a web service - which can pull the contents of a file off the server.
• Query string parameters passed to the command interpreter, and used for file names.
• PHP include let's you include PHP source from another web server (looks like you need to disable URL fopen wrappers).
• Only securing GET requests to an admin directory.
• Showed a fake version of the CCIP website with multiple problems.
• Admin interface for a website is exposed to the internet.

Open questions:

• Who owns server configuration? Architects, developers, system administrators? If server or framework config changes, then we're insecure.
• Is it security professionals job to make sure problems are corrected?

Paul raised the question: "Is internet security getting better or worse?"

By 2004 we had bought lots of security products, and now only port 80 is the only open port (default DENY). Hackers started hacking web apps instead.

Classic ASP was easy to hack. until in 2005 when vendors started releasing safer technology frameworks (2005? We were using it in 2002)

Note: ASP.NET doesn't have XSS protection built in, unless you leave ValidateRequest on (which no-one does), as controls only sporadically escape their output.

Paul looked at Security-Assessment's old pen-test projects and compared their vulnerabilities to those run recently.

"In 2003-2005, web application developers were F$%^&* bad"

"Developers fail at anything to do with files"

But the situations hasn't got much better lately. Admin sections are still accessible, SQL injection still found, but less common, file uploads allowing directory traversal.

When developers use framework security controls, they're okay. If they use custom security code, they mess it up.

"Less vulnerabilities in 2009 resulted in a shell"

"Security only works flawlessly when it's already implemented in the framework" - when developers build their own code, they normally mess it up.

Summary: The internet is getting more secure, but we're not there yet! Only need one bug to get in to a system.

Well, what did I learn while at Code Camp last weekend.?

• Wellington .NET dev community is passionate and quite diverse
• Objective C is more smalltalk-ish than I realised from previous snippets I had seen
• Xcode IDE is less 'integrated' than Visual Studio
• I now know more about CRM and other Microsoft solutions
• A panel discussion (Usability or Security) can be fun when the audience participates
• How to make my code slightly more maintainable
• Code contracts gel with me more than Spec# did. and I like them
• F# continues to be awesome and yet awe-inspiring
• Sync framework looks like a good solution for occasionally connected apps, with a good set of functionality out of the box
• And I demoed a beta IDE in a beta VM on a beta OS (VS2010 in Windows Virtual XP on Windows 7)

Sponsors are awesome!

• Whitireia Community Polytechnic (in particular, the Bachelor of Information Technology staff) were very accommodating hosts
• Mindscape surprised by offering prizes of 2 LightSpeed licenses and one "bundle of everything"
• Microsoft NZ sent through prizes, and the Microsoft MVP Programme sponsored some of the costs
• INETA APAC, the International .NET Association also sponsored some of the costs
• Xero also sponsored towards the costs
• DTS provided internet for the weekend

Go Go Gadget. Karting!

I had fun at the go-karts. The winners of the team event were Simon and Bert:

I'm looking forward to the Code Camp this weekend. We've got an interesting range of talks lined up over the two days, and I'll be doing a short talk on what's coming in Visual Studio 2010.

As well as organising the finances and food, I've organised the social event for Saturday night. It's going to be fun!

Code Camp Social Event

6:30pm, Sat 13 June @ North City Indoor Raceway 3 Raiha St, Porirua http://bit.ly/g6gLf

Food at 7pm, racing shortly after. Finish by 9pm.

A family-friendly go-kart race, with geek-against-geek action.

The karting is at the North City Indoor Raceway: http://www.ubd-online.co.nz/indoorkarting/ (see "The Races")

There will be a team race where each team will relay through each driver 3 times, giving 30 laps of racing per person. Everything is computer-timed to find out which team wins, and spectators are welcome to watch.

The food will be BBQ/Salad/Chips, and you can BYO drinks (I'll hopefully have some money left to bring a little along).

Karting plus food: $40
Food only: $10

Spouses and older kids are welcome to kart at the above prices, or come along just for food and cheer your team on!

Many thanks to our sponsors: Whitireia, Xero, Microsoft MVP, INETA, DTS

I visited Napier at lunchtime today to present at the Hawkes Bay .NET User Group.

The presentation was a mixture of my earlier web security talk and the talk I gave recently on the Anti-XSS library which helps when you need to encode untrusted data.

• The Microsoft Anti-XSS Library (use instead of HttpUtility.Encode)
• Security Runtime Engine - automatically encode ASP.NET control properties
• The Classifieds web site starter kit
• Which ASP.NET Controls Automatically Encode?
• Clickjacking video
• Framebusting:
  http://pageofwords.com/blog/2008/10/06/FrameBustingInJavascript.aspx
• OWASP - The Open Web Application Security Project - http://www.owasp.org

Subscribe to my blog: http://pageofwords.com

Cheers!

Kirk

When is it not safe to load an XML file into an XmlDocument object?

Any time the source is untrusted, it turns out:

Tom Hollander: Protecting against XML Entity Expansion attacks

That's one I haven't heard of before, and shows why every input from an untrusted source should be treated with care.

It reminds me of the zip expansion attacks that used to break mail servers 8 or so years ago:

Zip expansion attack. A large uniform file (for example 1 Gbyte of Zeros) is zipped and e-mail. AV or content filtering products attempt to unzip the attachment for checking, but are unable to do so because of lack of disc space. [ecommnet]

The old expanding file trick. What will they think of next?

Kirk

While it's not always like this...

... it's true that Rod does zoom around the office (although not always on the Segway).

[Rod on the Telecom Business Hub]

Kirk

I presented a talk at the Wellington and Auckland .NET user groups this month titled "Best Practices -  Caching". The goal of the talk was to discuss why we might need to add caching to our applications, and the way that we typically add it to each layer:

• Client-side: reducing data flowing to the server, enable caching through expiry etc
• ASP.NET: stashing data; page-level, fragment, IIS caching
• Business layer: cache objects to avoid computation
• Data layer: cache raw data from the database; identity maps
• Database: reduce hits on disk

The difficult part when caching at any layer is invalidating the redundant data that is stored in the cache when the source data changes. It's easier depending on the type of the data:

• Reference - shared reads (e.g. Catalog)
• Easy to cache and distribute
• Activity - exclusive write (e.g. Cart)
• Can cache each user's data separately
• Resource - shared, concurrency read/write, large number of transactions (e.g. Auction bid)
• Caching is hard
• DB is best source of data, with careful caching

The second half of the talk we looked at two caching technologies - memcached and Velocity.

The presentation: Caching.pdf 

Some links:

• Microsoft Project code named Velocity
• Steve Souders - High performance web sites
• YSlow

Kirk

I appreciate good humour more than I appreciate politics, and most of the credit I gave to our former prime minister Helen Clark was for her sharp wit.

It's great that we have a funny guy as our prime minister in New Zealand:

Hat tip to Rod on our Xero blog

Kirk

I've just been awarded Cobol Developer of the year for 2009!

It has been a great ride at Xero, from releasing our first beta little more than 2 years ago, to racking up our 6000th customer this week.

Some people doubted us for picking a VSE/ESA environment and the IBM compiler, but the support for 31 bit addressing and dynamic calls really accelerated our development of a Web 2.0 software product.

I'd like to thank all the other forward thinking members of our team for choosing and building on a great platform, and encouraging me to achieve this award.

Kirk

Deleting your POP3 mailbox using telnet, since Gmail doesn't do it properly :)

I'm using Gmail to check and download my Paradise (ISP) email. This means I can read (almost) all of my personal email in one place.

Gmail appears to only have one option for deleting mail: "Leave a copy of retrieved messages on the server". If you set this option it immediately deletes your mail from the POP server after downloading it to Gmail, which means that you can't check it with an alternate client.

Other mail clients allow you to leave mail on your mail server for a number of days, so I normally set this to 7 days so that if I need to fire up a different client or use my ISP's mail, then I can see recent email. Gmail doesn't have this option, which means if you don't delete mail from your POP account, it will eventually fill up.

For completeness, the sequence of commands to type into telnet to delete a bunch of your mail:

> telnet pop3.paradise.net.nz 110

USER <username>  // Your POP username
PASS <password>  // Your POP password

STAT                        // Lists the number of messages (e.g. +OK 1108 19255723, which means 1108 messages)

// Then for each message
DELE 1
DELE 2
...                         // I used a spreadsheet to quickly generate a list of DELE's from 1 to 1108)

Mission accomplished. An empty POP mailbox without installing (or writing) any extra code :)

Kirk

Well done to the SilverStripe team for getting into the new Microsoft Web Platform installer:

The installer helps people get web applications up and running in a flash, and it's great to see SilverStripe alongside 9 other big-named web apps. This should be great for the initial out-of-the-box experience for their users, and for exposure to new users.

See Nigel's blog for more details.

Jeff Moser writes How .NET Regular Expressions Really Work.

I've got a soft spot for regular expressions (programming Perl can do that to you), and while I understand backtracking and greedy / lazy matching, I've never actually read the source code for a regex library before.

If you haven't either, and want to benefit from someone else's description of the 14,000 lines of .NET regular expression library, you'll enjoy this post.

Kirk

Ewan Tempero, a lecturer and supervisor of mine from my days at VUW (now at Auckland Uni) is part of a survey to find out what we actually practice in software engineering, so that they can compare it to what is being researched and taught:

sefolklore.com

Fill in the survey, it will take less than 10 minutes.

(Watch out for the 'rank the following 6 statements' question -- you can only put a rank against one statement)

Kirk