Thursday, May 28, 2009

I visited Napier at lunchtime today to present at the Hawkes Bay .NET User Group.

The presentation was a mixture of my earlier web security talk and the talk I gave recently on the Anti-XSS library, which helps when you need to encode untrusted data.

Download File - Presentation

posted on Thursday, May 28, 2009 10:56:37 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [3]
Friday, May 22, 2009

When is it not safe to load an XML file into an XmlDocument object?

Any time the source is untrusted, it turns out:

Tom Hollander: Protecting against XML Entity Expansion attacks

That's one I hadn't heard of before, and it shows why every input from an untrusted source should be treated with care.

It reminds me of the zip expansion attacks that used to break mail servers 8 or so years ago:

Zip expansion attack. A large uniform file (for example 1 Gbyte of zeros) is zipped and e-mailed. AV or content filtering products attempt to unzip the attachment for checking, but are unable to do so because of lack of disc space. [ecommnet]

The old expanding file trick. What will they think of next?
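As an added example (not code from this post or from Tom Hollander's article), this is how I would load XML from an untrusted source into an XmlDocument while refusing to process any DTD at all, so entity declarations can never be expanded; the two input strings are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Parses untrusted XML into an XmlDocument through an XmlReader that
    // rejects DTDs outright (no entity declarations, so nothing to expand)
    // and never fetches external entities or DTDs.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // .NET 4.0+; on .NET 3.5 use ProhibitDtd = true
            XmlResolver = null,                     // no network or file fetches for external references
            MaxCharactersFromEntities = 1024        // defence in depth: cap expanded entity text
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // XmlDocument carries its own resolver; clear it as well.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // Returns true if the input was accepted, false (with the parser's
    // message) if the hardened reader rejected it.
    public static bool TryLoad(string xml, out string reason)
    {
        try { LoadUntrusted(xml); reason = null; return true; }
        catch (XmlException ex) { reason = ex.Message; return false; }
    }

    static void Main()
    {
        // Constructed sample inputs: one plain document, one carrying a DOCTYPE.
        const string plain = "<order><item sku=\"A1\" qty=\"2\"/></order>";
        const string withDtd = "<!DOCTYPE order [<!ENTITY x \"text\">]><order>&x;</order>";

        string why;
        Console.WriteLine("plain   : " + (TryLoad(plain, out why) ? "loaded" : "rejected: " + why));
        // The DOCTYPE document is rejected when the declaration is read,
        // before any entity content is ever expanded.
        Console.WriteLine("with DTD: " + (TryLoad(withDtd, out why) ? "loaded" : "rejected: " + why));
    }
}
```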


posted on Friday, May 22, 2009 8:54:43 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Wednesday, May 20, 2009

While it's not always like this...

... it's true that Rod does zoom around the office (although not always on the Segway).

[Rod on the Telecom Business Hub]


posted on Wednesday, May 20, 2009 11:53:38 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]
Monday, May 18, 2009

I presented a talk at the Wellington and Auckland .NET user groups this month titled "Best Practices - Caching". The goal of the talk was to discuss why we might need to add caching to our applications, and the way that we typically add it at each layer:

  • Client-side: reducing data flowing to the server, enabling caching through expiry, etc.
  • ASP.NET: stashing data; page-level, fragment, IIS caching
  • Business layer: cache objects to avoid computation
  • Data layer: cache raw data from the database; identity maps
  • Database: reduce hits on disk

The difficult part when caching at any layer is invalidating the stale data held in the cache when the source data changes. How hard this is depends on the type of data:

  • Reference - shared reads (e.g. Catalog)
    • Easy to cache and distribute
  • Activity - exclusive write (e.g. Cart)
    • Can cache each user's data separately
  • Resource - shared, concurrent read/write, large number of transactions (e.g. Auction bid)
    • Caching is hard
    • DB is best source of data, with careful caching

In the second half of the talk we looked at two caching technologies - memcached and Velocity.

The presentation: Caching.pdf

Some links:


posted on Monday, May 18, 2009 10:40:13 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]