I visited Napier at lunchtime today to present at the Hawkes Bay .NET User Group.

The presentation was a mixture of my earlier web security talk and the talk I gave recently on the Anti-XSS library which helps when you need to encode untrusted data.

• The Microsoft Anti-XSS Library (use instead of HttpUtility.Encode)
• Security Runtime Engine - automatically encode ASP.NET control properties
• The Classifieds web site starter kit
• Which ASP.NET Controls Automatically Encode?
• Clickjacking video
• Framebusting:
  http://pageofwords.com/blog/2008/10/06/FrameBustingInJavascript.aspx
• OWASP - The Open Web Application Security Project - http://www.owasp.org

Subscribe to my blog: http://pageofwords.com

Cheers!

Kirk

When is it not safe to load an XML file into an XmlDocument object?

Any time the source is untrusted, it turns out:

Tom Hollander: Protecting against XML Entity Expansion attacks

That's one I haven't heard of before, and shows why every input from an untrusted source should be treated with care.

It reminds me of the zip expansion attacks that used to break mail servers 8 or so years ago:

Zip expansion attack. A large uniform file (for example 1 Gbyte of Zeros) is zipped and e-mail. AV or content filtering products attempt to unzip the attachment for checking, but are unable to do so because of lack of disc space. [ecommnet]

The old expanding file trick. What will they think of next?

Kirk

While it's not always like this...

... it's true that Rod does zoom around the office (although not always on the Segway).

[Rod on the Telecom Business Hub]

Kirk

I presented a talk at the Wellington and Auckland .NET user groups this month titled "Best Practices -  Caching". The goal of the talk was to discuss why we might need to add caching to our applications, and the way that we typically add it to each layer:

• Client-side: reducing data flowing to the server, enable caching through expiry etc
• ASP.NET: stashing data; page-level, fragment, IIS caching
• Business layer: cache objects to avoid computation
• Data layer: cache raw data from the database; identity maps
• Database: reduce hits on disk

The difficult part when caching at any layer is invalidating the redundant data that is stored in the cache when the source data changes. It's easier depending on the type of the data:

• Reference - shared reads (e.g. Catalog)
• Easy to cache and distribute
• Activity - exclusive write (e.g. Cart)
• Can cache each user's data separately
• Resource - shared, concurrency read/write, large number of transactions (e.g. Auction bid)
• Caching is hard
• DB is best source of data, with careful caching

The second half of the talk we looked at two caching technologies - memcached and Velocity.

The presentation: Caching.pdf 

Some links:

• Microsoft Project code named Velocity
• Steve Souders - High performance web sites
• YSlow

Kirk