Friday, March 18, 2011
I presented at the NZ SharePoint conference yesterday. It was a pretty impressive event - kudos to Debbie and the organising team.

My talk was split into two parts: what are some of the risks in running a SharePoint site; and how can you protect against them.

The risks I covered were cross-site scripting and malicious file uploads - MIME sniffing in IE, the recent MHTML attack and the ever-present risk of malicious PDF documents. The key takeaway is that any uploaded file could be malicious, and that you need to think about how to mitigate those risks.
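The upload risks listed above are the kind of thing a developer wants to see as a concrete check. The Python below is an added example for this post, not code from the talk or the slides: it decides how a stored upload is served back, using an allow-list of extensions, a magic-byte check so an HTML payload renamed to .pdf is not served as a PDF, and the response headers that stop IE from sniffing the content or opening it inline. The allow-list, the magic-byte table and the header set are assumptions chosen for the example.

```python
import re
from typing import Dict

# Assumed allow-list for the example: extension -> Content-Type we are willing to serve.
# Anything not listed is served as an opaque binary download.
ALLOWED_TYPES: Dict[str, str] = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}

# Leading bytes each allowed type is expected to start with (assumed table for the example).
MAGIC: Dict[str, bytes] = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": b"PK\x03\x04",
}


def sanitize_filename(name: str) -> str:
    """Keep only the last path component and a conservative character set."""
    base = name.replace("\\", "/").split("/")[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "download"


def content_matches_type(data: bytes, content_type: str) -> bool:
    """True when the file's first bytes agree with the type implied by its extension."""
    expected = MAGIC.get(content_type)
    return expected is None or data.startswith(expected)


def download_headers(filename: str, data: bytes) -> Dict[str, str]:
    """Build the response headers for serving one uploaded file back to a browser."""
    safe_name = sanitize_filename(filename)
    ext = safe_name[safe_name.rfind("."):].lower() if "." in safe_name else ""
    content_type = ALLOWED_TYPES.get(ext, "application/octet-stream")
    # Extension and contents disagree: fall back to an opaque download rather than
    # letting the browser treat attacker-supplied bytes as the claimed type.
    if not content_matches_type(data, content_type):
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        # Tell IE (and other browsers) not to sniff a different type out of the body.
        "X-Content-Type-Options": "nosniff",
        # Always download, never render inline in the site's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # IE-specific: suppress the "Open" option in the download prompt.
        "X-Download-Options": "noopen",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a genuine PDF header and an HTML payload named as a PDF.
    print(download_headers("report.pdf", b"%PDF-1.4\n%..."))
    print(download_headers("report.pdf", b"<html><script>alert(1)</script>"))
```

The point of the magic-byte check is the second sample: the same filename yields `application/octet-stream` once the body does not look like a PDF, and with `nosniff` set the browser will not second-guess that decision.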

In the 'protection' section, I covered some SharePoint development best practices and stepped through SharePoint specifics on how to protect against XSS and CSRF. SharePoint has some pretty good protections built in out of the box, but if we're building our own web parts we need to be vigilant.

The presentation should shortly be available from the conference website, with a video in a month or so. If you've got any questions please feel free to email me or get in touch.

2011-03-17-NZSPC-KirkJackson.pdf (2.9 MB)

Cheers,

Kirk
posted on Friday, March 18, 2011 10:42:33 AM (New Zealand Standard Time, UTC+12:00)
Wednesday, March 09, 2011
This month I gave a similar talk to two user groups. The OWASP Wellington (and Auckland over video conference), and the Wellington .NET user group both invited me to speak on: "I know what you did last summer; The latest from the world of web hacks".

This was a fun talk to deliver. The focus was on recent web 'hacks' that had occurred in the past few months (I used a pretty general definition of 'hack'), but the main discussion was around the lessons that we could learn from these issues and what we could draw back into our own projects.

I think this talk had the most interaction out of any of my previous talks. There was lively discussion about what the root cause of the problem was, whether it was even fixable at all, and we lamented the effects of 'users' :)

Since the .NET talk was a superset of the OWASP one (it was longer), I've included those slides below:

2011-03-09-WellingtonNet.pdf (2.07 MB)

Thanks for coming!

Kirk
posted on Wednesday, March 09, 2011 8:17:00 PM (New Zealand Standard Time, UTC+12:00)
Last month I started in a new role at Aura Software Security, where I am a security consultant. I'm excited about all the fun stuff I'll be doing, getting involved with security advice, training and testing at all stages of the development lifecycle.

However, starting a new job means leaving another, and I'm sad to leave Xero. It has been a blast working at Xero, and I have made some great friends, had a lot of laughs, and been a part of building something pretty special.

In terms of this blog, I predict that nothing much will change -- I will continue to post infrequently, usually triggered by a promise to post some event slides or other online. If you're subscribed, you've probably noticed that most of my posts tend to be around web security, and I doubt that will change!

Kirk

posted on Wednesday, March 09, 2011 8:09:04 PM (New Zealand Standard Time, UTC+12:00)