Thursday, July 14, 2011

Today I'm presenting at the awesome WDCNZ conference, organised by Owen and the fine folks at Xero.

The talk discusses some of the new browser features that will help to protect you from XSS, man-in-the-middle and other attacks.

Please download, and send through any feedback or questions: KirkJackson-WDCNZ-GetAHeader-online.pdf (1.35 MB)

posted on Thursday, July 14, 2011 1:52:31 PM (New Zealand Standard Time, UTC+12:00)

Wednesday, April 06, 2011
Andy and I presented at the first NZ ALM conference today -- a conference covering all aspects of the application lifecycle, and use of the Visual Studio ALM suite of tools.

Our talk covered the Security Development Lifecycle, and gave some 'motivating examples' of different recent hacks, exploits, or just plain quirks that demonstrated how thinking about security at each stage of the lifecycle can help protect the security and privacy of your users, businesses and their data.

Here's the presentation, including links to useful web references:

2011-04-06-NZALM-KirkJackson-AndyProw.pdf (4.4mb)

posted on Wednesday, April 06, 2011 10:40:13 PM (New Zealand Standard Time, UTC+12:00)

Friday, March 18, 2011
I presented at the NZ SharePoint conference yesterday. It was a pretty impressive event - kudos to Debbie and the organising team.

My talk was split into two parts: what are some of the risks in running a SharePoint site; and how can you protect against them.

The risks I covered were cross-site scripting and malicious file uploads - MIME sniffing in IE, the recent MHTML attack and the ever-present risk of malicious PDF documents. The key takeaway is that any file uploaded could be malicious, and to think of how to mitigate those risks.

In the 'protection' section, I covered some SharePoint development best practices and stepped through SharePoint specifics on how to protect against XSS and CSRF. SharePoint has some pretty good protections built in the box, but if we're building our own web-parts we need to be vigilant.

The presentation should shortly be available from the conference website, with a video in a month or so. If you've got any questions please feel free to email me or get in touch.

2011-03-17-NZSPC-KirkJackson.pdf (2.9 MB)


posted on Friday, March 18, 2011 10:42:33 AM (New Zealand Standard Time, UTC+12:00)

Wednesday, March 09, 2011
This month I gave a similar talk to two user groups. The OWASP Wellington (and Auckland over video conference), and the Wellington .NET user group both invited me to speak on: "I know what you did last summer; The latest from the world of web hacks".

This was a fun talk to deliver. The focus was on recent web 'hacks' that had occurred in the past few months (I used a pretty general definition of 'hack'), but the main discussion was around the lessons that we could learn from these issues and what we could draw back into our own projects.

I think this talk had the most amount of interaction out of any of my previous talks. There was lively discussion about what the root cause of the problem was, whether it was even fixable at all, and we lamented the effects of 'users' :)

Since the .NET talk was a superset of the OWASP one (it was longer), I've included those slides below:

2011-03-09-WellingtonNet.pdf (2.07 MB)

Thanks for coming!

posted on Wednesday, March 09, 2011 8:17:00 PM (New Zealand Standard Time, UTC+12:00)
Last month I started in a new role at Aura Software Security, where I am a security consultant. I'm excited about all the fun stuff I'll be doing, getting involved with security advice, training and testing at all stages of the development lifecycle.

However, starting a new job means leaving another, and I'm sad to leave Xero. It has been a blast working at Xero, and I have made some great friends, had a lot of laughs, and been a part of building something pretty special.

In terms of this blog, I predict that nothing much will change -- I will continue to post infrequently, usually triggered by a promise to post some event slides or other online. If you're subscribed, you've probably noticed that most of my posts tend to be around web security, and I doubt that will change!


posted on Wednesday, March 09, 2011 8:09:04 PM (New Zealand Standard Time, UTC+12:00)

Wednesday, September 29, 2010

Thanks to those user group members and Xero partners that came along to our talk today.

We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.

Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)

All ASP.NET applications are affected. The best thing to do is install the patches released this morning.

Problem & bulletins:

- Security bulletin MS10-070
- Useful info on ScottGu's blog
- Forum about the security vulnerability
- Video of a site exploit, even with the workarounds applied

- Scott Gu's writeup of the patch
- Post-mortem of the patch - Marc Brooks
- How to configure the new patched features

- Juliano Rizzo and Thai Duong and their POET tool
- Padbuster tool (including a great writeup of Padding Oracles)

posted on Wednesday, September 29, 2010 8:25:39 PM (New Zealand Standard Time, UTC+12:00)

Monday, September 27, 2010
If you're in Wellington this Wednesday and you develop, maintain, manage or host ASP.NET or SharePoint websites, please do come along to hear about the security vulnerability disclosed a week ago:

posted on Monday, September 27, 2010 9:08:47 PM (New Zealand Standard Time, UTC+12:00)

Wednesday, September 01, 2010

Here's the presentation I delivered at the Auckland Code Camp 2010. It covers 10 things that I found when surveying attendees' websites :)

posted on Wednesday, September 01, 2010 4:18:01 PM (New Zealand Standard Time, UTC+12:00)

Thursday, August 26, 2010

If you're in Auckland this Sunday, come along and check out the latest Microsoft technologies from MS Communities.


It's happening Sunday 29 August from 9:30am till 5:30pm at the University of Auckland Business School. This is a free event, so please register and attend.



The day's agenda is on the MS Communities website.

posted on Thursday, August 26, 2010 1:07:55 AM (New Zealand Standard Time, UTC+12:00)

Thursday, July 15, 2010
Dean used to be a QSA (Qualified Security Assessor). There are now 8 in NZ.

The QSA wears the risk and signs you off for PCI compliance.

There are no silver bullets for PCI stuff.

"It's a hell of a roller-coaster ride"

He has seen 2.5 million credit card numbers in NZ, in the clear, in many website databases.

One guy, Albert Gonzalez, compromised 170 million credit cards across many large corporations.

PCI requirements:

"Protect stored data": 79% of orgs fail on this.

PAN (account data) must be unreadable when stored.

You can never store mag stripe data.

"Track and monitor all access to network resources and cardholder data"

"Develop and maintain secure systems and applications" - 56% of organisations fail on this


1. Card holder data gets everywhere

2. Keep test and development environments out of scope. Don't use real live data in them.

3. The good: payment gateways and companies that handle cards - they do a good job. They outsource to experts.

The bad: small merchants with a few transactions. Cheap website with cheap hosting. Easily compromised.

The ugly: corporates. Great staff but don't make any progress.

If you're a merchant: find a compliant service provider.

4. If you're a service provider: code well, make a noise about it. Make your solutions easy to assess for compliance. Keep in touch with your acquiring bank.

5. You need to evolve your security to address risks. You are allowed to exceed PCI standards.

6. New VISA best practices: you don't need to store the PAN any more, rely on your service provider to do it.

7. Do it properly, or don't use credit cards. Support your developers and give them training.

8. Storage of card data: Challenge it - why does the business need it? Get rid of old cards if you don't need them.

9. Checkbox security - don't just check the boxes. Exceed them.

10. OWASP top 10 - adopted by PCI DSS.

Two most useful links:

Parting thoughts:

- Use OWASP as a tool

- Don't confuse compliance and standards with security

- Chop up your credit cards!


Why did you give up being a QSA?

It was really stressful

When collecting info and passing it on to a payment gateway, do you require an audit?

Different QSAs treat it differently. He believes the webserver is in scope if it's taking the card data. New version of standard coming out in October that may address in-memory stuff.

Why stop using credit cards? At least you get protection, unlike if you use debit cards?

Dean uses a low-value debit card.

How does PCI deal with it if you're using third-party libraries?

Payment application DSS will kick in if you're using it to resell.

posted on Thursday, July 15, 2010 4:47:41 PM (New Zealand Standard Time, UTC+12:00)

Hosting and Web Apps
The Obscurity of Security

Quintin from SiteHost and Mike from Web Drive cover horror stories they've uncovered in website code when they've been rung up to fix something.

Security used to be the domain of systems admins and hosters, but developers have added more fancy features.

Website owners and developers blame their hosters when their sites are defaced.

What if security isn't part of the spec?

Make it part of the spec.

(Shift jobs if management won't let you make it part of the spec.)

Security starts early: Planning and design phase

- Research, talk to security people
- Get your team some security experience
- Reduce the attack surface
- Keep it simple: Don't build a CMS for a 5 page site
- Don't have an admin area, or use defense in depth to protect it

Not all apps are equal:

- Sometimes buying is better than building
- Everything has security holes
- Pick something good
 - How does vendor approach security?
 - Check the apps security history:
   - If there are no holes, beware. If there are silly problems, beware.


- Read the OWASP top 10
- Read the OWASP books
- Read the install documentation and follow the "After installation" docs.
- e.g. Think about what you do when you unserialise stuff; don't trust untrusted user data


- Attack surface reduction
- Validate all your input
- Use source control, and know how it works.
- Watch out for rolling .svn, .git, .cvs directories: might show directory lists, source code, usernames
- svn checkout is an invalid installation method
- Look at all the files that are there! Especially free / open source apps you download

Data management:

- If you don't need it, don't store it
- If you need to keep it, how do you need to access it?
- Hash (with a salt), don't encrypt
- Keep production and development separate
- Keep tabs on your data - size, growth rates, is data used by the code? Get rid of it.

Password strategy:

- Don't reuse credentials
- Weak usernames and passwords for db - common to see dbname = username = password
- Watch out for old staff members and old passwords

Filesystem security:

- Watch out for apps that use /tmp and friends, or require special directory permissions
- Learn how to chmod correctly. x is good enough for directory traversal.
- Watch out for log files in web root
- Beware test files, e.g. phpinfo
- Don't leave old crap on your filesystem: Session files, template caches, zip files
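A script that checks a web root for the leftovers listed above (version-control metadata, logs and archives, phpinfo-style test files, session/cache directories and world-writable files). This is an added example and not part of the talk; the names it flags, the `audit_webroot` function and the constructed sample tree are my assumptions about what such a check should cover.

```python
import os
import stat
import tempfile
from pathlib import Path

# What to flag, taken from the checklist above. These name sets are assumptions
# about typical leftovers; extend them for your own stack.
VCS_DIRS = {".svn", ".git", ".cvs", "CVS", ".hg"}
RISKY_SUFFIXES = {".log", ".zip", ".tar", ".gz", ".bak", ".sql", ".old", ".orig"}
TEST_FILE_NAMES = {"phpinfo.php", "info.php", "test.php"}
TEMP_DIR_NAMES = {"sessions", "cache", "tmp"}


def audit_webroot(root):
    """Walk a web root and return sorted (severity, relative path, reason) findings.

    Flags version-control metadata, log/archive/backup files, phpinfo-style test
    files, leftover session/cache directories and world-writable files.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel = here.relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                # .svn/.git under the web root can serve source, listings and usernames.
                findings.append(("high", str(rel / d), "version-control metadata in web root"))
                dirnames.remove(d)  # no need to walk inside it
            elif d.lower() in TEMP_DIR_NAMES:
                findings.append(("medium", str(rel / d), "session/cache/tmp directory in web root"))
        for name in filenames:
            path = here / name
            relpath = str(rel / name)
            if name.lower() in TEST_FILE_NAMES:
                findings.append(("high", relpath, "phpinfo-style test file in web root"))
            suffix = path.suffix.lower()
            if suffix in RISKY_SUFFIXES:
                findings.append(("medium", relpath, f"{suffix} file in web root"))
            try:
                mode = path.stat().st_mode
            except OSError:
                continue  # vanished or unreadable; skip the permission check
            if mode & stat.S_IWOTH:
                # Anything anyone can write to becomes a foothold once some
                # other component on the box is compromised.
                findings.append(("medium", relpath, "world-writable file"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample web root (not a real site) and return its path.

    Also makes an empty `clean/` subdirectory that should produce no findings.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n")
    (root / "phpinfo.php").write_text("<?php phpinfo(); ?>")
    (root / "error.log").write_text("constructed log line\n")
    (root / "uploads").mkdir()
    backup = root / "uploads" / "site-backup.zip"
    backup.write_bytes(b"PK\x03\x04")
    os.chmod(backup, 0o666)  # deliberately world-writable
    (root / "clean").mkdir()
    return root


if __name__ == "__main__":
    for severity, path, reason in audit_webroot(build_sample_tree()):
        print(f"[{severity}] {path}: {reason}")
```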


- Automate as much as possible
- Don't blindly follow installation instructions
  - Read them when you select the software, and understand what it's doing
- Don't use hosting control panels if you don't need them - they have high level access to the underlying system, and greatly increase your attack surface
- Use SSL for the content not just for the login pages
- Keep your websites separate - different trust level = different credentials


- Keep your own backups - don't trust the provider's ones. They protect from a catastrophic failure, and you could lose 12-24 hours of data
- Test them before you need to use them


- Don't ever use remote includes - including some third party code in your app!
- Minimise remote resource usage:
  - How does your site react if the remote resource is gone?
  - Take your own copy of AJAX libraries
- Do you need third party analytics for everything?
- Outsourcing data storage: What data are you uploading? Where is it hosted? Is it safe? Who has access to it? How are backups stored, and how long are they retained?

Software lifecycle management:

- Have a process for decommissioning, make sure you delete data and files that aren't used
- Make sure software is up to date
- Who monitors upstream releases? How quickly do you make patches? Who makes the call?


- Monitor changes to your website content and uptime
- Check external access. Has your whitelist stopped working?
- DNS: Remember that DNS is an external dependency. Has your domain been hijacked?


- Make security a part of job description - managers and developers need to make security a priority and make it part of KPIs
- Get buy-in from non-technical staff

Talk to your hosting providers:

Talk to their security guys well in advance. Make sure your specific requirements are getting through to the technician who is doing the work (don't trust the salesperson).

Remember: It's your job to make sure it's working


Including KPIs is a good thing, but you need to give developers the time to learn.

posted on Thursday, July 15, 2010 4:24:29 PM (New Zealand Standard Time, UTC+12:00)

Thanks to everyone who came along to our talk at OWASP NZ Day 2010 today.

Also, a big thanks to the Wellington .NET user group crowd that came last night to listen to our practice run -- you'll be pleased to know that we dropped the discussion of hash extension attacks :)

Here are the slides for your downloading pleasure: tales-of-the-crypto.ppt (3.79 MB)

posted on Thursday, July 15, 2010 3:25:18 PM (New Zealand Standard Time, UTC+12:00)
Adam is one of the organisers of Kiwicon, and has presented on this topic in Singapore.

Using tools to capture / probe network traffic.

If you compare them to app/data recon tools like Maltego, network recon tools aren't as state of the art.

But... if you own the networks under this newfangled cloud stuff, then you own the whole environment.

It's hard to map out, search and investigate >= Class A

At the moment, only big countries can do that sort of investigation. Apparently countries are gearing up for 'Cyber Wars'.

But, individuals and corporates can get involved in the same activities of cyber-war or cyber-terrorism.

Scanning, pinging and trying exploits doesn't scale well - you have to do a lot of work and get lots of false hits.

You might get owned randomly - it's cheap to own more targets, and then figure out what to do with it later.


It's hard to target large numbers of IP addresses. The current tools can't scale to those kinds of numbers (and the pay services will get really expensive).

So he built a geo-targeted network recon data acquisition system with a web interface, and scanned all of NZ and Singapore for conferences.

An interface to search over data.

"This is a highly secure router, stay away" - the open telnet port tells us so.

Cool things it does:
  • Searches over certificates
  • Screen captures remote desktop screens
  • Good for targeting: finding particular applications / devices / protocols
  • Good at finding other assets owned by a company outside of their own netblock
  • Helps us understand how many vulnerable things are sitting out there

The internals of the tool:

Version 1 was just to see how plausible it was to scan large chunks of the internet. Used lots of glued together tools like nmap etc.

Version 2 is now a simple python script that has been optimised for acquiring the data by scanning a whole country block over certain ports.

A few billion rows of data - use MongoDB to store data. Erlang, RabbitMQ, Python, Celery MQ, Python / Django frontend, GridFS distributed filestore.

Target selection:

How do you define what a country is? Is it domain names ending in .nz? Netblocks announced at peering exchanges? Address registry allocations? GeoIP?

He chose GeoIP as it simplified things - but misses out on .nz stuff hosted overseas.

Acquiring data:

Custom-tuned protocols to limit rates, fire up application to capture details for different protocols.

About 1.4B rows per complete scan of NZ and Singapore.

Need to optimise for search / retrieval as that's the primary use once the data is acquired.

Data mining:

Look for old boxes, boxes with self-signed certs, certain switches, domains etc.

Singapore: 377k boxes that talk HTTP - more than the number of live systems. 14k cisco boxes. 12k open RDP (one with background of Commonwealth Bank of Australia :))

IDS Avoidance:

He's not actually carrying out any intrusions. Only collecting banners, and complying with what they say.

IDSs don't necessarily detect them - only 7 complaints to ISP in NZ, and one funny one in Singapore.

People are watching - DNS PTR backscatter gives an idea of who is watching and resolving domain names for IP addresses.

Portscans aren't very interesting these days. People notice, but don't do anything.

But not good for:

If you notice mis-configured systems, it's hard to do anything about it.

Giving the public (or bad guys) access to it would be difficult and cause problems.

What about Shodan?

Scan whole world for 4 ports (21, 22, 23, 80), but not as many hosts or depth of coverage in NZ.

Sells commercial access to exported data.

What does it mean?

A search engine over this data makes it very powerful.

It's not that hard to do this sort of thing. It's probably already being done by military or crime industries. Cheap compared to a drug submarine :)


What did the abuse mails say?

One from a Uni, two or three from an ISP that noticed scanning of its SIP voice customers. A few ZoneAlarm-type people noticing.

Scanning boxes: Where were they hosted? Bandwidth out?

Domestically peered, gigabit to APE. It's not really bandwidth constrained, it's constrained by politeness. Turned off state tracking for outbound connections. Could probably do the whole country in 2 hours if you cranked it up, but would cause problems for people.

posted on Thursday, July 15, 2010 1:48:11 PM (New Zealand Standard Time, UTC+12:00)

Paul Craig works as a forensic investigator.

Forensic investigation: Fact-based investigation - must be reproducible and not based on anything subjective.

If you're going to get hacked, it will start at your web app. Firewalls generally stop all other traffic.

Treat all results as possible legal evidence - could be used for murder etc cases. Evidence could be used to allow police to arrest a suspect.

Most computer crimes in NZ will be tried under property law with a judge and jury.

All evidence may need to be provided to defendant to cast doubt on the evidence. How was it collected or analysed?

Common things customers say:

- Assumptions
- They only compromised one server - assume it has happened more than once
- We already dealt with it - probably destroyed all forensic evidence (could come back to bite in the future)
- It's too hard / not my problem

What to do when there's an incident:

How you act makes all the difference. Smooth engagements and do things as fast as possible.

Need a single point of contact for all security incidents within an organisation.

Appoint an incident response team - including someone with internal clout, and legal support.

Find a forensics supplier in advance. Don't leave it till when there's an incident.

It's a specialised industry, and you shouldn't do it yourself.


Media love a hacking story. This makes things stressful.

You need a bottom-drawer letter pre-written that you can give to the media. Get it signed by the CEO now.

Technical incident response:

Treat with urgency, gather incident team together in a secure location.

Get incident responder into the system as soon as possible to get current connections, arp caches etc.

- Disable scheduled patches, updates, restarts
- Unplug from internet / firewall it
- Leave the server powered on
- Put a big sign "Do not touch"

Within a day or less if possible.

Police reports:

If you have evidence that a crime has been committed, or something could be committed (e.g. fraud), file an incident report with police. As much evidence as possible.

Will you catch them?

If NZ / AU - likely.

If UN / NATO: possible, but it involves the IPTF task force.

Other country: very slim chance of catching them.

When don't you have to file a report:

No loss of finances, no increase in fraud risk, no chance of repercussions / fines.

How to do forensics:

Paul then talked about how to do forensic testing. Take-away: it's hard, and in order to provide evidence in court you won't actually be able to do it yourself.


Paul gave examples of when they'd be engaged with customers. Problems encountered:

- They knew they had been hacked, but hadn't told each other
- Meeting in insecure places
- Taking too long to figure out what to do
- Companies that don't know how to respond
- Assuming evidence has been destroyed already

Without senior executive support, nothing will happen. Forensic and technical response isn't a technical problem: it is an entire business problem.


Sooner or later, you'll get hacked. When it happens, take it seriously.

Prepare for that incident straight away. Figure out what you'd do.

Stay cool when it happens, follow the game plan.

Never assume anything!


How do you deal with situations where the hacked website needs to be back up in 10 minutes? So you don't have time to do forensics?

- Bring up a DR server if you have a safe backup.
- If it's compromised, you have to take it off immediately if someone is on that server at that time

How do you deal with virtualisation? When you don't have physical access to a machine?

- Can get all active memory and disk onto a disk
- Can take the entire VM snapshot and rebuild into a real computer again

What about if it's a cloud provider?

- Probably have no access to get an image. Comes down to whether we can get that access.

Does a live image impact the integrity of the evidence?

- Hash the evidence as soon as it is taken, so we can prove the image is unaltered.

If hacker uses anonymity services like tor / proxies?

- Often there's one request where they connect back directly.
- Often there's still some fragments of evidence remaining.
- Might be able to find out what they did, but not necessarily who did it.
  - "Your credit cards have not been touched"

posted on Thursday, July 15, 2010 12:00:10 PM (New Zealand Standard Time, UTC+12:00)

Roberto's talk covered application-level vulnerabilities, and gave some ideas on how to plan for them, how to react when they happen, and how to recover from them.

Most denial of service attacks have traditionally covered the layer 3 or 4 (i.e. the transport or network stack), but Roberto has seen attacks against applications and web service layers.

Can lead to increased use of resources like CPU, network

Root causes:

- bug
- application logic open to abuse
- session level attacks


PHP: Can create an unbounded size object in code

Failure to release resource: DB exception doesn't close connection. Attacker can cause app to open up lots of DB connections and deny service.

Session related: storing lots of session objects that consume resources, so an attacker can target this to exhaust server resources.

User input as a loop counter: If the user can control how many times an expensive operation is performed, it can cause the app to do lots of demanding work.

=> Put in some limits; don't let the user set them.

Regular expressions: Certain input may cause lots of passes through a regular expression, causing lots of CPU to be used.

Other web problems can amplify DOS effects (XSS, XSRF, SQL injection, large file input)


- Input strict validation and filtering
- Handle exceptions and properly release resources
- Set limits for:
  - Session related objects
  - Token expiration
  - Object allocation
  - Loop counters
  - User registration - captcha
  - Concurrent session tokens per IP address

- Testing your web app
  - Test Regex, database queries
  - DoS and stress testing
  - Security testing
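A vulnerable request handler beside a hardened one, as an added example that is not from Roberto's talk: the vulnerable version lets the user pick the loop count, runs a regular expression over input of any length, and leaks a pooled connection whenever validation raises; the hardened version validates first, caps the counter and the input length, and releases the connection in a `finally`. The `ConnectionPool` is a constructed stand-in and the limits are assumed values.

```python
import hashlib
import re

MAX_REPEAT = 50         # cap on a user-supplied loop counter (assumed value)
MAX_TAG_LENGTH = 64     # cap on input that reaches the regular expression (assumed value)
TAG_RE = re.compile(r"[A-Za-z0-9_-]+")  # used with fullmatch, so it is anchored


class ConnectionPool:
    """Constructed stand-in for a DB connection pool with a fixed number of slots."""

    def __init__(self, size):
        self.free = size

    def acquire(self):
        if self.free == 0:
            raise RuntimeError("pool exhausted")  # every later request now fails
        self.free -= 1
        return object()  # stands in for a real connection

    def release(self, conn):
        self.free += 1


def render_rows(tag, repeat):
    """The 'expensive operation' from the talk; one hash per row is enough to show the shape."""
    return [hashlib.sha256(f"{tag}:{i}".encode()).hexdigest() for i in range(repeat)]


def report_vulnerable(pool, params):
    """Acquires first, validates later, and never releases on error."""
    conn = pool.acquire()
    repeat = int(params["repeat"])         # ValueError here leaks conn; huge values are accepted
    tag = params["tag"]
    if not TAG_RE.fullmatch(tag):          # regex runs over input of any length
        raise ValueError("bad tag")        # ...and this raise leaks conn too
    rows = render_rows(tag, repeat)
    pool.release(conn)
    return rows


def report_hardened(pool, params):
    """Validates strictly before touching shared resources, bounds the work, always releases."""
    try:
        repeat = int(params.get("repeat", ""))
    except ValueError:
        raise ValueError("repeat must be an integer") from None
    if not 0 <= repeat <= MAX_REPEAT:
        raise ValueError(f"repeat must be between 0 and {MAX_REPEAT}")
    tag = params.get("tag", "")
    # Check the length before the regular expression ever sees the input.
    if not 1 <= len(tag) <= MAX_TAG_LENGTH or not TAG_RE.fullmatch(tag):
        raise ValueError("tag must be 1-64 characters of [A-Za-z0-9_-]")
    conn = pool.acquire()
    try:
        return render_rows(tag, repeat)
    finally:
        pool.release(conn)                 # released on success and on any exception


def rejected(handler, pool, params):
    """True if the handler refuses the request as malformed (ValueError)."""
    try:
        handler(pool, params)
    except ValueError:
        return True
    return False


def hammer(handler, pool, params, attempts):
    """Send the same request `attempts` times. Returns (free slots left, pool exhausted?)."""
    exhausted = False
    for _ in range(attempts):
        try:
            handler(pool, params)
        except ValueError:
            pass                  # malformed input: expected, and should be cheap
        except RuntimeError:
            exhausted = True      # no connection left for anyone: denial of service
    return pool.free, exhausted


if __name__ == "__main__":
    bad = {"repeat": "not-a-number", "tag": "x"}
    print("vulnerable:", hammer(report_vulnerable, ConnectionPool(3), bad, 5))
    print("hardened:  ", hammer(report_hardened, ConnectionPool(3), bad, 5))
```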

XML attacks:

There are lots of attacks against XML or web services.

Recommendations: don't use customised XML parser, input validation, use an XML firewall, limit the sizes of input messages, disable external DTDs.

Webserver attacks:

Attacks to use up all the threads on a webserver, or slow down the processing so the server can't process other requests.

Recommendations: Apache and IIS have modules or configuration settings. Make sure you test the changes.

Database attacks:

Make the DB do more work than it should. E.g. cause a slow scan over a whole table, or avoid caching layers.

Recommendations: Input validation, captcha or user limits, only let authenticated users perform slow queries, use caching layers.

If you are under attack:

Be prepared, have a plan, simulate it often.

When under attack:

Is it real? What is the target? Is the target critical?


Several methods: slow down the attack, deflect it, drop connections, escalate to authorities or other nefarious ways to stop botnets.


Meet up to debrief as soon as possible afterwards. What lessons were learnt? Update incident plan.

What was the root cause? What if it happens again? Provide all data to law enforcement.


No generic solution to DOS.

If offered a DOS solution product, look carefully before committing.

Start networking with people that can help you.

posted on Thursday, July 15, 2010 11:37:58 AM (New Zealand Standard Time, UTC+12:00)

Brett presented a talk on some of the "Not so common code vulnerabilities".

The theme of his talk was that we shouldn't trust user input.

My notes:

A security vulnerability in an app - a weakness that allows a user to perform an action that was unintended.

AppTrends graph - input validation is the cause of everything (XSS, SQL injection, etc.)

Frameworks won't protect you (e.g. .NET, PHP, Java frameworks).

Frameworks can promote bad practices, or have bugs in them themselves.

- Spring Framework - override class loader
- Struts2 - execute arbitrary java code

Examples of problems:

Trusting filenames / urls from the user

Using 302 redirects as a security measure - returning secure content below the redirect by mistake

Captchas: Tell whether it's a human or computer. Bad implementations where people have rolled their own and make it easy for computer to answer

Online shopping: Response from DPS comes in a browser redirect, so you can intercept it, and add extra stuff to the shopping cart after paying, but before the website thinks the order is finished.

Flash: Parameters for a flash movie can be entered in the url as well. Movie hosted on our site can end up displaying images or other content from our attack website.

Forgotten password: Stored proc truncates email address to 100 characters when looking up the user, but application uses the whole string. This can lead to an attacker receiving the forgotten password email.

Java object serialisation: Object is serialised into a cookie using Base64 encoding. Oops: it contains something sensitive like a password.

PHP app in a security appliance used by a .mil: Shell out to a system command using a url parameter passed via an unauthenticated user.

Cookies: storing security data in a cookie - example of LoginAttempts - an attacker can modify the cookie to their heart's content.

Cookie: remember me functionality - store random token in the database and send it to the user as a cookie, so they can log in automatically. Vulnerability: flawed if null was stored in both the db and the cookie.


Never trust the users input

Input validation is the key.

You can use hidden form fields or cookies, as long as the backend input validation is secure. You can't trust that the frontend is doing things correctly.

Backend should:
- Validate the data
- Ensure the user is authorised to access the data

Data comes in many forms (upper / lower case, encoded etc)

- Decode the data, or reject it if a normal user wouldn't send it

Ensure data conforms to the correct format
- Check length, type, min / max values
- Alphanumeric / valid date only

Reject invalid data, rather than attempting to fix it up.
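The forgotten-password truncation bug from the examples above, beside a version that follows the validation rules just listed (check length and format, reject rather than fix up, and act only on what the backend actually found). This is an added example, not Brett's code: the 100-character limit comes from the notes, while the `users` table, the constructed 100-character address and the helper names are my assumptions.

```python
import re
import sqlite3

MAX_EMAIL_LENGTH = 100   # the limit the stored procedure in the talk silently applied
# Simple shape check; intentionally strict rather than permissive.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Constructed test data: a 100-character address, so that a longer string
# starting with it is truncated back to exactly it by the lookup.
STORED_EMAIL = "a" * 88 + "@example.com"
OVERLONG_EMAIL = STORED_EMAIL + ".example.net"


def make_db():
    """Constructed users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)")
    conn.execute("INSERT INTO users (email) VALUES (?)", (STORED_EMAIL,))
    conn.commit()
    return conn


def lookup_user_truncating(conn, email):
    """Simulates the stored procedure from the talk: it only ever sees the first
    100 characters of the parameter, so a longer input can match a stored value."""
    truncated = email[:MAX_EMAIL_LENGTH]
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (truncated,)).fetchone()


def send_reset_mail(recipient):
    """Stand-in for the mailer: returns the address the reset link would go to."""
    return recipient


def forgot_password_vulnerable(conn, submitted_email):
    """Finds the user via the truncating lookup, then mails the *submitted* string.
    When the two differ, the reset link goes somewhere other than the stored address."""
    row = lookup_user_truncating(conn, submitted_email)
    if row is None:
        return None
    return send_reset_mail(submitted_email)


def forgot_password_hardened(conn, submitted_email):
    """Check length and format up front, reject instead of fixing up, and only
    ever mail the address stored on the record that was found."""
    if len(submitted_email) > MAX_EMAIL_LENGTH:
        raise ValueError("email address too long")
    if not EMAIL_RE.fullmatch(submitted_email):
        raise ValueError("email address has an unexpected format")
    row = conn.execute("SELECT id, email FROM users WHERE email = ?", (submitted_email,)).fetchone()
    if row is None:
        return None
    return send_reset_mail(row[1])   # the stored value, never the user's string


def rejected(handler, conn, email):
    """True if the handler refuses the input with ValueError."""
    try:
        handler(conn, email)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable mails to:", forgot_password_vulnerable(db, OVERLONG_EMAIL))
    print("hardened rejects it:", rejected(forgot_password_hardened, db, OVERLONG_EMAIL))
```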

Beware writing your own data sanitisation functions - they need to be well tested and documented. Use OWASP or language features if possible.

- Easy to write bad sanitisation. Examples of bad URL testing.

XSS works without script


- Review your code. Have "Code Review Parties"
- Have peer reviews
- Have standards, and stick to them

Questions to Brett:

Should we still trust CAPTCHA?

Still effective at the moment, but can be broken.

posted on Thursday, July 15, 2010 9:59:45 AM (New Zealand Standard Time, UTC+12:00)
I had fun attending OWASP NZ Day 2010.

There were 6 great sessions - plus Graeme and I presented a talk on encryption, and how to develop applications using encryption:

Brett Moore: Don't try this at home
Roberto Suggi Liverani - Defending Against Application Level DoS Attacks
Paul Craig: What to do when you get pwned?
Metlstorm: Low Scuttling Chillicrab
Graeme Neilson / Kirk Jackson: Tales from the Crypt0
Quintin Russ / Mike Jager - Hosting and Security
Dean Carter: Ramblings of an ex-QSA

I came away with that feeling of satisfaction where you know you've learnt lots, but haven't had time to digest and process it all yet. Some of my immediate takeaways are:

  • Input validation is still a big area of problems in most apps
  • Application bugs and inefficiencies can be vectors for denial of service attacks
  • If you get pwned, hacked or DOS'd, you need to have a plan of what you're going to do to recover, and if there's a chance that you need law enforcement involved, you need to get a forensic analyst involved very early on (preferably in advance)
  • There are lots of computers on the internet in NZ, and lots of them have obvious vulnerabilities. No-one is doing anything about this (at least, no-one good is doing anything about this!)
  • Bad development practices lead to problems in the hosting environment. App and deployment security problems live on
  • Credit cards are the devil, and should be treated as such :)

Thanks Roberto and Lech for organising, I'm looking forward to next year!


posted on Thursday, July 15, 2010 9:54:01 AM (New Zealand Standard Time, UTC+12:00)

Thursday, February 04, 2010

I'm helping organise the first Ignite Wellington on Tuesday 2 March.

We've got a bunch of great speakers lined up, and space for some more. Sign up now!

posted on Thursday, February 04, 2010 9:48:19 PM (New Zealand Standard Time, UTC+12:00)

Wednesday, January 20, 2010

Edit: Sorry, this event has been cancelled due to personal reasons. Sorry for getting your hopes up!

Michael Howard, author of Writing Secure Code is in Wellington to present a free workshop on Wednesday 27 January:

"Everything Developers Need to Know About Security... and more!"

Over the last few years, Michael has heard every plausible and implausible excuse for not paying attention to security. Come to this lighthearted, but deadly serious talk and learn some of the tricks of the trade to help you learn more about security, some of the critical skills you should know, and how to get others to pay attention to security too.

Following pizza, in the second part of this presentation Michael will cover some of the tools and processes that you can use to help make developing .NET or ASP.NET applications more secure, such as FxCop, Threat Modelling, the Web protection library and the VSTS SDL template.

Michael has been a big part of the Security Development Lifecycle at Microsoft, and the lifecycle and principles are used by many companies around the world - not just those in the Microsoft development space.

The workshop should be fun - Michael presented a similar talk at TechEd 2009, which was very well received.

What: Everything Developers Need to Know About Security. and more!
Who: Michael Howard, Microsoft
When: Wed 27 Jan, 5-8pm
Where: TBA (Wellington CBD)
How: RSVP to ASAP - places are limited!
Cost: Free! Pizza and drinks will be provided mid-way through

More information about Michael:

Michael Howard, Principal Security Program Manager, Microsoft's Security Engineering Team, Microsoft

Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group's Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company.

Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft's software.

Howard began his career with Microsoft in 1992 at the company's New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software.

In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft's next-generation web server, before moving to his current role in 2000.

Howard is an editor of IEEE Security & Privacy, a frequent speaker at security-related conferences and he regularly publishes articles on secure coding and design. Howard is the co-author of seven security books, including the award-winning Writing Secure Code, The Security Development Lifecycle, Writing Secure Code for Windows Vista and his most recent release, 24 Deadly Sins of Software Security.

Edit: Sorry, this event has been cancelled due to personal reasons. Sorry for getting your hopes up!

posted on Wednesday, January 20, 2010 10:10:07 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Wednesday, December 23, 2009

[I just sent this email out to all user group attendees]


Merry Christmas!


Because the year is winding up, I wanted to send you an email to thank you for being part of our great .NET user group community in Wellington this year.


The highlight this year has been the branching out of the .NET User Group: Sky Sigal has started the Silverlight user group and Mark Carroll the VSTS user group.


Another great thing we've done this year is increase the number of meetings. It has been 7 years since the first meeting in Nov 2002. In 2003 we met every two months, in 2004 we switched to monthly and this year we've switched to fortnightly (weekly, if you attend Silverlight meetings as well!)



Across the three user groups we had 31 meetings, which is pretty amazing for a 52 week year.


Looking at the stats for the Wellington .NET User Group on its own: we had 21 meetings with 650 attendees. I went through the list and there were over 250 different people!


It has been so great to welcome new faces to our community, and to see familiar faces offer to present some of their ideas and wisdom for the benefit of others.


We ran a Code Camp again this year at Whitireia in Porirua, which went really well. I was also involved in our biggest Code Camp yet which was in Auckland before TechEd and had over 300 people attend.



I'd like to give an extra big "THANKS" to the speakers who worked so hard to put together sessions this year:

Alex Dean, Amir Shevat, Andrew Tokeley, Andy Prow, Bevan Arps, Bohdan Szymanik, Chakkaradeep Chandran, Chris Klug, Daniel McGaughran, Ivan Towlson, James Hippolite, Kevin Daly, Mike Zeff, Owen Evans, Richard Dingwall, Scott McKenzie, Sky Sigal and Tim Heuer.


Their willingness to share their experiences, put together talks and field the difficult questions really helped us all in our quest for knowledge. Also, thanks to them, I only needed to inflict myself on you as a speaker four times this year :)


I'd like to thank my employer Xero for hosting so many meetings, as well as Intergen and Provoke for hosting us in our times of need. I'd also like to thank Vicky for organising our drinks --- we appreciate it!


The prizes:

I bet you weren't expecting prizes. Aren't you glad you read this far down the email?

The inaugural "Geek of the year" award goes to Bevan Arps. He was the person who attended the most user group meetings, and he presented the most sessions too. Bevan wins a Microsoft LifeCam VX-5000 valued at $100.


Please remember Bevan: when your computer is watching you, the whole world can see what you're wearing :)


To draw the winner of the "Lucky Geek" prize, I gave one entry for each meeting you attended, and used Simon Green's famous RandomDraw program to pick a winner.


The winner of the "Lucky Geek" award is Ram Petikam. Ram wins a copy of Rise of Nations / Rise of Legends, which I'm sure his teenage son will enjoy.


Your Challenge:

A lot of geeky stuff is going on in the Microsoft world. Spend a few hours this holiday season trying out something new (maybe even win an MSDN subscription ). Tell us what you did in our first meeting of the year, and you may win a prize!


Final thanks:

And the final, biggest THANKS to Microsoft! We appreciated every slice of the almost 400 pizzas we ate this year!


Have a great holiday season, a Merry Christmas and a happy new year. I look forward to seeing you at meetings in the new year.





For your edification, here are the 31 meetings we had this year. How many did you come along to?


VSTS - 2 meetings:


02/99/2009    Introduction to Visual Studio Team System 2010
18/11/2009    Team System, two years down the track

Silverlight - 8 meetings:

01/07/2009    Building Accessible Silverlight Applications
29/07/2009    The Gestalt Project
09/09/2009    All about using Unity CAL, and Prism in Silverlight
30/09/2009    Creating stuff in WPF and Silverlight 3
14/10/2009    Bindings
28/10/2009    RIA Services
11/11/2009    Silverlight Animation
09/12/2009    Styling a WPF/Silverlight application

DNUG - 21 meetings:

21/01/2009    C# 4 and .NET Framework 4.0
04/02/2009    Windows Azure
18/02/2009    LINQ Refresher, Anti-XSS and SDE Libraries
04/03/2009    Recipes for Scalability
18/03/2009    Silverlight 2
15/04/2009    SQL Data Services
22/04/2009    Silverlight 3 and .NET RIA Services
29/04/2009    Teaching the good-guys bad-tricks
06/05/2009    Best practice - Caching
20/05/2009    Best practice - Towards Maintainability
27/05/2009    Using the AJAX Controls Toolbox in SharePoint
03/06/2009    Dependency injection using Ninject
17/06/2009    ASP.NET MVC - a deeper dive
15/07/2009    How To: Design and Develop an Application to Ensure Its Quality
05/08/2009    Towards Supportability
19/08/2009    Windows Mobile 6.5 Widgets
23/09/2009    Domain Driven Design 101
07/10/2009    .NET on the iPhone using MonoTouch
21/10/2009    Behaviour Driven Development
04/11/2009    Unit Testing 101
04/12/2009    PDC Announcements, Azure, Silverlight 4, Sharepoint 2010

posted on Wednesday, December 23, 2009 10:20:43 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, October 09, 2009

To prevent cross-site scripting, it's important to encode data before outputting it.

Up until now, it has been quite hard to ensure you're encoding everywhere throughout your app.

It's great to see the new syntax in ASP.NET 4 to automatically encode:

First Name: <%: Model.FirstName %>
Last Name: <%: Model.LastName %>

<form method="post">
  <%: Html.TextBox("FirstName") %>
  <%: Html.TextBox("LastName") %>
</form>

(From Phil Haack's blog)

This means that for all new web applications, you can build using <%: %> instead of <%= %>, which is great for ASP.NET MVC applications where that syntax is common.

For older applications you will be able to opt in to the new encoding syntax, but your old code will keep working exactly as it already does (perhaps insecurely, if you're not encoding!)

Here's hoping that we'll be able to replace the standard HtmlEncode with the AntiXSS goodness I described here:


posted on Friday, October 09, 2009 9:00:18 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Friday, October 02, 2009

Daniel presented this talk at the Wellington Silverlight user group last Wednesday.

I enjoyed this talk. Daniel went back to basics and showed how to get up and running with Silverlight and WPF development, covered the various layouts you can use in XAML, and went through some of the fundamentals of how XAML and code interact.

I think the part I most appreciated was the content that Daniel left out of his talk. He was very well prepared, and had intentionally kept things simple, which is hard to do when you have deep technical knowledge and enjoy sharing it - I struggle with keeping my talks focussed without diverting on a tangent.

Well done Daniel, I'm looking forward to your next talk!


posted on Friday, October 02, 2009 7:56:23 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]

I attended Richard's Domain Driven Design introduction at the Wellington .NET user group back on the September 23.

Richard introduced Domain Driven Design and the motivations behind using it, covered the 'building blocks' and then gave some examples of how to put it in practice.

Richard has blogged the details of his talk here: Slides from my Domain Driven Design 101 Talk

I enjoyed Richard's slide deck, and his presentation style - simple slides so that my focus was on what he was saying. The parts of his talk that I took the most out of were the encapsulation of business logic into Specifications (different from the testing concept), and the explicit anti-corruption layer when interfacing with any external system.

Thanks Richard!


posted on Friday, October 02, 2009 7:51:47 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]
 Saturday, September 26, 2009

We got some great feedback from attendees at this year's Code Camp in Auckland. I thought I'd share some stats from the survey sent to attendees.

We counted 300 people there at one time, so we estimate somewhere between 300 and 350 people came along for sessions during the day. Note that approximately half of the attendees responded to the survey that these figures were drawn from.

We had three streams: Development, SQL and Security.

Attendance was roughly:

  • Development: 68%
  • SQL: 19%
  • Security 13%

Although, people could switch between streams as they wished.

Did you also go to TechEd?

  • Yes: 30%
  • No: 70%

How did you find out about Code Camp?

Session feedback:

  • 94% of session feedback was in the range 'satisfied' to 'very satisfied'
  • 40% of feedback was 'very satisfied'


  • 85% from Auckland
  • 4% each from Wellington and Bay of Plenty
  • 3% each from Waikato and Canterbury

User groups:

The presenter with the most feedback on his sessions was the AWESOME Ivan Towlson.

We got lots of great general comments, here are a few:

Great work guys! Thoroughly enjoyed.

Really enjoyed the day - thanks guys!

Thanks for the opportunity for those of us who could not attend TechEd

I am a sole operator / consultant with very limited budget, so "free" events are really appreciated.  I am very happy to dedicate my time to attendance at events that are run as well as this was.  Thanks again.

We appreciate international visitors giving up their mornings to our benefit

I really enjoyed every session and thought that each one had a valuable piece of information to take away - well done!

Thanks everyone for your feedback (good and bad constructive), we'll use it all to help make the next community Code Camp even better!


To find out about future Code Camps, and user group events in your area, please visit the website and sign up to a mailing list.



posted on Saturday, September 26, 2009 1:26:03 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Thursday, September 03, 2009


I'm happy to be presenting two sessions at TechEd this year. It would be great to see you there!

DEV304 Visual Studio Team System 2010: Odyssey Two

Presenter: Kirk Jackson

Tue 9/15 | 17:10-18:25 | Ballroom 1


Visual Studio 2008 is the best and most productive development environment ever! Microsoft have been busy the past couple of years putting even more great features into your favourite tool, and in Visual Studio 2010 we'll be seeing: new programming languages; diagramming tools and visualisers; new project types; and enhancements to the IDE. Come along and hear about these great features, and learn some new tips to help you make the most of Visual Studio 2010!

SEC313 Hack-Ed: Teaching the Good Guys Bad Tricks

Presenters: Kirk Jackson, Andy Prow

Wed 9/16 | 12:10-13:25 | New Zealand Room 2


You can't fight a war that you don't know you're waging. You can't defend your website against attack unless you know the tricks that the bad guys will use.


Join the "Flight of the Pwnchords*" and learn the tricks that Andy "the hacker" will use and watch as Kirk "the developer" tries to defend his ASP.NET website against them. By the end of this session you will have an understanding of some of the common attacks, such as Cross-Site Scripting (XSS), Cross-Domain Request Forgery (CDRF), and will have an appreciation of how layering your defenses (defense-in-depth) can help protect you from exploit chaining.


The session will also give you some practical tips that you can apply straight away in Visual Studio 2008 to help you build secure websites.


(* AKA "New Zealand's fourth most popular comedy hacking duo")





posted on Thursday, September 03, 2009 9:26:09 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [2]
 Tuesday, September 01, 2009

Visual Studio 2010 will have better support for a multi-monitor setup, but it's possible to get part of the way in 2008 already.

Toolbars and property windows (e.g. Solution Explorer, Class View) can be dragged into separate windows (2010 will add the ability to drag documents into separate windows too):

Floating windows

Window positioning gets a bit weird when you switch from one monitor to another, or change resolutions - a common occurrence when you're a laptop user docking and un-docking.

You can create two settings files, one for your single monitor layout, and one for your multi-monitor layout, and use them when starting Visual Studio 2008:

  1. Arrange your windows the way you like them
  2. Go to Tools > Import and Export Settings > Export selected environment settings
  3. You get a great tree-view of every possible setting category in Visual Studio. Click the top node to deselect everything, and scroll down and select only General Settings > Window Layouts:
  4. Save your settings file somewhere handy (e.g. d:\multimon.vssettings)
  5. Repeat for each layout you like

Now you have two or more settings files, you just need to create a shortcut icon for each one somewhere in your start menu.

Edit the target, and add the parameter /resetsettings D:\multimon.vssettings to the end (replace the path with each settings file path).


Now when you launch your new shortcut, it will start Visual Studio 2008 with the correct window layout. Because you only exported and imported the Window Layouts, all the other settings stay the same.

You may also want to make these changes to your shortcut:

  • Add the /nosplash parameter to your Target, to avoid the "Visual Studio" splash screen and make it slightly faster to start (perception is everything!)
  • Check the Run as administrator option, which is useful if you often need to restart Visual Studio to connect to the ASP.NET worker process when developing under IIS.




Previous VS2008 Tips:

posted on Tuesday, September 01, 2009 9:55:57 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Sunday, August 30, 2009

Code Camp is less than two weeks away!

If you want to catch some free sessions on the state-of-the-art in .NET development, SQL Server and developer security then sign up for Code Camp Auckland 2009 now.

Code Camps are non-profit, and organised by members of the local developer community. This year the Auckland Code Camp is the day before TechEd (Sunday 13 September), so we've managed to nab a few great speakers on their day off to present to us.

It's the biggest Code Camp ever - over 14 hours of sessions across 3 streams from 10am till 5pm:


  • What's Happening in .NET Languages and Why Should You Care?
  • .NET on the iPhone and Beyond
  • Behaviour Driven Development
  • Domain Specific Languages
  • C# 4.0 new features
  • Silverlight with Prism
  • Becoming Certified
  • Lightning Talks
  • and more!

The latest and greatest in development topics, by the people that know!

SQL Server?

  • SQL Server Virtualisation Best Practices and Recommendations
  • SQL Server Analysis Services and Gemini
  • Query Optimization and Query Tuning
  • Understanding SQL Server Indexing
  • SQL Server Maintenance

Training and guidance from the best SQL trainers in the industry!


  • Secure Development Lifecycle and Threat Modelling workshop
  • Secure Coding Practices

We are lucky to have Michael Howard, author of Writing Secure Code and 24 Deadly Sins of Software Security giving a free workshop for developers, architects and team leads on Threat Modelling and the Secure Development Lifecycle. This will be followed by a session on how to write secure .NET code.

Auckland has never seen such an awesome free event!

Presenters that are offering their time include Greg Low, Nicholas Dritsas and Auckland's Alex Henderson of Architecture Chat fame.

To cover the costs of the event, we have the help of our generous sponsors: Microsoft, Datacom, Intergen, INETA and Xero.

All that's left for you to do is to visit the website for more details, and sign up now!

See you there on Sunday 13 September,


posted on Sunday, August 30, 2009 11:17:02 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Wednesday, August 19, 2009

Today at the Wellington .NET User Group, Kevin presented a talk on "Windows Mobile 6.5 Widgets".

Kevin has kindly provided his slides and samples for download:

I found this interesting. I haven't developed any applications for Windows Mobile, though I have played around a bit with the emulator and deploying code from within Visual Studio.

Widgets seem like a much simpler application development model than native or Compact Framework applications. The model is similar to Vista sidebar gadgets: there is a packaged zip file containing the application, and the application is 'simply' JavaScript and HTML. Widgets can use XHR or DOM manipulation, and have access to a small amount of local storage for preference information.

Windows Mobile 6.5 treats widgets as first-class application citizens within the OS - they have icons on the revamped start screen, and appear in the uninstall screen. As far as the user knows, they are the same as a native application.

Where the process is currently let down is in deployment and debugging. Currently a widget can only be deployed through the Windows Mobile marketplace, after the developer has signed up and the application has been reviewed (I think!). Debugging from Visual Studio seems non-existent, meaning that development is through trial and error.

I could see an enterprising person (like Kevin) building a Javascript library that simulated the API provided by the widget infrastructure, so that widgets could be developed and tested on a desktop before being deployed on a device. Kevin, am I right that all that is needed is the Widget object and some fake ActiveX controls?

All up, an interesting session.



posted on Wednesday, August 19, 2009 10:51:20 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [3]

Today I went to Nelson for lunch, and presented on Caching to the Nelson .NET User Group.

The talk was a repeat of my Wellington and Auckland talk from a few months ago, and covered various places you typically cache data in a .NET app, motivating the discussion of memcached and Velocity.

It was nice to get down to Nelson to briefly soak up the sun and meet a few new people.

View my previous post on Caching for further info.

Thanks for having me Daniel!


posted on Wednesday, August 19, 2009 10:32:39 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [1]

So this was a few weeks ago, but I thought I would post some notes here anyway.

Bevan gave a talk at the Wellington .NET User Group titled "Towards Supportability" (view his slides and notes).

Apart from marvelling at his good looking slides, the main thing I took away from his talk was the points he made on documentation. Bevan gave an approach for document systems for the person fighting the fire when all hell breaks loose. When a system is broken, and people are all over the poor systems administrator to fix it, they don't need thick architecture documents, they need something quick and actionable.

The 'Supportability' document structure:

  • Architecture - a summary of physical deployment
  • Symptoms - a list of failure modes that users might encounter
  • Actions - possible remedies
  • Procedures - step by step instructions for common procedures
  • Reference - additional reference material

The most important parts are the symptoms and actions - how to diagnose what's wrong and how to recover from it.

Cheers Bevan!


posted on Wednesday, August 19, 2009 10:24:05 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
 Tuesday, August 18, 2009

There are a lot of technology groups in Wellington. I decided to put together a list of all of them so that we could see if we clash on our regular meeting days. Please let me know if your group is missing, or the details need updating.

Most of these groups run free events with the support of their sponsors!

For more info about geek events in Wellington, head over to or

Microsoft technology focussed:

Other technologies:

Technology 'agnostic':

Happy Geeking!


posted on Tuesday, August 18, 2009 2:26:03 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [2]
 Friday, August 14, 2009

Craig, Owen and I (all from Xero) went along to the Wellington Summer of Code session last night to demo Visual Studio, the .NET runtime and ASP.NET MVC to 30-ish eager and willing University Students.

It was an interesting time. Allfields hosted us in a couple of their training rooms, which was pretty cool as the students got to follow along using their own copies of Visual Web Developer. The Allfields facility is pretty good - each room had about 20 PCs for students to use, and the guys there set up a video link between the two rooms.

Students: If you've got .NET questions, be sure to sign up to the mailing lists.

I'm looking forward to meeting with the students again as the programme continues, and hopefully work with one of them at Xero!


posted on Friday, August 14, 2009 10:02:20 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]