Security – locked down with concrete – or paper ??

Last night, I attended the Microsoft Security Summit – with a few other SDM’ers. This turned out to be more like a BIG “user group” session – lots of prezzo’s – a few that felt fairly rushed – and good opportunity to ask questions.

As the name suggests, it was mainly about “Security” – both the need for network security – as well as within applications (ie. for dev’s – that includes me !)

While not a major code-session – or horizon/hype (didn’t even see VS.NET or anything Vista oriented) – I took away more than I’d first anticipated – and a few horror stories to highlight vulnerabilities.

Lots for IT Pro’s to devour – including “M.O.M.” – Microsoft Operations Manager – for secure Active Directory, and management of servers.

Biggest “highlight” was a coverage of application vulnerabilities – SQL Injection attacks – truly terrifying ! One of the prezzo’s was to show how a web-site could be compromised – using SQL statements within a “search” field – to retrieve users, products, and so on. Truly terrifying.
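To make the search-field demo concrete, here is an added example (my own, not code shown at the summit or part of the original post) using Python's sqlite3 module with a constructed in-memory product and user table. It puts the string-concatenated query that makes the attack possible beside the parameterised version that closes it: a search term built to alter the SQL returns the whole catalogue from the first, and nothing from the second, because a bound parameter is only ever data.

```python
import sqlite3

# Constructed sample data standing in for the demo site's catalogue and users;
# none of this comes from a real system.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99), (3, 'Gizmo', 4.50);
INSERT INTO users VALUES (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test');
"""


def connect():
    """Open a fresh in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """The anti-pattern: the search box text is pasted into the SQL string,
    so a quote in the input changes the shape of the statement itself."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: the SQL text is fixed, and the term is bound as a parameter.
    Whatever the user types is compared as a value, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run the same search term through both versions and return the results."""
    conn = connect()
    try:
        return {
            "vulnerable": search_vulnerable(conn, term),
            "safe": search_safe(conn, term),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal search behaves the same either way.
    print(compare("Widget"))
    # A term written to escape the quote and add an always-true condition:
    # the concatenated query returns every product, the parameterised one none.
    print(compare("' OR '1'='1"))
```

The remaining difference between the two functions is a LIKE wildcard one, not an injection one: a bare `%` typed into the safe version still matches everything, so a real search box should also escape `%` and `_` or cap the result set. That is an input-handling choice; parameterisation is what keeps the query's structure out of the user's hands.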

And another URL hijack was shown – to display the web.config file. A few “gasps” within the audience – probably from having the DB Connect String in the config file – assuming it was safe !!

One of the highlights was Steve Riley – a self-proclaimed loud yank – with some not-so-silly ideals about security. Including locking down the “device” rather than the servers, firewalls, etc.

Will have to read this article he’s done too – about the differences between “identity” and “authentication” :

  • It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct

Other lessons for me (as a developer):

  • New Threat Modelling Tool just been released in BETA – should be done as part of the analysis & design phase – very hard to “retro-fit”.
  • Don’t run dev machine as ADMIN – it’s a big vulnerability, running code with bugs during dev
  • Be aware of security hacks/issues – it’s a developer’s problem (ie. app-level) – not an infrastructure & networking problem.
  • Protect the device that actually needs to be protected – don’t rely on server-side firewalls, etc
  • A good “wake-up call” kinda session – with lotsa yummo pizza…!!

Update: Forgot to mention about a book that was recommended, about “social engineering” – ie. not on computers – but people-driven. The Art of Deception: Controlling the Human Element of Security.
