Last night, I attended the Microsoft Security Summit – with a few other SDM’ers. This turned out to be more like a BIG “user group” session – lots of prezzo’s – a few that felt fairly rushed – and good opportunity to ask questions.
As the name suggests, it was mainly about “Security” – both the need for network security – as well as within applications (i.e. for devs – that includes me!)
While not a major code-session – or horizon/hype (didn’t even see VS.NET or anything Vista oriented) – I took away more than I’d first anticipated – and a few horror stories to highlight vulnerabilities.
Lots for IT Pros to devour – including “M.O.M.” – Microsoft Operations Manager – for secure Active Directory, and management of servers.
Biggest “highlight” was a coverage of application vulnerabilities – SQL Injection attacks – truly terrifying! One of the prezzo’s was to show how a website could be compromised – using SQL statements within a “search” field – to retrieve users, products, and so on. Truly terrifying.
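To make the search-field demo concrete, here is an added example (my own illustration, not code from the summit or the post): a product search written with string concatenation beside the same search using a bound parameter. It assumes a hypothetical `products` table and uses Python with SQLite in place of the ASP.NET stack the presenters used.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the demo site's catalogue.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO products (name) VALUES ('widget'), ('gadget'), ('gizmo');
    """)
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so quotes and
    # comment markers typed into the field change the query itself.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    # The term is passed as a bound parameter: it is treated purely as
    # data by the database and can never alter the statement's structure.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    # Run both variants on the same input so the difference is visible.
    conn = build_db()
    return {
        "vulnerable": search_vulnerable(conn, term),
        "parameterised": search_parameterised(conn, term),
    }


if __name__ == "__main__":
    print(compare("gad"))             # both return ['gadget']
    print(compare("x' OR 1=1 --"))    # vulnerable: all rows; parameterised: []
```

A normal term behaves identically in both; an input that closes the quote and comments out the rest of the statement makes the concatenated version return the whole table, while the parameterised version simply finds no product with that literal name.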
And another URL hijack was shown – to display the web.config file. A few “gasps” within the audience – probably from having the DB Connect String in the config file – assuming it was safe !!
One of the highlights was Steve Riley – a self-proclaimed loud yank – with some not-so-silly ideals about security. Including locking down the “device” rather than the servers, firewalls, etc.
Will have to read this article he’s done too – about the differences between “identity” and “authentication” :
Other lessons for me (as a developer)
A good “wake-up call” kinda session – with lotsa yummo pizza…!!
Update: Forgot to mention about a book that was recommended, about “social engineering” – i.e. not on computers – but people-driven. The Art of Deception: Controlling the Human Element of Security.