WinDev@bu.edu

1-800-BU-TRAIN x255
1-978-649-9731 x255
Fax: 978-649-2162
Copyright © 2004
Boston University
Corporate Education Center

Security for Developers

Keith Brown

More and more companies are beginning to realize that security is not a product they can buy, but rather a process that everyone needs to buy into. Security can't be bolted onto a software product just before it ships, and it can't be ensured through testing alone. Security needs to be a part of the entire product lifecycle -- from design through implementation, testing, and deployment. This means that software developers, architects, and testers need to be well-versed in building secure software from the ground up. This year's security track is designed to jump start developers, architects, and testers with practical advice, solutions, and tools for writing secure code.

Track Highlights:

  • Threat Modeling
  • Writing least privilege apps
  • Security in Longhorn
  • Security changes to anticipate in Windows XP SP2
  • Introduction to Code Access Security
  • Writing secure code
  • Attack! Penetration testing of ASP.NET web applications
  • Security Context in Multithreaded Applications

SESSIONS FOR THE TRACK:

Monday, Oct 25

9:00am – 5:00pm
S1 - A Day of .NET Security
Keith Brown

Building secure applications involves much more than calling security APIs. It takes careful design that considers threats and applies countermeasures that solve real problems, instead of just making the application harder to use. It takes a development team that knows how to write code free from security flaws, with the foresight and funding to review that code to eradicate flaws before they can be exploited. Ultimately, it takes education.

This all-day security tutorial will open your mind to threats that your application will face, along with remedies and mitigations against those threats. You'll see real attacks in action, so be prepared for a shock. This symposium covers exploits ranging from buffer overruns in C++ to cross site scripting in ASP.NET. See exploits against managed code that you may not have thought were possible. Learn why we say, "Assume all input is evil until proven otherwise!"

Some of the countermeasures we cover include the use of the Data Protection API (DPAPI), parameterized SQL queries, integer overflow checking, partially trusted ASP.NET applications, along with discussions of authorization schemes such as delegation versus trusted subsystems. We also discuss threat modeling as a great way to build in security from day one on your project.

Tuesday, Oct 26

9:00am – 10:30am
Keynote

10:45am – 12:15pm
S2 - Writing Secure Code
Keith Brown

An application can use the very best encryption algorithms, authentication mechanisms, and other security technologies, but if the developers writing the code don't take some basic precautions, the resulting application will be riddled with security vulnerabilities. Buffer overruns, format string vulnerabilities, and integer overflows are common bugs that can allow an attacker to completely take over a program written in a language like C++. But even in managed code, SQL injection vulnerabilities, cross site scripting, and other phenomena such as the Turkish 'I' syndrome are still rampant, and can lead to serious security breaches. Attend this session and learn how to protect yourself against these attacks by tracking and validating untrusted input and keeping the attacker out of the control channel.

1:45pm – 3:15pm
S3 - Threat Modeling
Frank Swiderski

Threat modeling has become one of the top security analysis methodologies that Microsoft's developers use to identify risks and make better design, coding, and testing decisions. The threat modeling process is a structured approach you can use to assess the security vulnerabilities for any application, regardless of platform. Software designers and developers will discover how to use threat modeling during the specification phase of a new project or a major revision -- from verifying application architecture to identifying and evaluating threats and designing countermeasures. Test engineers can use threat-modeling principles when creating test plans to verify results. It is an essential process for software professionals responsible for designing, refining, and maximizing the security features in their application architecture.

3:30pm – 5:00pm
S4 - Introduction to Code Access Security
Keith Brown

In traditional Win32 applications, the operating system authorized access to resources based purely on who was running the program. This is user-based security, and it works well, but in today’s world of increasingly mobile code, it's important to also be able to authorize based on evidence from the code itself. This is evidence- or code-based security, and places additional restrictions on managed code. Now a process doesn't run with just one privilege level: each individual assembly might run with a different level of privilege, depending on where it came from, who signed the assembly, and the degree of trust the enterprise places in the code.

This introductory session will cover evidence, policy, permissions, and runtime enforcement (stack walking, etc.). If you plan on deploying code via ClickOnce (or even to Longhorn in the future), you really need to familiarize yourself with code access security!

Wednesday, Oct 27

9:00am – 10:30am
S5 - Cryptography Myths and Mistakes
Steve Johnson

In today's hostile, interconnected computing world, it's more important than ever that software systems protect stored and transmitted data. To fulfill this requirement, we often wave the magic wand of cryptography at our applications and feel that we are secure. Unfortunately, many myths cloud our understanding of cryptography and many common mistakes render good cryptographic technology useless. In this session, Steve will uncover some of the most common of these myths and mistakes and point you to the correct way to utilize cryptography in your applications.

10:45am – 12:15pm
S6 - Passwords: the good, the bad, and the evil
Keith Brown

Passwords are a necessary evil in our increasingly internetworked society. It seems like every website you visit these days requires a password. This session will look at passwords from two perspectives: that of the computer user, who is required to juggle so many of them, and that of the server, who is required to maintain a database of passwords that is secure from compromise. We will talk about what makes up a good password, look at some free tools that manage passwords, and discuss how to build a robust password database by salting and stretching user passwords on the server. You'll see some really neat techniques and tools in this session. Don't miss it!

1:45pm – 3:15pm
S7 - Writing least privilege apps
Robert Hurlbut

Most users work on computers where they don't have administrator privileges. Some applications require administrator privileges, hence forcing users to either run with higher privileges, or not use the products at all. Running with higher privileges can lead to serious security problems. The solution is for developers to learn to write least-privileged applications. Writing least-privileged applications is not easy--it is something that needs to be learned, along with a new lifestyle. In this session, I will introduce practical ways to develop least-privileged applications in .NET. Also, the developer will learn the lifestyle changes recommended for writing effective least-privileged applications.

3:30pm – 5:00pm
S8 - Hosting applications in secure AppDomains
Robert Hurlbut

The .NET Framework gives developers the ability to write trusted applications that can load and control other assemblies. This technique is called hosting and it is a powerful way to extend the .NET Framework security system when developing pluggable components. In this session, I will describe how AppDomains can be created and used to isolate assemblies as well as how to control the trust levels associated with code in the AppDomains. I will also introduce developers to the CLR hosting API, as well as techniques used to secure unmanaged clients.

Thursday, Oct 28

9:00am – 10:30am
S9 - Security Context in Multithreaded Applications
Mike Woodring

Elements of the security enforcement model in .NET applications are inherently thread-centric; the most obvious of which are impersonation and stack walking to verify the presence or absence of CAS permissions, assertions, or denials. This means that care must be taken to understand the implications of what security-related information is (or isn't) propagated from one thread to another when you decide to leverage any of the multithreading capabilities of the CLR. In this session, Mike will explain how the current version of the CLR deals with CAS permission, marker and principal propagation when you leverage the thread pool or spawn dedicated threads on your own. He'll then discuss upcoming changes to the threading model in Whidbey to support more seamless cross-thread security information propagation as well as previously unavailable manual propagation techniques.

10:45am – 12:15pm
S10 - Improving Application Security through Penetration Testing
Dominick Baier

Application programmers usually focus on normal execution paths, attackers on error conditions. Penetration Testing is the process of analyzing applications and infrastructures through the eyes of an attacker and using exactly the same techniques and tools these people would use.

This session gives the theory behind auditing and penetration/security testing and introduces proven methodologies. Common programming pitfalls like input validation flaws including SQL injection, cross site scripting and directory traversal, ASP.NET misconfigurations and overall "hackable" application designs are shown with a detailed explanation of how to exploit these security holes. After this session you will have the knowledge to start testing your own applications for security problems and using tools to automate these tests.

1:45pm – 3:15pm
S11 - Designing Application Managed Authorization
Dominick Baier

Authorization is a task that every programmer has to face sooner or later. While authentication is handled in most situations by the operating system, authorization concepts have to be designed on a per application basis. The .NET Framework provides various authorization mechanisms to control the functionality of applications so that they behave as intended and cannot be misused either accidentally or deliberately. These include role based access checks using Windows or non-Windows accounts, Microsoft Authorization Manager, COM+ role based security and code access security authorization. This session provides guidelines for designing and coding application-managed authorization for single or multi-tier applications that are based on .NET. It focuses on common authorization tasks and scenarios, and it provides information that helps you choose the best approaches and techniques.

3:30pm – 5:00pm
S12 - .NET Obfuscation: How much does it protect your IP?
Brent Rector

People sometimes say that in .NET, when you ship your binary, you are also shipping the source code to it. How much should you worry about intellectual property protection when writing .NET applications? Does code obfuscation provide additional protection against reverse engineering of your application? Brent Rector, a noted expert in this area, will give a frank and honest report on the state of intellectual property protection in .NET.

Friday, Oct 29

9:00am – 10:30am
S13 - ASP.NET 2.0 provider model
Fritz Onion

The pairing of new security controls and a comprehensive security provider in ASP.NET 2.0 greatly simplifies the construction of secure web sites. One of the most compelling examples of the new 'provider model' supported in ASP.NET 2.0 is the security provider. This provider is split into two, with the Membership provider managing authentication, passwords, and users, and the Role provider dealing with role membership. The integration with the new security controls in ASP.NET 2.0 makes building robust, efficient forms-based authentication into your sites very straightforward.

This session will look at the new security features in ASP.NET 2.0 from three perspectives. First, we will look at the simplest use of the controls and the providers where an Access database is automatically generated for you to store user credentials and role membership. Second, we will see how to augment an existing SQL database with the necessary schema to support these new security features. Third and finally, we will look at building custom providers to map onto existing database schemas.

10:45am – 12:15pm
S14 - Unit Testing Security
Keith Brown

Unit testing has really taken off on the .NET platform, especially given the availability of tools like NUnit and the upcoming Visual Studio Team System. The popularity of Test Driven Development and agile methodologies has helped as well. Unit testing is great for security, because it helps ensure that you're producing robust code, and more robust code often means more secure code. But testing the actual security mechanisms in your code, role-based security and code-based security (partial trust scenarios), has always been tricky. Your unit test can't easily change security contexts to run tests as different users. In this session we will discuss some ideas for building testable security subsystems.

1:45pm – 3:15pm
S15 - What's new in Whidbey
Keith Brown

This talk will cover upcoming security features in v2.0 of the .NET Framework.

3:30pm – 5:00pm
S16 - A Gentle Introduction to Active Directory Programming
Keith Brown

Enterprises that adopt Active Directory (AD) can reap big benefits from integrating with it programmatically. AD is a great place to store relatively static data such as organizational structure, user security information, etc., and if you're an enterprise developer working in .NET, you simply must know how to program using System.DirectoryServices. This session will introduce the topic by first explaining what AD is, how it works, and how you can program against it. Come explore your directory!
