Microsoft Security Interchange notes
Last night Gary, Chris and I attended the Adelaide edition of the Microsoft Security Interchange evenings that they are running around the country.
It was a relaxed evening, but there were some good speakers. Most interesting and entertaining would have to be Steve Riley. I've heard Steve and Jesper talk at TechEd previously, and he is a very compelling presenter. I wish some of the ISTS guys had been there to hear him talk about how "account lockout" is just a great way to mount DoS attacks on user accounts. It's also worth repeating the security tradeoff triangle diagram:
Rocky Heckmen also did an interesting presentation where he showed a new tool, to be released soon by Microsoft, that helps with threat modeling.
Dave Glover finished up with some demos of techniques to help improve code security. Sadly, encrypting web.config didn't work for him on the night, but he did also mention the Anti-Cross Site Scripting Library that I blogged about last week. Turns out this includes security-conscious versions of the Server.HTMLEncode and Server.UrlEncode functions.