# Friday, November 10, 2006

OK, so we are at our final day of TechEd, and I thought it pertinent to go and listen to a session on security, with the focus on web application security since that is so much in focus these days. Keith Brown of Pluralsight did the presentation, which amounted to a good talk about well-known attacks that we need to be aware of, like SQL injection, cross-site scripting, and finally SQL truncation attacks, which is a new one. Not much new there really, but he did provide some techniques for dealing with them.

Of course we all know that the way to go with SQL injection is to always use parameterized queries, and that's the end of it. Basically what we need to be aware of is that string concatenation will cause problems at some point, so try to avoid it. We don't have many instances in our applications where we absolutely need to use dynamic queries, and I think the same goes for many others.

Cross-site scripting is actually an area I haven't given much thought, probably because of the inherent nature of the systems I do. Cross-site scripting is what happens when we allow a user to input unsafe values into an application, such as HTML and script code. If we persist this data in, say, a forum application, we end up in a situation where the unsafe input may be presented to other users of the site, and that will cause problems. The answer to this, of course, is to filter unsafe data. Microsoft patterns & practices has a tool which will help you do so; it's called the Microsoft Anti-Cross Site Scripting Library, quite the mouthful too :) It's a basic class with two methods for filtering and replacing in a string before you store it or send it to the user.

Microsoft also has a tool for doing threat modeling. I think we all do threat modeling at some level, but we seldom get around to putting the information into a structured form. Microsoft Threat Analysis & Modeling v2.0 allows us to store the information in a structured manner, and it will even help us by analyzing and comparing the information to a threat database which contains known exploits, in order to produce a visualization of the application and its weak spots.

Main points of the talk:

  • Consider user input dangerous
  • Place input values into strongly typed variables, i.e. use int age instead of passing Request.Form["Age"] around as a string
  • String concatenation in concert with any form of SQL is dangerous
  • Consider user input dangerous; it really comes down to users wanting to exploit our applications
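As an added example (my own code, not from the talk or any Microsoft library), here is what the first three points look like in C#: the concatenated query beside its parameterized form, the strongly typed age check, and HTML encoding before stored text is shown to other users. The Users table, its Name and Age columns and the column size are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Constructed example; table and column names (Users, Name, Age) are assumed.
public static class SafeInput
{
    // Vulnerable: the user's value becomes part of the SQL text, so a single
    // apostrophe in it changes the meaning of the statement.
    public static string UnsafeQuery(string name)
    {
        return "SELECT Name, Age FROM Users WHERE Name = '" + name + "'";
    }

    // Hardened: the value travels as a typed parameter and is never parsed
    // as SQL. The declared length matches the assumed column size.
    public static SqlCommand SafeQuery(SqlConnection conn, string name, int minAge)
    {
        var cmd = new SqlCommand(
            "SELECT Name, Age FROM Users WHERE Name = @name AND Age >= @minAge",
            conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
        cmd.Parameters.Add("@minAge", SqlDbType.Int).Value = minAge;
        return cmd;
    }

    // Strongly typed input: Request.Form["Age"] stays a string for exactly
    // one line; anything that is not a plausible age is rejected here.
    public static bool TryParseAge(string raw, out int age)
    {
        return int.TryParse(raw, out age) && age >= 0 && age <= 150;
    }

    // Before echoing stored text back to other users, encode it so embedded
    // markup is displayed literally instead of being executed by the browser.
    public static string ForDisplay(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }
}
```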