Thursday, March 04, 2004

My jam-packed session at DevDays - Defenses and Countermeasures - shows a huge number of things you can do to try to keep the hackers out. It was frustrating not to be able to get into the details of all of the great information that was in there because of the time limitation.

I think it would be interesting to look at all of those lessons in tiers.

The first tier would be basic, easy to remember, somewhat easy to implement solutions like:

  • never use sa as the account to access your database
  • use integrated security to access your database when you can; however, if you *must* use a uid & pwd in your db access strings, hide them. There are a number of ways, including: use the Configuration Management Application Block, which has this ability built in via a wrapper to DPAPI, OR encrypt the string yourself before putting it in your web.config file (in .NET 1.x you will need to build your own little DPAPI library to help you do this as well as to decrypt), OR encrypt the string and stuff it into the registry
  • check query strings in URLs to make sure they don't include possible SQL injection strings - this is pretty easy to do in the page load
  • use stored procedures FIRST, parameterized queries as a 2nd option, and concatenated queries never
  • validate data entry to limit the possibility of characters that are used for SQL injection or cross-site scripting attacks
  • never use the system account for your web application
  • HtmlEncode all output back to the browser
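The list above packs the data-access rules into one sentence each; here is what they look like side by side in ADO.NET on .NET 1.x. This is an added example, not code from the original post or from the DevDays deck: the table `dbo.Customers`, the stored procedure `dbo.GetCustomerByName` and the `Shop` database are hypothetical names, and the `Lookup` method stands in for a `Page_Load` that reads a `?name=` query string. The concatenated version is kept only to show what the two safe versions replace; it is never executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the original post). dbo.Customers, the Shop
// database and dbo.GetCustomerByName are hypothetical names.
public class CustomerLookup
{
    // Integrated security: no uid/pwd in the string, and no sa. The worker
    // process identity (ASPNET on IIS 5, Network Service on IIS 6) is the
    // account that gets granted rights in the database, and only the rights
    // it needs.
    const string ConnStr =
        "Server=(local);Database=Shop;Integrated Security=SSPI;";

    // Input side: an allow-list of what a name may contain is easier to get
    // right than a list of "bad" strings. The apostrophe is allowed on
    // purpose (O'Brien is a valid name); the parameter mechanism below is
    // what makes it harmless.
    static readonly Regex NamePattern = new Regex(@"^[A-Za-z .'\-]{1,100}$");

    public static bool IsValidName(string name)
    {
        return name != null && NamePattern.IsMatch(name);
    }

    // NEVER: the search term becomes part of the SQL text. A quote character
    // inside it ends the literal and whatever follows is executed as SQL.
    public static string BuildConcatenatedSql(string name)
    {
        return "SELECT CustomerID, Name FROM dbo.Customers WHERE Name = '"
            + name + "'";
    }

    // 2nd option: parameterized query. The value travels as a typed
    // parameter, never as SQL text, so a quote in it is just data.
    public static SqlCommand BuildParameterizedCommand(SqlConnection cn, string name)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT CustomerID, Name FROM dbo.Customers WHERE Name = @name", cn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // FIRST choice: stored procedure. Same parameter mechanism, and the
    // database account can be granted EXECUTE on the procedure only, with no
    // SELECT/INSERT/UPDATE/DELETE on the underlying table.
    public static SqlCommand BuildProcCommand(SqlConnection cn, string name)
    {
        SqlCommand cmd = new SqlCommand("dbo.GetCustomerByName", cn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Fill opens the connection if it is closed and closes it again; the
    // using block disposes it either way.
    public static DataTable Run(SqlCommand cmd)
    {
        DataTable dt = new DataTable();
        using (cmd.Connection)
        {
            new SqlDataAdapter(cmd).Fill(dt);
        }
        return dt;
    }

    // Output side: everything written back to the browser is HtmlEncoded,
    // including values read from the database, so a stored <script> tag
    // renders as text instead of running.
    public static string RenderName(string name)
    {
        return HttpUtility.HtmlEncode(name);
    }

    // Typical Page_Load flow for a ?name=... query string: validate, query
    // through the stored procedure, encode on the way out.
    public static string Lookup(string nameFromQueryString)
    {
        if (!IsValidName(nameFromQueryString))
            return "Invalid name.";
        SqlConnection cn = new SqlConnection(ConnStr);
        DataTable rows = Run(BuildProcCommand(cn, nameFromQueryString));
        if (rows.Rows.Count == 0)
            return "No customer named " + RenderName(nameFromQueryString);
        return RenderName((string)rows.Rows[0]["Name"]);
    }
}
```

The three `Build*` methods take the same input so the difference is visible in one place: only the first one lets the input change the shape of the query. The allow-list check is deliberately not the thing that stops injection; it just keeps junk out of the database and gives a friendly error, while the parameter and the encoding on the way out are what actually hold the line.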

Even with this top tier list, there are two audiences. The first audience only needs the list and either knows how to accomplish these things or knows how to find them. That audience just wants a checklist, and then you can also talk about a LOT more things. The other audience would need this list to be the entire one hour presentation so you can really dig into each thing - how to do the encryption, looking at the difference between the effect of a query string with a SQL injection attack and a stored procedure with the same attempted SQL injection attack, experimenting with the variety of other ways to prevent nasty input.

I will be thinking about all of this a lot until the next DevDays (in Boston) where I will be presenting this session again.

Thursday, March 04, 2004 8:43:04 AM (Eastern Standard Time, UTC-05:00)

Peter (Tabula PC) drops a hint about upcoming Tablet PC goodies...but says don't get too excited, it's not a big deal. Funny, but regardless of his caveat, I'm still awfully curious!

Thursday, March 04, 2004 8:01:02 AM (Eastern Standard Time, UTC-05:00)

Monday, March 01, 2004

I am getting some great feedback on my last two security-related posts from people who have been thinking about, working with and dealing with ASP.NET security a lot longer than I have.

DEFINITELY read the comments by Steve Smith and Sam Gentile in my last post.

And don't miss the comments by Anil John and Andrew Duthie in my post on the RequestValidation feature in ASP.NET 1.1.

There is no ONE solution to security. Threats are coming at you from many many angles. You have to protect yourself in many many ways and then you still won't be done.

One of the points that is made in the Defenses and Countermeasures session that I am doing for DevDays is that what we are doing with all of these steps is not assuming that we are eliminating all security problems, but instead, we are continuously raising the bar for potential hackers. Making it harder and harder for them to do their deeds.

Monday, March 01, 2004 8:22:30 AM (Eastern Standard Time, UTC-05:00)

Sunday, February 29, 2004

Don't we all? Isn't it what we were told to do? ASP.NET protects the web.config file so nobody can browse to it and see your connection strings, logins and passwords and whatever else you have hidden in there. Right?

But guess what, that's just not good enough anymore! Hackers who know how to get into your web server and get around ASP.NET can get at the web.config file.

This is one of the things we are talking about in the DevDays ASP.NET Security track.

One of the ways to protect the strings is to encrypt them (which isn't so hard) but decrypting them *is* (and should be, if you think about it...). DPAPI (a win32 api - not managed code) is used to handle the keys for encrypting and decrypting your data but it is pretty confusing to use especially if you are not used to dealing with unmanaged code. (In that case, if you want to get more comfy with that, keep up with Sam Gentile's MSDN series on COM Interop.)

Enter the Configuration Management Application Block for .NET. Among its features is its ability to handle this encryption/decryption for you.

How does the Configuration Management Application Block improve the security and integrity of application configuration data?

Regardless of the type of data or the store in which the data is held, you can configure the Configuration Management Application Block to use the data signing and encryption services provided by a Data Protection Provider. The Configuration Management Application Block provides two Data Protection Provider implementations, and the extensible architecture of the Configuration Management Application Block means that you can easily and seamlessly integrate your own Data Protection Provider implementation.

Phew! (You'd be saying that too if you looked at the code for working with DPAPI.)

Also - Whidbey will have a managed wrapper for DPAPI so a lot of this will be easier to do yourself down the road. My understanding is that this is actually related to the work that was done for the App Block. (Or maybe the other way around?)
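For anyone who wants to see what "build your own little DPAPI library" (from the first-tier list earlier on this page) and the unmanaged-code confusion described in this post actually amount to, here is the wrapper in P/Invoke form. This is an added example, not code from the post, the Configuration Management Application Block or Whidbey; `CryptProtectData`/`CryptUnprotectData` in crypt32.dll and the `DATA_BLOB` layout are the real Win32 API, while the appSettings key `dbConnEncrypted` is a hypothetical name. In Whidbey the same calls are wrapped by `System.Security.Cryptography.ProtectedData`.

```csharp
using System;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the original post): a minimal managed wrapper
// around DPAPI for .NET 1.x, enough to encrypt a connection string at
// deployment time and decrypt it at runtime.
public class DpapiConnectionString
{
    [StructLayout(LayoutKind.Sequential)]
    struct DATA_BLOB
    {
        public int cbData;
        public IntPtr pbData;
    }

    // LOCAL_MACHINE ties the key to the machine rather than to the
    // interactive user, which is what an ASP.NET worker process needs
    // (there is no user profile to load). UI_FORBIDDEN stops DPAPI from
    // ever trying to pop up a prompt from a service.
    const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;
    const int CRYPTPROTECT_LOCAL_MACHINE = 0x4;

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);

    // DPAPI allocates the output buffer with LocalAlloc; we must free it.
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // Copy managed bytes into unmanaged memory DPAPI can read.
    static DATA_BLOB ToBlob(byte[] data)
    {
        DATA_BLOB blob = new DATA_BLOB();
        blob.cbData = data.Length;
        blob.pbData = Marshal.AllocHGlobal(data.Length);
        Marshal.Copy(data, 0, blob.pbData, data.Length);
        return blob;
    }

    // Copy DPAPI's output back into a managed array.
    static byte[] FromBlob(DATA_BLOB blob)
    {
        byte[] data = new byte[blob.cbData];
        Marshal.Copy(blob.pbData, data, 0, blob.cbData);
        return data;
    }

    // Run once at deployment time; paste the Base64 result into web.config
    // (or the registry). Only this machine can turn it back into text.
    public static string Protect(string plainText)
    {
        DATA_BLOB input = ToBlob(Encoding.UTF8.GetBytes(plainText));
        DATA_BLOB output = new DATA_BLOB();
        try
        {
            if (!CryptProtectData(ref input, "connection string", IntPtr.Zero,
                    IntPtr.Zero, IntPtr.Zero,
                    CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, ref output))
                throw new ApplicationException(
                    "CryptProtectData failed, Win32 error " + Marshal.GetLastWin32Error());
            return Convert.ToBase64String(FromBlob(output));
        }
        finally
        {
            Marshal.FreeHGlobal(input.pbData);
            if (output.pbData != IntPtr.Zero) LocalFree(output.pbData);
        }
    }

    // Runs in the web application. The machine scope is recorded inside the
    // blob, so only UI_FORBIDDEN is passed here.
    public static string Unprotect(string base64CipherText)
    {
        DATA_BLOB input = ToBlob(Convert.FromBase64String(base64CipherText));
        DATA_BLOB output = new DATA_BLOB();
        try
        {
            if (!CryptUnprotectData(ref input, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                    IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, ref output))
                throw new ApplicationException(
                    "CryptUnprotectData failed, Win32 error " + Marshal.GetLastWin32Error());
            return Encoding.UTF8.GetString(FromBlob(output));
        }
        finally
        {
            Marshal.FreeHGlobal(input.pbData);
            if (output.pbData != IntPtr.Zero) LocalFree(output.pbData);
        }
    }

    // Hypothetical web.config entry:
    //   <appSettings><add key="dbConnEncrypted" value="...base64..." /></appSettings>
    public static string GetConnectionString()
    {
        return Unprotect(ConfigurationSettings.AppSettings["dbConnEncrypted"]);
    }
}
```

Two things worth knowing before relying on this: the blob is only decryptable on the machine that produced it (and, with the LOCAL_MACHINE flag, by any account on that machine that can read web.config, so NTFS permissions on the file still matter), and the decrypted connection string ends up in an ordinary managed string that cannot be scrubbed from memory, so decrypt it once at application start rather than on every request.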

Sunday, February 29, 2004 8:45:51 PM (Eastern Standard Time, UTC-05:00)

Did you know that ASP.NET v1.1 automatically checks for possible scripting attacks when users enter info into your forms? I didn't! I learned it in my prep for my DevDays session.

So this:

(with Errors="Off" in web.config) results in this:

This protection is on by default. It is controlled in a few places. See this article on Microsoft's ASP.NET site for more details.

Sunday, February 29, 2004 11:04:59 AM (Eastern Standard Time, UTC-05:00)

Peter Rysavy LOVES InfoPath (here and here). His love is noted by Robert Scoble.

Dave Burke is not so in love with InfoPath. Dave's opinion was noted by Joris Evers of IDG, and Dave was interviewed for this article about InfoPath in InfoWorld!

Sunday, February 29, 2004 10:27:01 AM (Eastern Standard Time, UTC-05:00)

Having been a developer for over 20 years, I appreciate what Clemens is talking about in this discussion.

1) Where do you want to go, Aiden

2) Free stuff vs. Free Stuff

Sunday, February 29, 2004 9:27:23 AM (Eastern Standard Time, UTC-05:00)

Friday, February 27, 2004

Makes my day. The owner of my favorite/biggest client treats me like a business partner. He tells me his visions and lets me do whatever I think it takes to make them a reality. He pays me plenty. I love the company and over the past 7 years of working with them have a great sense of ownership of what goes on there and am very proud of my contributions. But still, he pays me plenty. So to have him stop to tell me “thanks for everything” means so much to me. He said what we have accomplished in the past year is now setting his company up for another fantastic growth spurt. He knows that my dedication to his company goes much deeper than my billables. I am *so* incredibly fortunate to have a client like this.

Building relationships with clients is what keeps you in business. Every time I have ever been asked to talk about this side of my business (I have been a contractor for nearly 18 years now) this is always the most important factor that I highlight.

Friday, February 27, 2004 6:09:06 PM (Eastern Standard Time, UTC-05:00)

Avonelle, James, Andrew, Scott - I absolutely respect everything you are saying, which is why I am leaving your comments intact.

I do not have the energy or heart to keep trying to fix what I have written to express properly what I am saying so that it does not insult anyone other than possibly the one person I was writing about - nor do I have the courage to even attempt to debate this with you. I am not expressing myself well. You all are very clear with what you are saying.

Friday, February 27, 2004 8:58:00 AM (Eastern Standard Time, UTC-05:00)

Thursday, February 26, 2004

this is pretty funny!

I'm sure it was a hardware problem...

Thursday, February 26, 2004 7:54:25 PM (Eastern Standard Time, UTC-05:00)

Even though some long haired freak came by and made faces at me while I was doing this interview, it actually sounds pretty good! (I think). http://www.sys-con.com/story/?storyid=43782.

Thursday, February 26, 2004 7:43:02 PM (Eastern Standard Time, UTC-05:00)

Just time for a couple of quick notes on Edge 2004 East.

I finally got to meet Dave Seidel in person - we have a bit of a funny history so it was fun to meet up. I also got to catch up with Jim Murphy (leader of New Hampshire's .NET User Group who gave a fantastic talk to VTdotNET in June 2002 on GC) who also works at MindReef and got to spend some time getting some insights (and providing some feedback) on their awesome SoapScope web service analysis tool.

Carl Franklin, Pat Hynds, Ted Neward and Michael Stiefel all came to my presentation. I decided not to be daunted by this pack of gurus and was extremely fortunate to have some truly wonderful feedback from these very experienced speakers after the fact.

After I did my talk, I found an email from Kit George with all kinds of great pointers to improve my deck (and my knowledge)! I'll implement them anyway since I will be uploading the deck as well as doing this talk again at DevTeach. Thanks Kit!

I got a pre-press copy of Paul Vick's new VB book for Addison-Wesley. Thanks Curt! And met another one of my email pals from A-W...Heather Mullane.

I was interviewed by Jeremy Geelan for sys-con radio to replace my (so bad I have never listened to it) interview they did at PDC. Only got asked one ringer question; the interview was fun. Here's the interview (which I haven't listened to yet either)... and they got a lovely photo of my nose...egads!!

I almost died of a heart attack as a back seat passenger in Pat Hynds' car driving around Boston. I'm sure he and Ted are still laughing their asses off at what a wuss I am!

Thanks Derek for taking us to “Cheers” for dinner. After being surrounded by so many Java people for the days there, it was great to be with many of my .NET pals (that includes Ted)!

I attended Pat's ASP.NET Security talk. Can't hear these things too many times (especially in prep for next week's DevDays talk).

Had a total blast with Ted Neward - he and another pal of his from TSS and I went to the OLDEST restaurant in America - the Union Oyster House.

Gotta run... Hopefully I'll get to come back and link. (did it!)

Thursday, February 26, 2004 7:21:12 PM (Eastern Standard Time, UTC-05:00)

Werner reports positively on having Bill Gates at the Cornell campus. Quite a different view from Ajay's report from Carnegie-Mellon!

Thursday, February 26, 2004 6:56:37 PM (Eastern Standard Time, UTC-05:00)

The folks on the infrastructure committee for INETA, especially Devin Rader, are building a phenomenal new website for INETA. They are spending a lot of their personal time on this, as it is a volunteer project, and would welcome some volunteers with C# and ASP.NET experience to help them out. Read more at http://www.ineta.org/developers/

Thursday, February 26, 2004 5:58:31 PM (Eastern Standard Time, UTC-05:00)

Just time for a couple of quick notes on Edge 2004 East.

I finally got to meet Dave Seidel in person - we have a bit of a funny history so it was fun to meet up.

Carl Franklin, Pat Hynds, Ted Neward and Michael Stiefel all came to my presentation. I decided not to be daunted and was extremely fortunate to have some great feedback from these very experienced speakers after the fact.

After I did my talk, I found an email from Kit George with all kinds of great pointers to improve my deck! I'll implement them anyway <g> Thanks Kit.

I got a pre-press copy of Paul Vick's new VB book for Addison-Wesley. Thanks Curt! And met another one of my email pals from A-W...Heather Mullane.

I was interviewed by Jeremy for sys-con radio to replace my (so bad I have never listened to it) interview they did at PDC. Only got asked one ringer question; the interview was fun.

I almost died of a heart attack as a back seat passenger in Pat Hynds' car driving around Boston. I'm sure he and Ted are still laughing their asses off at me.

Thanks Derek for taking us to “Cheers” for dinner. After being surrounded by so many Java people for the days there, it was great to be with many of my .NET pals!

I attended Pat's ASP.NET Security talk. Can't hear these things too many times (especially in prep for next week's DevDays talk).

Had a total blast with Ted Neward - he and another pal of his from TSS and I went to the OLDEST restaurant in America - the Union Street Chowder House.

Gotta run... Hopefully I'll get to come back and link.

Thursday, February 26, 2004 5:11:26 PM (Eastern Standard Time, UTC-05:00)

Wednesday, February 25, 2004

I have had the good fortune of meeting one of the two Dave Chappells, this one, at TechEd and again at PDC. Right now I am sitting with the “other” Dave Chappell. But now he is the other other Dave Chappell, as he has recently [and quite proudly] lost 60 pounds.

Wednesday, February 25, 2004 1:46:29 PM (Eastern Standard Time, UTC-05:00)

Tuesday, February 24, 2004

Today, I was looking at a little website I did for my mom's book in 2002 and really surprised myself at what a pretty website it is. I just wanted to show it off. Getting stuck with design work is really daunting for a developer. It's just a little FrontPage site that uses bCentral, but it was perfect for them. They have sold hundreds of books from it too!

I have also always been very proud of the site I did for my sister's company, Katie's Bumpers. That is also a FrontPage site that uses bCentral for e-commerce. I started this site for her when she began her business in January of 2002. She now has her products selling in over 500 stores in the U.S. and Canada and also some catalogs!

I have to admit that I really struggled with both of these, since I was given no direction really as to what the “look” should be at all. I know what I like and don't like, but not how to get there. So I just kept changing and changing and changing it until I finally liked the way it looked.

Tuesday, February 24, 2004 8:44:26 AM (Eastern Standard Time, UTC-05:00)

Monday, February 23, 2004

I thought this was funny - but geez Ted, you HAVE a real, grown-up title now!!

This is just the schedule of when we are getting interviewed by Sys-Con Radio while at the Edge 2004 East conference. I need a replacement for my bomb interview (well, I never listened to it really but I'm pretty sure it sucked) that they did at PDC.

Monday, February 23, 2004 4:41:33 PM (Eastern Standard Time, UTC-05:00)

Latest goody in the spam box:

a company in Thailand that is offering polygraph services for potential and current employees as well as hand-writing analysis and on-line ethics tests. A new low...

Pre-employment polygraph testing: After you interview your candidates and you choose the one you think you would like to hire, we will polygraph them to verify their CV. It is the fastest and easiest way to do it instead of trying to verify previous education and employment by phone or letters that takes a long time. And sometime does not get the response on time or at all. We can provide you with pre-employment polygraph testing. This will verify the information on the CV from the candidate him self. And usually you will get all the information you need the same day or the next.
Periodic screening: For any size company that need to check on periodic basis that employees are keeping with company roles and regulations. We will polygraph a few employees on monthly or bi-monthly basis. The employees never know when the testing will take place or who will be tested.
Fact finding (specific issues): When ever company roles and regulations are broken or any kind of disputes, polygraph is the best way to get to the truth.

Monday, February 23, 2004 8:38:29 AM (Eastern Standard Time, UTC-05:00)

I love this post from a fellow Vermont resident (we are only “flatlanders” - the definition of “Vermonter” is “five in the ground”...) on his geeky desire to have an excuse to really dig into XML serialization, which was battling with the sanity of not overextending his architecture on a simple website that he is doing for a local charity. Read on...

Monday, February 23, 2004 8:32:43 AM (Eastern Standard Time, UTC-05:00)