<h2>Roxberry's OWASP Blog</h2> <p>Mark Roxberry's blog for OWASP content, articles and ideas.</p> <h3>ORG2 Schedule</h3> <p>Posted 2010-08-07</p> <p>Here’s the tentative schedule I have for my stab at the ORG2 project:</p> <ol> <li>August 2010 – Prototyping, Envisioning, Backlog <br />Using Flex 4, I’ve developed a capability app to make sure that the features I want to deliver are possible. I have been able to preview PDFs, generate PDFs from XML-based templates, read log files and a few other high-priority ideas. There are a few more exploratory ideas that I need to prototype, e.g. drag-and-drop report design to export to XML. Then I will revise my UI vision, throw anything that cannot be done quickly but is not mission critical into the backlog and get cranking on the Shell. </li> <li>September 2010 – Shell Development Phase 1, release to select OWASP folks for initial impressions. <br />Get a Shell out for look and feel. Get it set up to work with a provider model. </li> <li>October 2010 – Provider Development Phase 1 <br />Start to convert the original ORG stuff. </li> <li>November 2010 – Community Preview, open up development to contributors <br />Depending on our progress in the previous 3 sprints, open up to the public and start a feedback loop (and contribution loop). </li> <li>December 2010 – Alpha Release, KB/Training materials <br />When we have something usable, start the promotion cycle. 
</li> </ol> <p>Stay tuned!</p> <h3>ORG2 Roadmap Thoughts</h3> <p>Posted 2009-07-23</p> <p>ORG2 currently lives at Google Project Hosting:</p> <p><a href="http://code.google.com/p/org2/">http://code.google.com/p/org2/</a></p> <p>The vision:</p> <p>ORG2 will be a reporting tool that sets the standard for reporting tools.</p> <p>I spend a great deal of time when I put together reports, proposals and documentation in general. I believe that documentation is one of the most important tasks we do as professionals and a reflection on our professionalism. Because of this, I will invest the time to seek out the best-of-class documents, or the industry standard template. </p> <p>For example, when I started out as a software developer I was asked to produce a design document. The first question that I asked was, what is the standard? Does the company that requested the design use a standard template? At the time, no, there was no standard at the company. So my next step was to look beyond the company. Using the power of the internets I found several decent documents and proposals. Some of these documents seemed to follow a pattern and I was able to narrow my search to find that pattern. It turns out IEEE 830 is the pro forma standard and so it became my source. I tailored it for the company and my timeline, but I at least had some idea of what proposals and designs could include.</p> <p>That was over a decade ago.</p> <p>Today, I have a folder of templates that I use to maintain my professional standard. I have comprehensive Technical Design Document templates, templates for Executive Summaries, Threat Models, Analysis Results and other business forms. I have various disparate applications that I use to create documents and reports. 
Beyond my personal process, my clients have similar needs and similar “organization” techniques and challenges.</p> <p>A little better for sure, but not optimal.</p> <p>I see ORG2 as an opportunity to create an optimal tool for documentation to replace my manual, inefficient method.</p> <p>The vision is to create a Reporting Framework with components for specialized data collection, comprehensive reporting libraries, checklists, knowledgebases, visualization tools, wikis, notetaking and collaboration tools. More detail and brainstorming on each of these areas will follow on this blog.</p> <p>On top of this framework, “Report Providers” will be created and can be plugged in for specialized documentation. For our first report provider, we will rebuild the Penetration Tester tool produced in the original ORG application as a proof of concept.</p> <p>We hope to continue to use the framework to develop other report providers for OWASP. We are looking at Secure Development Lifecycle documentation and the potential for an SDL Report Provider. Beyond OWASP, ORG can be leveraged for a myriad of reporting and documentation needs and it’s my hope that ORG will be the gold standard of documentation tools.</p> <p>Pie in the sky, over-ambitious, maybe. Potential for a great tool, definitely. 
I can’t wait to see this come to life.</p> <h3>OWASP .NET Project Update</h3> <p>Posted 2009-03-07</p> <p>Hi everyone, I'm putting a call out for any .NET security content to add to the OWASP .NET project site. What is everyone's current .NET security concern or challenge? Is it a matter of sorting through resources or a lack thereof, lack of tooling, communication to stakeholders? I've seen increased activity in client concerns; not sure if the economy has people more security conscious or what, but I would be interested in your observations.</p> <p>I have a few items that I've been tracking:</p> <p>ASP.NET MVC Security - <a href="http://blog.wekeroad.com/blog/aspnet-mvc-securing-your-controller-actions/">Securing Controller Actions</a></p> <p>Silverlight Security - <a href="http://tinyurl.com/slsec">Security Guidance for Writing and Deploying Silverlight Applications</a></p> <p>I'm interested in assurance of security controls and real-world testing of these platforms. If anyone has related information or has other topics of interest, let me know.</p> <p>I've been heads down on a few projects and hope to contribute some primary research to the project soon. Specifically, I'm doing some SharePoint security reviews and best-practice checklists that may be of interest to this group. Office Small Business Live is also on my radar as it is SharePoint and allows developers to create business applications in .NET, but lives in the "cloud". What concerns do we have for cloud computing?</p> <p>On a formatting note, I will also be tabifying the .NET project page, like <a href="https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">OWASP ESAPI</a>. I expect to see a lot of the OWASP primary project pages adopt the tabification.</p> <h3>Microsoft BlueHat v8.0</h3> <p>Posted 2008-09-08</p> <p>Scheduled for 10/16 and 10/17 this year, the thrust of the Fall session is the Security Development Lifecycle:</p> <blockquote> <h3>Microsoft BlueHat Security Briefings</h3> <h5>What is BlueHat?</h5> <p>BlueHat is a twice-a-year, by-invitation-only Microsoft security conference aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas and social networking. BlueHat is a cutting-edge conference aimed at improving the security of Microsoft products. 
BlueHat continuously seeks out new and innovative material, highlighting important emergent technologies, techniques, and industry best practices.</p> <ul> <li>Vulnerability economy</li> <li>Web application security</li> <li>Mobile/Wireless devices</li> <li>Crimeware</li> <li>Penetration testing and fuzzing</li> <li>Architecture flaws</li> <li>Network design and compromise</li> <li>Reverse engineering</li> <li>Exploit development</li> <li>Intrusion prevention</li> <li>Cryptography</li> <li>Lions and tigers and bears</li> </ul> </blockquote> <p><a title="http://technet.microsoft.com/en-us/security/cc748656.aspx" href="http://technet.microsoft.com/en-us/security/cc748656.aspx">http://technet.microsoft.com/en-us/security/cc748656.aspx</a></p> <h3>Space Virus</h3> <p>Posted 2008-08-27</p> <p>“In Space No one can hear you scream” – tagline for the sci-fi classic “Alien”.</p> <p>I’m sure astronauts at the ISS are screaming at their computers. Apparently, one of the astronauts unleashed the Gammima.AG virus via a USB stick:</p> <blockquote> <p>“The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection. </p> <p><a href="http://lh6.ggpht.com/roxberries/SLYLVhDNNpI/AAAAAAAAAOA/gIpAqcD8srM/s1600-h/hal%5B9%5D.jpg"><img title="hal" style="margin: 0px 15px 0px 0px" height="120" alt="hal" src="http://lh4.ggpht.com/roxberries/SLYLVqkzHVI/AAAAAAAAAOE/y1CL5PSxW_0/hal_thumb%5B7%5D.jpg?imgmax=800" width="120" align="left" /></a>Once it has scooped up passwords and login names the Gammima.AG worm virus tries to send them back to a central server. 
It targets a total of 10 games most of which are popular in the Far East such as Maple Story, HuangYi Online and Talesweaver.”</p> </blockquote> <p>No Command/Control computers are affected (as far as they know).</p> <p>Article: <a title="http://news.bbc.co.uk/1/hi/technology/7583805.stm" href="http://news.bbc.co.uk/1/hi/technology/7583805.stm">http://news.bbc.co.uk/1/hi/technology/7583805.stm</a></p> <h3>Catching up with Summer of Code 2008</h3> <p>Posted 2008-06-29</p> <p>June 29th, the 50% mark for Summer of Code 2008, is here. Here’s an unofficial update of what has been done for the OWASP .NET Project for SOC 2008:</p> <p>Goal 1: OWASP .NET Site Reorganization</p> <blockquote> <p>Pages (I’d say I’m about 50% done – there’s a ton of stuff that I *want* to add, but as far as what is useful and relevant, the content is about 50% there.)</p> <ul> <li><a href="http://www.owasp.org/index.php/Category:OWASP_.NET_Project">OWASP .NET</a></li> <li><a href="http://www.owasp.org/index.php/.NET_Security_for_Architects">.NET Security for Architects</a></li> <li><a href="http://www.owasp.org/index.php/.NET_Security_for_Developers">.NET Security for Developers</a></li> <li><a href="http://www.owasp.org/index.php/.NET_Security_for_IT_Professional">.NET Security for IT Professionals</a></li> <li><a href="http://www.owasp.org/index.php/.NET_Penetration_Testing">.NET Penetration Testing</a></li> <li><a href="http://www.owasp.org/index.php/.NET_Incident_Response">.NET Incident Response</a></li> <li><a href="http://www.owasp.org/index.php/OWASP_.NET_Active_Projects">OWASP .NET Active Projects</a></li> <li><a href="http://www.owasp.org/index.php/OWASP_.NET_Vulnerability_Research">OWASP .NET Vulnerability Research</a></li> <li><a href="http://www.owasp.org/index.php/OWASP_.Net_Project_Roadmap">OWASP .NET Project Roadmap</a></li> <li><a href="http://www.owasp.org/index.php/OWASP_.NET_Recommended_Resources">OWASP .NET Recommended Resources</a></li> </ul> <p>Special Projects becomes <a href="https://www.owasp.org/index.php/OWASP_.NET_Vulnerability_Research">Vulnerability Research</a>.</p> <p>After discussions with OWASP .NET Project contributors and Dinis Cruz, I added <a href="http://www.owasp.org/index.php/OWASP_.NET_Recommended_Resources">Recommended Resources</a>.</p> </blockquote> <p>Goal 2: OWASP .NET Project Outreach</p> <blockquote> <p>Presentation materials for OWASP, OWASP .NET and the software lifecycle</p> <p><a href="http://owaspdotnet.blogspot.com/2008/05/project-bullet-points.html">OWASP .NET Bullet Points</a></p> <p>Community Outreach</p> <ul> <li>User Groups – I gave a 10-minute introduction to the OWASP .NET reorg in the OWASP EU AppSec 2nd keynote. I reached out to OWASP Philadelphia and New York to find time for me to present (still working on these); I plan on reaching out to other groups for the 2nd half.</li> <li>Forums - Participating in the ASP.NET forum; I need to be more involved and find additional forums.</li> <li>Microsoft MVP Community – I reached out to Alex Smolen, a Security MVP, who informed me that there was talk about having MVPs participate on the OWASP .NET side. I will continue to push for their involvement.</li> <li>Microsoft - I have a couple of contacts that I will work with at Microsoft to keep me in the loop.</li> </ul> <p>Media Outreach</p> <ul> <li>ISSA Journal - I was asked to submit an abstract for an upcoming issue of the ISSA Journal. The editor is interested in a couple of ideas that I provided. I will be completing this in the next few weeks.</li> <li>ISC2 Blog - I was given blogging privileges for the ISC2 Blog (<a href="https://www.isc2.org/cgi-bin/content.cgi?category=538" target="_blank">CISSP</a> folks). I haven’t found the right content to bridge security development and the CISSP-level stuff, but I have a few ideas in my backlog.</li> <li>MSDN Magazine - I e-mailed the editor and he offered to present OWASP .NET as a resource for their Toolbox section. I volunteered to provide anything required.</li> <li>OWASP Media Guidelines - As I’m working on an article for ISSA, I’m keeping a log of things other OWASP authors might find useful. For example, a standard blurb about OWASP and your project as part of your author introduction.</li> </ul> </blockquote> <p>Goal 3: OWASP Project Support</p> <blockquote> <p>Projects that I’m working with, in addition to the OWASP .NET Reorganization, that will allow me to continue to recruit content for OWASP .NET:</p> <ul> <li>Report Generator – I found a volunteer who is interested in continuing this work. I started a backlog of improvements and have the code running locally. I will find some time to get this moving.</li> <li>Testing Guide – I volunteered to review articles and fill in any gaps if articles need to be added.</li> <li>Reviewer for <b><a href="http://www.owasp.org/index.php/Category:OWASP_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project">OWASP Application Security Tool Benchmarking Environment and Site Generator refresh</a></b></li> <li>Reviewer for <b><a href="http://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp">OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp</a></b></li> <li>Side Projects: <a href="http://owaspdotnet.blogspot.com/2008/06/sql-injection-vector-for-linq_10.html">Linq & Sql Injection</a>, <a href="http://owaspdotnet.blogspot.com/2008/06/owasp-net-shield.html">OWASP .NET Shield</a></li> </ul> </blockquote> <p>Here is the <a href="http://www.owasp.org/index.php/OWASP_.Net_Project_Roadmap">roadmap</a> going forward for the next half of Summer of Code 2008.</p> <h3>.NET Incident Response</h3> <p>Posted 2008-06-26</p> <p>I couldn't find specific .NET incident response guidance or tools, but there are a few good links to general incident response resources at <a href="https://www.owasp.org/index.php/.NET_Incident_Response">.NET Incident Response</a>.</p> <p>Some of the highlights include:</p> <ul><li>Carnegie Mellon's SEI Incident Response Handbook</li><li>NIST Special Publication for Forensics guidance</li><li>Helix as part of your response toolkit</li><li>and more.</li></ul> <h3>OWASP .NET Shield</h3> <p>Posted 2008-06-19</p> <p>I open sourced a project on CodePlex for handling SQL injection attacks. The main piece is an HttpModule that you can have check requests to the web server. It’s very primitive at the moment, using a blacklist to filter request values (QueryString, Form and Cookies). For example, “lend” and “Bender” both fail the validation check because the word “end” is on the blacklist (we will disregard the fact that we may use the word “end” somewhere). So, what are the best practices for handling SQL statements posted to a web server? 
Is there some pre-execution check, or better heuristics for filtering?</p> <p>The project can be found here: <a href="http://www.codeplex.com/shield">www.codeplex.com/shield</a>.</p> <h3>Sql Injection Vector for Linq</h3> <p>Posted 2008-06-10</p> <p>I was going to name this blog post “You’re only as strong as your weakest Linq,” but I thought that would be trite (but funny enough to mention).</p> <p>Here it is: Linq is not impervious to SQL injection, as claimed in <a href="http://www.devx.com/dotnet/Article/34653/1954">Eliminate SQL Injection Attacks Painlessly with LINQ</a>. While I agree with the statement in the article that to eliminate SQL injection, eliminate SQL, the reality for Linq is not so cut and dried. The author states that “every SQL query that Linq executes on your behalf is parameterized.” This is not true. In fact, inline SQL is recommended to improve the performance of certain Linq queries:</p> <ul> <li>see <a href="http://shrinkster.com/z2q">http://shrinkster.com/z2q</a> for improved performance</li> <li>see <a href="http://shrinkster.com/z2p">http://shrinkster.com/z2p</a> for bulk updating issues with Linq</li> <li>and here’s a fun one – passing the query to a function, <a href="http://shrinkster.com/z2o">http://shrinkster.com/z2o</a></li> </ul> <p>It should be easy to see that the use of the DataContext ExecuteQuery and ExecuteCommand functions is problematic: both execute a SQL string that the caller assembles, so any user input concatenated into that string reaches the server unparameterized. Here is my proof-of-concept code using a simple example – a LinqDataSource and a web page with unvalidated input.</p> <p>I am using Visual Studio 2008 and SQL Server 2005. For the datasource I needed to create a DataContext. 
I created a database with a table named Trade to query against:</p> <p><a href="http://lh3.ggpht.com/mark.roxberry/SE4C-DrIqyI/AAAAAAAAALI/9aCF2JaqIBc/s1600-h/clip_image002%5B3%5D.jpg"><img title="clip_image002" style="border-width: 0px;" alt="clip_image002" src="http://lh4.ggpht.com/mark.roxberry/SE4C-tevopI/AAAAAAAAALM/-VcZZxSyZfY/clip_image002_thumb.jpg?imgmax=800" border="0" height="176" width="242" /></a></p> <p>Then I created the DBML for the DataContext by adding LINQ to SQL Classes and added my table to the design surface:</p> <p><a href="http://lh4.ggpht.com/mark.roxberry/SE4C_D4Bo8I/AAAAAAAAALQ/WQg8mVchPmE/s1600-h/clip_image004%5B3%5D.jpg"><img title="clip_image004" style="border-width: 0px;" alt="clip_image004" src="http://lh5.ggpht.com/mark.roxberry/SE4DAeyht9I/AAAAAAAAALU/ZtQCh3CZLts/clip_image004_thumb.jpg?imgmax=800" border="0" height="207" width="244" /></a></p> <p>I created a simple page (it includes a LinqDataSource, a ListView, a TextBox and a Button):</p> <p>Default.aspx</p> <pre class="code">&lt;%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %&gt;

&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;
&lt;head runat="server"&gt;
    &lt;title&gt;Untitled Page&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
    &lt;form id="form1" runat="server"&gt;
    &lt;div&gt;

        &lt;asp:Literal ID="Literal1" runat="server"&gt;&lt;/asp:Literal&gt;
        &lt;br /&gt;
        &lt;br /&gt;
        &lt;asp:ListView ID="lstTrades" runat="server" DataKeyNames="TradeID"
            DataSourceID="LinqDataSource1"&gt; … template markup removed …
        &lt;/asp:ListView&gt;
        &lt;br /&gt;
        &lt;br /&gt;
        &lt;!-- The unvalidated input: whatever is typed here ends up in the SQL text --&gt;
        &lt;asp:TextBox ID="txtParams" runat="server" Width="352px"&gt;&lt;/asp:TextBox&gt;
        &lt;br /&gt;
        &lt;br /&gt;
        &lt;asp:Button ID="btnExecuteQuery" runat="server" onclick="btnExecuteQuery_Click"
            Text="Execute Query" /&gt;
        &lt;asp:LinqDataSource ID="LinqDataSource1" runat="server"
            ContextTypeName="DriveHaxDataContext" TableName="Trades"&gt;
        &lt;/asp:LinqDataSource&gt;

    &lt;/div&gt;
    &lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre> <p>Default.aspx.cs</p> <pre class="code">using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Diagnostics;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Hook the LinqDataSource so we can replace its default (parameterized) select
        // with our own hand-built SQL.
        this.LinqDataSource1.Selecting += new EventHandler&lt;LinqDataSourceSelectEventArgs&gt;(LinqDataSource1_Selecting);
    }

    void LinqDataSource1_Selecting(object sender, LinqDataSourceSelectEventArgs e)
    {
        DriveHaxDataContext driveHax = new DriveHaxDataContext();

        if (this.txtParams.Text.Length &gt; 0)
        {
            // The injection point: the TextBox value is concatenated straight into the
            // statement text, quotes and all.
            string sql = "select * from Trade where DealMember='" + this.txtParams.Text + "'";
            // ExecuteQuery runs the string exactly as assembled; nothing here is parameterized.
            var trades = driveHax.ExecuteQuery&lt;Trade&gt;(sql);
            e.Result = trades.ToList();
        }
    }

    protected void btnExecuteQuery_Click(object sender, EventArgs e)
    {
        this.lstTrades.DataSourceID = this.LinqDataSource1.ID;
    }
}
</pre> <p>Here’s a quick look at results and how SQL injection causes more data to be returned. 
</p><p>No Parameters:</p><br /><p><a href="http://lh4.ggpht.com/mark.roxberry/SE4DAnUvkrI/AAAAAAAAALY/0eOprFUnw_Y/s1600-h/clip_image006%5B3%5D.jpg"><img title="clip_image006" style="border-width: 0px;" alt="clip_image006" src="http://lh6.ggpht.com/mark.roxberry/SE4DBrEZlgI/AAAAAAAAALc/wyuFLwd7G5U/clip_image006_thumb.jpg?imgmax=800" border="0" height="118" width="244" /></a></p><br /><p>Use a name that I know has a trade, and return data:</p><br /><p><a href="http://lh6.ggpht.com/mark.roxberry/SE4DCaoypyI/AAAAAAAAALg/Qy5BFs8zXRw/s1600-h/clip_image008%5B3%5D.jpg"><img title="clip_image008" style="border-width: 0px;" alt="clip_image008" src="http://lh5.ggpht.com/mark.roxberry/SE4DDgJ46vI/AAAAAAAAALk/dD2LF0Fp12Q/clip_image008_thumb.jpg?imgmax=800" border="0" height="127" width="244" /></a></p><br /><br /><p>Use a simple SQL injection statement, and return more data:</p><br /><p><a href="http://lh4.ggpht.com/mark.roxberry/SE4DENrxcHI/AAAAAAAAALo/HWWD2fKGrYE/s1600-h/clip_image010%5B3%5D.jpg"><img title="clip_image010" style="border-width: 0px;" alt="clip_image010" src="http://lh5.ggpht.com/mark.roxberry/SE4DEtYwVHI/AAAAAAAAALs/qjgV0kURLCQ/clip_image010_thumb.jpg?imgmax=800" border="0" height="157" width="244" /></a></p><br /><p>I only did a query statement for this post; I have repeated this with ExecuteCommand with DML operations.</p><p>As you can see, while Linq has probably reduced the scope of SQL injection vulnerabilities for those who use it, it is certainly not impervious. What hacks and shortcuts have you done for performance? Or because it was too time consuming to learn a new syntax. Linq and its functional programming aspects will be new to many developers. 
I personally like Linq and think it is a very useful technology, but you should be aware of both its strengths and its weaknesses.</p>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-76710726611954961062008-05-29T15:04:00.002-04:002008-05-29T15:17:47.453-04:00Project Bullet Points<span style="font-weight: bold;">Introduction</span><br /><ul><li> OWASP.NET story and Who the heck am I?</li></ul><br /><span style="font-weight: bold;">Where we've been</span><br /><ul><li> Timely and targeted content and tools</li><ul><li> .Net and Partial vs. Full trust</li><li> Rooting The CLR</li><li> .Net Assembly Analyzer</li><li> Owasp Report Generator</li><li> Owasp Site Generator</li></ul><li> Great work with content and promotion by Dinis and Mike D, very tactical but maybe unreachable by a non-security developer</li></ul><br /><span style="font-weight: bold;">OWASP .NET SOC 2008 Goals</span><br /><ul><li> Balance highly technical content and tools with content to help developers get on board quickly. </li><li> Provide role based content (e.g. Architects, Developers, Ops, Pen Testers)</li><li> Get the word out. Remind everyone about us. </li><li> Participate in our constituent communities in OWASP, .NET and Security.</li><li> Alt.NET. There is great interest in alternative ideas, methodologies and tools. OWASP .NET can leverage this momentum and attract volunteers from this community.</li></ul> <br /><span style="font-weight: bold;">OWASP .NET Long Term Goals</span><br /> <br /> <span style="font-weight: bold;">OWASP .NET In Action</span><br /><ul><li>Mobilize OWASP .NET resources. Project volunteers can consult technology teams and provide great resources.</li></ul> <span style="font-weight: bold;">OWASP .NET Vulnerability Reviews</span><br /><ul><li>Initiate projects to review community .NET web projects. How do you secure Flexwiki or Community Server? 
Has anyone pen tested these apps?</li></ul> <span style="font-weight: bold;">OWASP .NET Code Projects</span><br /><ul><li>Next generation of OWASP projects, like Report Generator and Site Generator.</li><li>Guidance and Framework that integrates with ESAPI.NET and other providers (e.g. OpenID). Put it in place, and login controls, access control, auditing/logging/instrumentation visualizers are available.</li><li>Security testing code projects. NUnit and mock objects are useful tools; maybe a security toolset that includes fuzzing objects, common vulnerabilities, injection, FxCop, Owasp objects. SDD - Security Driven Development.</li></ul> <br /><span style="font-weight: bold;">Call to Action</span><br /><br /><span style="font-style: italic;">Join the mailing list</span><br /><br /> Go to the following page <a href="http://lists.owasp.org/mailman/listinfo/owasp-dotnet">http://lists.owasp.org/mailman/listinfo/owasp-dotnet</a> and fill out the section titled "Subscribing to Owasp-dotnet".<br /><br /><span style="font-style: italic;">Join a project</span><br /><br /> <a href="http://www.owasp.org/index.php/OWASP_.NET_Active_Projects">http://www.owasp.org/index.php/OWASP_.NET_Active_Projects</a><br /><br /><span style="font-style: italic;">Submit ideas for research</span><br /><br /> <a href="http://www.owasp.org/index.php/.NET_Project_Wishlist">http://www.owasp.org/index.php/.NET_Project_Wishlist</a><br /><br /><span style="font-style: italic;">Funded Summer of Code projects</span><br /><br /> For example, see SoC 2008: <a href="http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection">http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection</a><br /><br /><span style="font-style: italic;">Feel free to contact me with any questions</span><br /><br /> <a href="mailto:mark.roxberry@owasp.org">mailto:mark.roxberry@owasp.org</a>Mark 
Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-48068383149675248402008-05-23T17:37:00.001-04:002008-05-23T17:37:24.539-04:00European OWASP Application Security Conference <span xmlns=''><p>Chronicling my trip to Ghent, Belgium to talk about OWASP .NET Project plans, the next couple of blog posts will cover my recollections and impressions. First off, my presentation was fast and furious and while I was a little awkward, trying to get the feel for my audience and the environment, I think I managed to communicate our goals and plans. I had a few people express interest in different things we are doing and I consider that a win, as most of the developers at the conference were Java security pros. I had to pimp my Java skills to get the audience on my side, and not come across as a Microsoft only professional. So, it went well, I have a few references and will be posting more about Anti-Samy for .NET, open research on community projects and an action plan. 
Look forward to these posts in the next few days.</p></span>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-5424812009698394782008-05-17T23:29:00.000-04:002008-05-18T03:03:46.168-04:00OWASP .NET Project Weekly Update (Week Ending 5/17/2008)<strong>Project Reorganization</strong><br /><ul><li>Added <a href="https://www.owasp.org/index.php/WCF_Security_Best_Practices">WCF Security Best Practices</a></li><li>Finished my bullet points or "elevator speech" for the OWASP .NET Project</li><li>Finished my OWASP .NET Project slides for the OWASP Europe Keynote</li><li>Finished the OWASP .NET Project presentation</li><li>Added / Updated <a href="http://code.google.com/p/owasp-net-content/">OWASP .NET Content</a></li></ul><br /><strong>Media Outreach</strong><br /><ul><li>OWASP .NET Project mentioned at ASPNetPro, in <a href="http://www.aspnetpro.com/newsletterarticle/2008/05/asp200805dk_l/asp200805dk_l.asp">Open Source Security</a></li><li>I've had a few people contact me or Paulo Coimbra who are interested in contributing to the project.</li><li>I'm selectively e-mailing people about the project, letting them know that it's around and what we're up to.</li></ul><br /><strong>This week's plan</strong><br /><ul><li>I'll be in Ghent, Belgium for the OWASP European Conference. I'm on stage for the OWASP Tour keynote presented by Dinis Cruz (I have a couple of slides).</li><li>I'll write some stuff for the <a href="http://www.owasp.org/index.php/.NET_Penetration_Testing">.NET Security for Penetration Testing</a> pages.</li><li>I will reach out to the people at the following print magazines: Homeland Defense, ISSA, MSDN Magazine and Code Magazine. Maybe they're interested in the project or an article. 
</li></ul>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-49943167160725221682008-05-17T02:12:00.003-04:002008-05-18T01:18:25.655-04:00OWASP .NET Recruitment<span xmlns=''><p>I'm looking for anyone who is interested in writing articles or content, or code and tools for the OWASP .NET Project. I've put out a few announcements about the project. The most recent can be found at ASP.NET (Microsoft's ASP.NET site) @ <a href='http://forums.asp.net/tags/OWASP/default.aspx'>http://forums.asp.net/tags/OWASP/default.aspx</a> :<br /></p><p style='margin-left: 36pt'>Hi all,<br /></p><p style='margin-left: 36pt'>We're starting up the OWASP (Open Web Application Security Project) .NET Project Reorganization and I'm looking for your feedback. OWASP is a worldwide free and open community focused on improving the security of application software. The purpose of the OWASP .NET Project is to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework for web applications and services. The project will try to include resources from Microsoft and from the Open Source community, the Alt.NET community and other related security resources. 
We're looking for feedback from the ASP.NET community here for projects, tools and articles to help developers secure their code and sites as we redirect our efforts.<br /></p><p style='margin-left: 36pt'>In addition to feedback, if you have time and you're looking to work on projects for .NET security, if you want to write articles, create tools or other projects to help out fellow developers, please join us.<br /></p><p style='margin-left: 36pt'>For more information, feel free to e-mail me @ mark.roxberry@owasp.org or visit our site in progress: <a href='http://www.owasp.org/index.php/.NET_Project_ReOrg_Alpha'>OWASP .NET Project Reorganization (Alpha)</a>.<br /> </p><p>Mark Roxberry<br/>OWASP .NET Project Leader<br/>www.owasp.org</p></span>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-16304810618641002632008-05-16T00:11:00.002-04:002008-05-18T01:17:55.633-04:00Added WCF 3.5 Security Best Practices<span xmlns=''><p>I added <a href='https://www.owasp.org/index.php/WCF_Security_Best_Practices'>WCF Security Best Practices</a> to the OWASP .NET Site. The content is just a summary of what lives at Codeplex, but OWASP .NET should have references like this attributed to the author(s). I put the checklist up at OWASP; the reader can go to the <a href='http://www.codeplex.com/WCFSecurity'>Codeplex</a> site for more information.<br /></p></span>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-30653311570049682372008-05-15T23:12:00.001-04:002008-05-18T01:17:36.852-04:00OWASP Summer of Code 2008 Reviewers and Contributors Wanted<span xmlns=''><p>The Summer of Code is in full swing and we're looking for reviewers for projects. I am also looking for contributors for the OWASP .NET Project. 
For reviewers, there are quite a few projects, and compensation: free tickets to the OWASP NYC Conference or 12.5% of the project's stipend (~$300-$600). Here's the recent e-mail from Paulo Coimbra:<br /></p><p style='margin-left: 36pt'>Hello everyone,<br /></p><p style='margin-left: 36pt'>I hope you all are well.<br /></p><p style='margin-left: 36pt'>As you already know, OWASP has awarded 31 grants to promising application security researchers as part of the <a target='_blank' title='blocked::https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008' href='https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008'>OWASP Summer of Code 2008</a> (SoC 2008).<br /></p><p style='margin-left: 36pt'>As a result, I am here again taking your time - we are seeking out project reviewers so as to have all these projects assessed. <br /></p><p style='margin-left: 36pt'>Consequently, if you are interested in performing such a task, please don't hesitate and let us know as soon as possible. As a volunteer organization, we rely absolutely on your contribution. Hence, we lively encourage you to put forward your application to assume this reviewer role. <br /></p><p style='margin-left: 36pt'>To make your decision please look at the following information:<br /></p><p style='margin-left: 36pt'><strong>1.</strong><br/><strong>Where are the projects to review?</strong> These projects can be found <a target='_blank' title='blocked::https://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection' href='https://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection'>here</a>.<br /></p><p style='margin-left: 36pt'><strong>2.</strong><br/><strong>What are the reviewers' main tasks?</strong><br /> </p><p style='margin-left: 36pt'><strong>A</strong>. 
The main tasks are the result of a set of rules previously established in both the <a target='_blank' title='blocked::https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008' href='https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008'>OWASP Summer of Code 2008</a> initiative and the <a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Project_Assessment#Assessment_Scale_for_OWASP_TOOLS_Projects' href='https://www.owasp.org/index.php/Category:OWASP_Project_Assessment'>OWASP Project Assessment criteria</a>. <br /></p><p style='margin-left: 36pt'><strong>B.</strong> To exemplify, please take into consideration the <a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project' href='https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project'>OWASP Skavenger Project</a>. <br /></p><p style='margin-left: 36pt'><strong>C.</strong> Simplifying, I would say that the work review will basically consist in certifying that the <a target='_blank' title='blocked::https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications_-_Need_Futher_Clarifications#Skavenger' href='https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications_-_Need_Futher_Clarifications'>project's objectives and deliveries</a> were accomplished and, taking into consideration the <a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Project_Assessment' href='https://www.owasp.org/index.php/Category:OWASP_Project_Assessment'>OWASP assessment criteria</a>, in certifying that the Beta Status was reached. Additionally we expect the reviewer always to be available to provide useful advice to the project developer. 
These tasks must be performed twice: the first one, the 50% Review, by June 29 and the second one, the Final Review, by September 15.<br /></p><p style='margin-left: 36pt'><strong>D.</strong> Regarding the question of the project status, it is important to clarify that, even though the majority of the projects have to reach Beta status, there are also some others, in which the status target is Release Quality. That is to say, that each project built on previous work done within OWASP (<a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Project<br />Category:OWASP Project' href='https://www.owasp.org/index.php/Category:OWASP_Project'>Existing OWASP Projects</a>) should obtain Reviewers' agreement that a <a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Project_Assessment<br />Category:OWASP Project Assessment' href='https://www.owasp.org/index.php/Category:OWASP_Project_Assessment'>Release Quality</a> stage was achieved. <br /></p><p style='margin-left: 36pt'><strong>3. Who can be a reviewer?</strong> If you are interested in contributing and feeling comfortable with the technical matters in question, you can be project reviewer. We encourage also the OWASP Summer of Code 2008 participants to take part in reviewing someone else's SoC 2008 project. However, please pay attention to the fact that, at least, one of the two Project Reviewers should be an OWASP Project or Chapter Leader. <br /></p><p style='margin-left: 36pt'><strong>4. Will this work be paid? </strong>Well, in terms of paying the market value of your work, we wouldn't dare say 'yes'. 
However, we will reward this contribution either with a free ticket to attend the <a target='_blank' title='blocked::https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference' href='https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference'>OWASP NYC AppSec 2008 Conference</a> or with 12,5% of the value of the project to be reviewed.<br /></p><p style='margin-left: 36pt'><strong>5.</strong><br/><strong>Where can I find the project's progress page in which I am interested? That is to ask, where can I find the page similar to the <a target='_blank' title='blocked::https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project' href='https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project'>OWASP Skavenger Project</a> one? </strong>Currently, nowhere, but very soon each project will be supplied with its own progress page.<br /></p><p style='margin-left: 36pt'><strong>6.</strong><br/><strong>So, if I am interested in being one of the reviewers,</strong><br/><strong>how should I proceed?</strong><br /> </p><p style='margin-left: 72pt'><strong>A.</strong> Please drop me a line to let me know about your interest. <br /></p><p style='margin-left: 72pt'><strong>B.</strong> I will put you in direct contact with the project's author. <br /></p><p style='margin-left: 72pt'><strong>C.</strong> Having reached the author's agreement, please inform us.<br /></p><p style='margin-left: 72pt'><strong>D.</strong> As all reviewers must have OWASP Board approval, we will inform you as soon as possible about their decision. 
<br /></p><p style='margin-left: 36pt'>To conclude, having any kind of doubt, don't hesitate and get back to us.<br /></p><p style='margin-left: 36pt'>We thank you in advance, best regards,<br /></p><p>Paulo Coimbra<br/>OWASP Project Manager</p></span>Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0tag:blogger.com,1999:blog-3141405516110014435.post-14917592703235347362008-05-09T22:00:00.000-04:002008-05-10T01:21:28.456-04:00My OWASP .NET Blog Inaugural PostFirst off, this is my blog for stuff for the OWASP .NET Project. It isn't moderated or officially endorsed by OWASP. And anything I write here, is my opinion or experience. Feel free to comment or criticize.<br /><br />That being said, I'd like to use this blog as an online notebook to track progress and capture ideas that aren't necessarily ready for the OWASP .NET Project Wiki. I'd like to use this to preview articles and content and have anyone who is interested give me feedback. I will also use it for announcements about OWASP projects and OWASP events that are relevant to the .NET Project.<br /><br />The status for the .NET Project as of 5/10/2008<br /><br /><span style="font-weight: bold;">Project Reorganization</span><br />I've spent more time on drafts and ideas. I put more links for pages up, but am still working on the content for roles. My draft is becoming more like a guide (and maybe that's what it should be).<br /><br />I started a Google code project, <a href="http://code.google.com/p/owasp-net-content/">OWASP .NET Content</a>, to track content submissions, edits, reviews and archives. Specific status items can be found here. I'll keep it updated and when a critical mass is reached, I'll ping the mailing list. Each task will be listed, and you can get a status of what is being worked on. 
Feel free to join the project.<br /><br /><span style="font-weight: bold;">Media Outreach</span><br />I worked on the presentation and will put out "talking points" for the project (these are actually the current tasks that I am working on).<br /><br />I'll put a link to the tracking document here. This week I'll send out a letter to the editor for MSDN, Code Magazine and hit up a few of the podcasts to see if anyone is interested. I'll also hit up OWASP again about their podcasting plan.<br /><br />The difficulty I expect to have is that everything is a work in progress and everyone is short on time (this is why I started the Content project on Google Code, to get a good list of completed items to talk about).<br /><br /><span style="font-weight: bold;">Looking Ahead</span><br />Here are a few ideas that I'd like to explore beyond my commitment to the reorganization:<br /><br />1. Measure / Countermeasure research for .NET technologies and platforms<br /><br />I put up a page for <a href="https://www.owasp.org/index.php/OWASP_.NET_Vulnerability_Research">OWASP .NET Vulnerability research</a>. Has any of the stuff that we're putting into play been pen tested, or is there sufficient guidance for security? Maybe, but OWASP .NET can be the clearinghouse for testing these projects.<br /><br />2. Developing a Security Framework for ASP.NET<br /><br />One of my personal fears is that as secure as I can make my site, or a client's site, that's all moot if you wander to a site that isn't secure. With the express editions of Visual Studio and the relatively cheap cost to run a .NET / SQL Server web application on a shared server, there's the potential of a lot of insecure code waiting to be exploited. I'd like to distill the SDL to a few checklists and push out a framework that gives a decent secure site. 
Some of the features that the framework would include:<br /><ul><li>Guidance navigator content (checklists for securing a site or service)</li><li>Provider model for security API (e.g. <a href="http://www.owasp.org/index.php/ESAPI">ESAPI .NET</a> integration and realization)</li><li>Webform and MVC flavors (including web controls using the API)</li><li>Unit tests</li><li>Access Control visualization - start with full exclusion and have an access control visualization for configuration and validation to test the controls.</li><li>Plugin / Provider framework for XSS / SQL Injection / Fuzzing / other vulnerability testing (à la NUnit for penetration testing)</li></ul>3. Interactive .NET Security Educational Materials<br /><br />I've been using the <a href="https://connect.microsoft.com/Grava">Grava</a> beta and it's a pretty engaging tool for education. It's obvious with the recent SQL Injection "worm" that applications are not being tested for basic security flaws. The problem is part tools and part education. And with the next generation of developers coming into the workforce, we have to provide the tools and education (and a discussion about consequences and ethics) to protect our users.<br /><br />Comments are welcome.Mark Roxberryhttp://www.blogger.com/profile/04057868379679678809noreply@blogger.com0