The workshop was actually really good, and I’m pleased to have attended. Normally when you go to one of these Microsoft-sponsored events, especially during launch time, the ‘training’ turns out to be 90% spiel on the newest release and why you should get it, and 10% actually useful information. This one, however, was quite the opposite.
The first presenter was Dennis Hurst, Senior Consulting Engineer from SPI Dynamics. This part was primarily focused on going over the primary vulnerabilities of the major layers in Web technology; application, network and protocol. Then he went on to list the primary ways to secure those vulnerabilities. The most startling part of this section was when he used a proxy program to intercept and alter any part of the HTTP request, thereby exposing various server holes. Then, using another utility which is freely available to hackers, he demonstrated how, using SQL injection (both blind and regular), he could essentially steal the data from an entire database in seconds. That really made me sit up and take notice. As a web developer, you often hear about SQL injection, cross site scripting and request interception, but to see it and how easy it is is pretty scary. However, now I have a really solid understanding of how to protect my apps from these attacks. The simplest of these is to just use SQL stored procedures for all CRUD (create read update delete) functions, and use custom errors. Although it’s not foolproof, it makes things that much more difficult, and if you’re difficult enough, maybe they’ll move on to an easier target.
The next presenter was Talhah Mir, Security Technologist for Microsoft. His presentation concerned web application threat analysis. Most of the threat and risk assessments are a function of intuition and experience. Mr. Mir demonstrated how you could break down the objects, roles and functions within an application, and create a very systematic threat matrix, and furthermore map each threat to a business impact. This is really important, because your business-focused clients or team members do not have to have technical security knowledge in order to clearly understand the impact of not dealing with potential threats.
The last presenter was Jeffrey Richter from Wintellect. His presentation seemed to be primarily focused on his product line, so that’s when I ducked out. It was the last half hour of the 4 hour session, so all in all I think it was a worthwhile topic. I’ve already started evangelizing at my work about the necessity of implementing security in web applications throughout the entire development cycle, not just an afterthought as it is now. I only hope that it’s not falling on deaf ears. It was ironic that not four days later, I was pulled into a meeting between my group and the data design group. One of our developers on a project was resistant to implementing stored procedures in the application despite the standards that the data group are trying to implement. I expect that I was pulled in to back my group’s side, but that certainly backfired. On the up side, I know have the undying respect and gratitude of the data group, so it’s not all bad.