DevDays, March 16, 2004 - Atlanta, GA

Published Tue, Mar 16 2004 16:05 | William

I just got back from DevDays in Atlanta only to find out I left my house keys in the hotel room.  However, it was well worth it.  There were two tracks available, ASP.NET Security and Smart Client Applications and I attended the former session with my friend and fellow employee Adam Gilstrap. 

For a while now, we've been hearing that Microsoft has really started to emphasize security and today I got a feel for how serious they are about it. 

We arrived at the Galleria where it was held around 7:00 am.  Registration was a breeze and your standard breakfast fare was there.  I was up pretty late last night watching “Kill Bill” so I had to overload on caffeine to get going, but by 8:00 I was ready to go.  The accommodations were nice and the Galleria is a great place.  The only gripe I have is that I don't think it's possible to find more uncomfortable chairs.  Other than that, the surroundings were great.  As far as the 'grab bag' goes, it's packed full of cool stuff.  No t-shirts, but there was a bunch of cool software and utilities so that made up for it.  Moreover, all of the code discussed at DevDays was included on CD-ROM.  That's way cool considering that most of the security code that was discussed can be copied and pasted directly into existing apps.  If they'd have had this a year ago, I could have just used the code they included and pretended to be busy for two months, all the while building some stuff that would make me look like an all-star.

Everything started out with your basic “Security is important” speech and they reviewed Windows XP Service Pack 2 and what we can expect with it.  A few of the features mentioned include: Firewall on by default, email won't assume attachments are safe, web UI spoofs will be totally obvious, there will be a “Never” feature for those annoying “Trust Content from AnnoyingCompany” popups and plenty more.  It's still in beta but scheduled to be released soon.

Shortly thereafter, Jeff Prosise (http://www.wintellect.com/about/instructors/) discussed threats posed in ASP.NET applications.  I've been a big fan of the guys at Wintellect for a long time, and have purchased just about every title one of their guys has written.  I've read and enjoyed two of Prosise's books, but seeing him speak in person was a real treat.  About 10 minutes after he started, paranoia started kicking in and I started trying to remember if I crossed all of my 'i's and dotted all of my t's at two of the sites I've built.  Fortunately, I had all of the big issues covered, but I quickly came to realize there's ALWAYS room for improvement.

Afterward we were treated to some speakers from RDA (a very impressive crew although I hadn't heard of them before), and The Ken Spencer.  He acknowledged that he's currently 52 years old, which is really amazing considering his command of different technologies.  Well, I have 20 years to go before I'm his age, and if I'm half that knowledgeable, I'll be quite pleased.

Ken spoke on a little different topic and addressed SQL Server 2000 Reporting Services in particular.  This stuff was cool and from what I saw, start shorting your Seagate stock.  In addition, we learned about some of the new stuff MS has in store for us, and it was cool.

The endnote was a walk-through of Whidbey and what's in store.  I was amazed at how much is changing in ASP.NET 2.0.  The speaker said one of the design goals for ASP.NET 2.0 was to reduce the amount of code needed for an application by 70%.  Sure sounds great, right?  Well, from what I saw today, it's probably a benchmark that's going to be met.

Instead of going through a play by play of everything, let me synthesize what I got from the discussions:


1)  Dynamic SQL is not only evil, it's PURE Evil.  Don't use it.  One of the speakers recommended deleting any code you have if it contains Dynamic SQL.  Then, after you've deleted it, he recommends emptying your recycle bin so it's nowhere near you.  The jury's returned and the verdict is unanimous, there's NO PLACE FOR DYNAMIC SQL IN modern programming unless you don't care if your database gets destroyed or made public.  Use Stored Procedures if possible, and if you can't for some reason, make sure you use Parameters!

2)  Validate everything.  I 'thought' I had a good grip on security, but I learned a few things that were real eye openers.  Think your client side validation is enough?  Try turning off JavaScript and get back to me on this.

3)  Encrypt Everything!  If they can't read it, they can't use it against you.  Enough said. And remember, HASH and SALT are good for you.

4)  Recover Gracefully!  Structured Exception handling is one truly great feature of .NET.  However, you really don't want to publish ex.ToString() anywhere someone can see it.  Exception messages can easily give an attacker all the information they need to really do you in.

5) Learn HttpUtility.HtmlEncode

6)  Keep learning.  Hackers are getting better and worse, they're getting faster.  If you don't keep up to date on current threats, and you don't keep service packs and patches up to date, you're in for an ugly date with destiny.
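As an added example (not code from the post, the speakers, or the DevDays CD), here is how the list above translates into C# for an ASP.NET app of that era: the string-concatenated query the speakers condemned beside its parameterized and stored-procedure forms (lesson 1, including the IN-list case raised in the comments below), a server-side validation check (lesson 2), a salted hash (lesson 3), exception handling that logs the detail but never echoes it to the browser (lesson 4), and HttpUtility.HtmlEncode on output (lesson 5). The Users and Products tables, the usp_GetUser procedure and the user-name regular expression are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example; the Users/Products tables and usp_GetUser procedure are assumed.
public class DevDaysLessons
{
    // Lesson 1, BEFORE: the user name is glued into the SQL text, so the input
    // can rewrite the statement. Shown only to contrast with the forms below.
    public static string UnsafeSql(string userName)
    {
        return "SELECT UserName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Lesson 1, AFTER: the statement text is fixed; the value travels as a typed
    // parameter and is never interpreted as SQL.
    public static SqlCommand SafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT UserName FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Lesson 1, stored-procedure form: same parameter, no SQL text in the app.
    public static SqlCommand ProcCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand("usp_GetUser", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // The IN-list case: the statement text is still built at run time, but only
    // parameter NAMES are concatenated; every value is its own typed parameter.
    public static SqlCommand InListCommand(SqlConnection conn, int[] ids)
    {
        SqlCommand cmd = new SqlCommand();
        cmd.Connection = conn;
        StringBuilder sql = new StringBuilder("SELECT Id, Name FROM Products WHERE Id IN (");
        for (int i = 0; i < ids.Length; i++)
        {
            string name = "@id" + i;
            sql.Append(i == 0 ? name : ", " + name);
            cmd.Parameters.Add(name, SqlDbType.Int).Value = ids[i];
        }
        cmd.CommandText = sql.Append(")").ToString();
        return cmd;
    }

    // Lesson 2: re-validate on the server; client-side JavaScript can be off.
    public static bool IsValidUserName(string userName)
    {
        return userName != null && Regex.IsMatch(userName, @"^[A-Za-z0-9_]{1,50}$");
    }

    // Lesson 3: random per-user salt, then hash(salt || password). Salted SHA-256
    // is the shape from the talk; a deliberately slow password hash is what
    // current guidance recommends for stored credentials.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        return salt;
    }

    public static string HashPassword(string password, byte[] salt)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        return Convert.ToBase64String(SHA256.Create().ComputeHash(input));
    }

    // Lesson 4: log the full exception where only you can read it and send the
    // user a generic message. ex.ToString() never reaches the browser.
    public static string RunScalar(SqlCommand cmd)
    {
        try
        {
            cmd.Connection.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? "" : result.ToString();
        }
        catch (SqlException ex)
        {
            Trace.WriteLine(ex.ToString());   // server-side log only
            return "Sorry, we could not complete your request.";
        }
        finally
        {
            if (cmd.Connection.State == ConnectionState.Open) cmd.Connection.Close();
        }
    }

    // Lesson 5: encode anything user-supplied before it goes into the page.
    public static string Greeting(string userName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }
}
```

The point of InListCommand is the one the author makes in the comments: generating the statement text conditionally is fine as long as the only things spliced into it are parameter placeholders you control, never the values themselves.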

I'm going to fill in the gaps with all of the specific examples (which is going to take a while, there was a lot of material) and should have it up tomorrow.

Comments

# William said on March 17, 2004 3:28 PM:

"Pure evil"? That's pretty harsh. D-SQL does have a place - perhaps not in asp.net, but it most certainly does in VB.net. I challenged you to write some of the search engines I've written *without* D-SQL.

# William said on March 21, 2004 9:32 AM:

W Hoover:

I appreciate your post yet I stand by my position. Perhaps in the past, DS wasn't 'pure evil' b/c dynamic queries were necessary and stored procs weren't a real one-size-fits-all solution. However, there's nothing that you can do by concatenating strings to build a SQL Statement that couldn't be done using 'dynamic' yet Parameterized queries. If you can concatenate it into a string, you can just as easily use a Parameter. The only exception (sort of) is using an IN Statement. However, as I wrote in this Article, that's easily dealt with.

I'm wondering if we don't have a definitional difference. By “Dynamic SQL” I'm referring to building the variable value into the string, not conditionally creating a SQL Statement but using parameters.

Drop me a line though, I'd love to discuss this further.
