Securing If Statements
Filed under: Development, Security
While recently reviewing the details of the GSSP-.NET certification, I came across the topic of “securely formed if and while statements.” At first, I was a little confused about what this really meant. I believe that a securely formed ‘if’ statement would be one that has the constant on the left, rather than the right. ...
HTMLAttributeEncode Framework differences
Filed under: Development, Security
I have done a few posts regarding Cross Site Scripting and how to protect against it. I came across an interesting item today comparing the output of HTMLAttributeEncode between .Net 1.1 and 2.0+. I thought it would be a good idea to dig a little deeper into how the encoding really works. The .Net 1.1 ...
Microsoft Introduces Quick Security References
Filed under: Security
Yesterday, Microsoft released two new Quick Security References (QSRs) to help application development teams understand security issues. These new guides are the first part of a continuing series to help multiple roles within the team understand common vulnerabilities. Not only do they provide great detail on the security issues, but they also help teams move ...
Creating the Reply With Meeting OL2007 Add-In (Part 1)
Filed under: Development
Note: This is the first part in a multi-part series to create this add-in. I chose to break this up into multiple parts so that some parts (like this one) can be used by anyone creating an add-in. This post will only create the add-in shell and will not show how to reply with a meeting. ...
Protecting against Cross Site Scripting
Filed under: Security
One of the most important defenses against cross site scripting is encoding the output. The .Net framework provides built-in routines for you. These methods, HTMLEncode and HTMLAttributeEncode, can be found in the HTTPUtility class. It is very easy to implement these methods, and they should be used on all output that is untrusted (i.e., ...
CAT.NET Microsoft’s Code Analysis Tool
Filed under: Security
Microsoft has introduced a new code analysis tool called CAT.NET to help analyze source code for security flaws within managed applications. This is a Visual Studio add-in that works directly within Visual Studio, so there is no need for separate programs. The tool will trace through all statements, methods, and assemblies referenced within the application. ...