SDL Regex Fuzzer

Posted on November 1, 2010
Filed under: Development, Security 

Updated 11/2/2010: Microsoft has released a new "Free" tool called the SDL Regex Fuzzer. You can download the tool from Microsoft's Download Center here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f. The Regex Fuzzer is used to test regular expressions to see if they are vulnerable to denial-of-service attacks (ReDoS). A Regular expression denial of ...

Microsoft SDL Version 5 Released

Posted on May 5, 2010
Filed under: Development, Security 

The latest update to Microsoft's Security Development Lifecycle (SDL) was released on March 31, 2010. You can download the Microsoft SDL V. 5 from here. This version has many updates around agile SDL practices. Building a secure SDLC is a priority concern for many development organizations today. Microsoft ...

ASP.Net Custom Headers

Posted on April 22, 2010
Filed under: Development, Security 

Have you ever taken the time to look at the headers that are returned from your ASP.Net application? If you have, you may have noticed the following two headers that are added for ASP.Net:

X-Powered-By: ASP.Net
X-AspNet-Version: x.x.xxxx (the version of .Net used for the application)

Many people ask how to remove these two headers from the ...

Security Abstraction: How much is too much?

Posted on April 22, 2010
Filed under: Development, Security 

I was having a conversation the other morning with a colleague and we were discussing how much security an enterprise web application developer should be exposed to. This topic has come up in numerous conversations over the past year or so and it is still debatable. The question is how much abstraction should, ...

Simplified SDL

Posted on February 10, 2010
Filed under: Development, Security 

Last week Microsoft provided a document outlining a 'Simplified Implementation of the Microsoft SDL'. This document provides the required information for minimum SDL compliance.  At 17 pages, it is a quick, yet detailed, read.  The Secure Development Lifecycle is not just for Microsoft projects, and can be used with any language.  Microsoft has even updated ...

Securing If Statements

Posted on January 30, 2010
Filed under: Development, Security 

While recently reviewing the details of the GSSP-.NET certification, I came across the topic of “securely formed if and while statements.”  At first, I was a little confused about what this really meant.  I believe that a securely formed ‘if’ statement would be one that has the constant on the left, rather than the right.  ...

HTMLAttributeEncode Framework differences

Posted on January 20, 2010
Filed under: Development, Security 

I have done a few posts regarding Cross Site Scripting and how to protect against it.  I came across an interesting item today comparing the output of HTMLAttributeEncode between .Net 1.1 and 2.0+.  I thought it would be a good idea to dig a little deeper into how the encoding really works.  The .Net 1.1 ...

Creating the Reply With Meeting OL2007 Add-In (Part 1)

Posted on January 17, 2010
Filed under: Development 

Note: This is the first part, in a multi-part series to create this add-in.  I chose to break this up into multiple parts so some parts (like this one) could be used by anyone creating an add-in.  This post will only create the add-in shell and will not show how to reply with a meeting.  ...
