Saturday, March 13, 2004

Dev Days

Microsoft's Dev Days event passed through KC this week. I was pleased to have been asked to present at the event, and enjoyed the experience a great deal. In the final web app track session, Rick Kight and I split a presentation discussing Microsoft's entry into eWeek's OpenHack competition.

In 2002, eWeek sponsored a competition in which applications could be submitted, posted on the Internet, and opened up to attackers. Oracle and Microsoft both submitted applications, and Microsoft's withstood the challenge. (The Oracle application did allow cross-site scripting. This isn't a weakness of the Oracle product, just careless coding.)

It was interesting digging into a "secure" application and learning various techniques. Most important to me were the input validation and scrubbing techniques. On any web form, ASP.NET's validation controls restrict the characters a field will accept, which keeps a malicious user from submitting script through the form in the first place. Query string parameters don't go through those controls, so every one of them is passed through a "CleanString" method that scrubs the value before it is handed to a stored procedure. Finally, any value written back out to a page goes through a method that HTML-encodes it, so anything that does slip past the input checks renders as text rather than as markup.
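An added example of the three layers described above, written in C# for this page; it is not code from the original post or from the OpenHack entry itself. The `CleanString` allow-list, the `IsValidUserName` rule, the `usp_GetUser` procedure name and the sample input are assumptions made for illustration, not Microsoft's implementation.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility.HtmlEncode lives in System.Web.dll

// Added example: CleanString-style scrubbing, form-style validation,
// a parameterized stored procedure call, and HTML-encoded output.
// Names and rules here are assumptions, not the OpenHack application's code.
public static class InputHygiene
{
    // Allow-list: letters, digits, space and a handful of punctuation marks.
    // Angle brackets, quotes, semicolons and everything else are dropped.
    static readonly Regex Disallowed =
        new Regex(@"[^A-Za-z0-9 .,_@-]", RegexOptions.Compiled);

    // Scrub a query string value before it goes anywhere near the database.
    public static string CleanString(string input, int maxLength)
    {
        if (input == null) return string.Empty;
        string cleaned = Disallowed.Replace(input, string.Empty);
        return cleaned.Length > maxLength ? cleaned.Substring(0, maxLength) : cleaned;
    }

    // What a RegularExpressionValidator on a form does: reject rather than repair.
    public static bool IsValidUserName(string input)
    {
        return input != null && Regex.IsMatch(input, @"^[A-Za-z0-9_]{3,20}$");
    }

    // Hand the scrubbed value to the stored procedure as a typed parameter,
    // never by concatenating it into a command string.
    public static SqlCommand BuildLookup(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("usp_GetUser", conn);   // hypothetical procedure name
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 20).Value =
            CleanString(userName, 20);
        return cmd;
    }

    // Every value written into a page goes through here.
    public static string Encode(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample of a hostile query string value.
        string hostile = "<script>alert('xss')</script>";

        Console.WriteLine("valid user name? " + IsValidUserName(hostile));
        Console.WriteLine("scrubbed:        " + CleanString(hostile, 50));
        Console.WriteLine("encoded:         " + Encode(hostile));
    }
}
```

The order matters: scrubbing and validation cut down what reaches the stored procedure, the typed parameter keeps whatever does reach it from being interpreted as SQL, and the encoding on the way out is what actually stops the script-in-a-page problem that caught the Oracle entry. Scrubbing alone would not be enough for either.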

I also enjoyed visiting with friends and co-workers Dan Fox and Jon Box.
