Sunday 1 June 2008

System.Security.Cryptography

Complete .Net Cryptography classes, interfaces and enumerations listing from MSDN. I wanted to keep this live on my blog for future reference. Also check out this article on MSDN: [Protecting Private Data with Cryptography Namespaces of the .Net Framework]


Saturday 31 May 2008

Cool MS Security Videos

Check out the Microsoft Hello Secure World web site. They have some cool videos on

  • RMS Architecture
  • Symmetric Keys
  • Digital Signatures
  • Cross Site Request Forgery
  • Hashing
  • ASP.Net SQL Injection

SQL Injection Attacks

Often, the SQL Injection payload is designed in a generic manner so that it works against many SQL databases and database servers. In most cases the security loophole lies in poorly designed data access code. Although it can be argued that there is much more to it than securing data access code, I'm talking about the majority of such attacks and how imperative it is to secure the data access code.
The impact of an SQL Injection Attack can be on
- The Database (contents of the DB are compromised)
- The Users (malware injected directly; users do not know because they trust this website)
The SDL, aka the Trustworthy Computing Security Development Lifecycle (a process that Microsoft has adopted for the development of software that needs to withstand malicious attack), is a good thing to adopt and follow.
"Microsoft's experience indicates that the SDL is effective at reducing the incidence of security vulnerabilities. Initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3, and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security, and subsequent software versions, reflecting enhancements to SDL, appear to be showing further improvements in software security" - SDL Conclusion from MS.
Now, a quick look at securing your data access code, referred from the MSDN SDL Blog and Michael Howard's blog (co-author of Writing Secure Code).
Use the following in your data access code:
1] SQL parameterized queries
2] Stored procedures
3] SQL EXECUTE-only permission
These are not mere recommendations; they are requirements! More on the nitty-gritty of these techniques can be found on the SDL Blog, Michael Howard's blog and the MS Security Research site.
One might argue that SQL Injection Attacks are also mainly due to 'N00b' developers. This might be partly so. Periodic training for developers, testers and security analysts on current security issues, best practices from the SDL, etc. is imperative here. Training is also a strict requirement in the SDL. After all, knowledge is power, knowing is dangerous, knowing is everything...
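The three requirements above applied to a single lookup in ADO.NET, as an added example that is not code from the post, the SDL Blog or MSDN. The table `Users`, its columns, the stored procedure `usp_GetUserEmail` and the login `WebAppLogin` are hypothetical names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the post or MSDN). Table "Users", columns "UserName" /
// "Email", procedure "usp_GetUserEmail" and login "WebAppLogin" are hypothetical.
public static class UserRepository
{
    // Flaw: the user-supplied value becomes part of the SQL text, so the
    // database cannot distinguish data from command. This is the pattern an
    // injection payload abuses.
    public static string GetEmailUnsafe(SqlConnection conn, string userName)
    {
        var sql = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
            return cmd.ExecuteScalar() as string;
    }

    // 1] Parameterized query: the value travels as typed data, never as SQL
    // text, so quotes or comment markers inside it are inert.
    public static string GetEmailParameterized(SqlConnection conn, string userName)
    {
        const string sql = "SELECT Email FROM Users WHERE UserName = @UserName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }

    // 2] Stored procedure called with CommandType.StoredProcedure, so the name
    //    is not concatenated into a batch either. Caveat: a procedure that
    //    builds dynamic SQL internally with EXEC gives this protection up.
    // 3] EXECUTE-only permission: the application login holds only
    //       GRANT EXECUTE ON dbo.usp_GetUserEmail TO WebAppLogin;
    //    and no SELECT/INSERT/UPDATE/DELETE on the underlying tables, which
    //    limits what an injected statement could do even if one got through.
    public static string GetEmailStoredProc(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("dbo.usp_GetUserEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```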

Thursday 15 May 2008

Rejuvenated Feeling

After being in hibernation mode for quite some time, mostly because of hectic coursework and university commitments, I am quite excited to start blogging again.

Thursday 10 April 2008

The Apple iPhone OS 2.0 Beta Drama..

The Apple iPhone OS 2.0 beta build for developers, which was just 11 days old, was rolled back all of a sudden by Apple yesterday, and developers were left in the lurch.
I actually did read the posts on the Apple forums and couldn't stop laughing.
I've been developing software for smartphones on Microsoft platforms using eVC++ (and .Net of late), and in my small world of experience, I should say the development tools and the platform itself are very mature and completely robust/programmer friendly. Google 'PPC apps' and check out the kind of apps and support available out there for the Windows Mobile platform.

I was actually quite impressed with the Apple iPhone developer showcase, with stuff like OpenGL and OpenAL support, MS Exchange Server integration, the amazing accelerometer, and the even more amazing touch screen/gesture input emulation using mouse and keyboard inputs while developing (http://portablevideogamer.com/category/iphone/). I loved Apple for their sheer software/hardware 'Design' and 'Usability' in all their products to date, but I lost the respect I had for Apple today...
I was ROTFL when I read the developer nightmare stories, when they woke up one fine morning to see that the OS on their phone had expired!!!! Bwahhahahahhha, what an amazing sci-fi fantasy story... wait a minute, for real now..? bwahahahahahaha....

Catch all the fun live here:
http://discussions.apple.com/thread.jspa?threadID=1476975&tstart=0
I'm beginning to think that this might be an 'expire_counter = 9;' instead of 'expire_counter = 90;' kind of issue with the iPhone SDK team... still wondering..