SEARCH RESULTS
 
Showing 1-10 of 123 records
 

PrincipalPermissionAttribute and Static ctor Leads to DoS

2007-12-03 09:03:00 by Keith Brown in Security Briefs
 
I recently heard a colleague lamenting that he was having difficulty using PrincipalPermissionAttribute at the class level in a certain scenario under WCF. I recommended caution in my guidebook, because of the nasty type load exception that you can run into if the first request to the class is denied by the attribute. Be careful about using this...

The Austin Project

2008-01-21 22:45:39 by RSnake in ha.ckers.org web application security lab
 
Two days ago I found myself reading something written by one of my readers about something I had written. Unfortunately, it not only completely missed the point of what I had talked about, but some dramatic and ultimately incorrect assumptions were drawn due to complete lack of technical understanding on this reader's part. I'm not going to out...

SDL Training

2008-05-29 15:22:00 by sdl in The Security Development Lifecycle
 
Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsoft's SDL process...

Web 2.0 Security - The Beginning of the End or The End of the Beginning

2008-05-29 15:26:12 by Gunnar Peterson in 1 Raindrop
Given past performance of software security, it's hard to be optimistic where things are going wrt Web 2.0 security. Granted, when Web 1.0 was built out we did not have the ability to use static analysis to find vulnerabilities, we didn't have good identity standards and so on. So are we at a new beginning where new tools and mechanisms will save...

Better exception reporting in ASP.NET part 2

2008-08-04 14:11:14 by keith-brown in Security Briefs
 
This is the third post in a series. The first post described the problem: ASP.NET wasn't reporting inner exception stack traces. The second post described my solution. This post shows the code I used to solve the problem: a custom email provider for the Health Monitoring system in ASP.NET. Enjoy. Here's the provider. Note that I opted *not* to build...

Serializable XmlDocument

2008-08-19 02:58:00 by keith-brown in Security Briefs
It's surprising that XmlDocument isn't marked [Serializable], because it's very natural to serialize one into a stream. I wanted to put an object into ASP.NET ViewState the other day, and quickly ran into this roadblock, because part of the object included an XmlDocument, which is not serializable. A quick search revealed that most people deal...
 
 
 
 
 

Identity Framework Probable Feature List

2007-12-16 06:42:00 by Keith Brown in Security Briefs
Vittorio has just concluded a series of posts where he's sharing a sneak preview of the Identity Framework (Fx for this post). Based on what he's shown and his descriptions, I've put together a little list of some features we can probably expect from the Fx. This is all pre-alpha stuff and the API will probably change, but the core features...
 
 
 
 
 

Fly through airport security with Clear, but you don't have less security?

2008-06-04 12:26:56 by HASH0x8b3dfdc in StillSecure, After All These Years
A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers. Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do, like Denver and Reagan, that I thought, for free, what do I have to lose. I filled out the forms on...

Fly through airport security with Clear, but you don't have less security

2008-06-04 13:26:24 by ashimmy in StillSecure, After All These Years
A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers. Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do, like Denver and Reagan, that I thought, for free, what do I have to lose. I filled out the forms on...