Friday, March 31
by chris on Fri 31 Mar 2006 02:50 AM PST
Recently I was accused of being a little 'corporate' in my attitude, which can really hurt a techie's feelings.
The best way to make up for this is to get a really good techie book and read it.
The book I chose was Keith Brown's "The .Net Developer's Guide to Windows Security".
Read it in a day!
I can't speak highly enough of this publication - not only was it concise, illuminating and educational, it was also well written! This guy certainly has the gift of teaching, and was very enthusiastic.
What I personally got from this book was a really good understanding of the authentication that takes place with any web application, and how to make the identity flow across the network. This is something that catches out a lot of developers. Often the question is asked "why was a null session used to access the database"? Well, the answers are all here.
It has great coverage of the new features of .Net 2.0, which seem to be mostly accurate (even though the book was written against beta 1).
by chris on Fri 31 Mar 2006 12:44 AM PST
It's a common misconception that query strings are not protected by SSL. Many developers go to great lengths to protect the data (encrypting the contents, POSTing a form instead) because they think that a network monitor can pick up the query string data.
This is not the case. The query string is part of the HTTP request line (for example GET /page.aspx?id=42 HTTP/1.1), and the whole HTTP request, request line, headers and body, is sent inside the SSL session. An eavesdropper on the network sees only the server's host name and port (from DNS and the connection itself) and the size of the encrypted traffic, not the path or the query string.
Note that this only covers the data while it is in transit. The query string is still plainly visible at both ends, so it lands in the browser history, in the web server's logs and in the Referer header of any link followed from the page, all of which a POSTed form body avoids.
Here are some references:
http://www.owasp.org/documentation/appsec_faq.html
http://www.ourshop.com/resources/ssl_step1.html
http://msdn.microsoft.com/chats/transcripts/net/vstudio_030702.aspx
The real reason for avoiding placing information in the query string is that it's easier for the logged-on user to tamper with the query string. Also, if you send someone a link to a page, you may also be sending them some personal information (if that web site wasn't developed with security in mind). There's a useful discussion here: http://blogs.msdn.com/cjacks/archive/2005/08/31/458571.aspx
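As an added example (not code from the original post, and in Python rather than the .NET the post has in mind), the following shows both halves of the point above: what an on-path observer can see of an https:// URL, and one way to stop the logged-on user from tampering with a query string, by appending an HMAC over the canonical parameters and checking it on the server. The URL, the `SECRET` constant and the `sig` parameter name are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed example secret. A real application would load this from
# protected configuration, never embed it in code.
SECRET = b"example-only-server-secret"
SIG_PARAM = "sig"  # assumed parameter name for the signature


def observer_view(url: str) -> dict:
    """Split an https:// URL into what a network eavesdropper can see and what
    travels inside the encrypted HTTP request.

    The host name is learnt from DNS and from the TLS handshake, the port from
    the TCP connection. The path and query string are part of the HTTP
    request line, which is encrypted along with the headers and body.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are encrypted in transit")
    return {
        "cleartext": {"host": parts.hostname, "port": parts.port or 443},
        "encrypted": {"path": parts.path, "query": parts.query},
    }


def _canonical(params: dict) -> str:
    # Sort by name so the signature does not depend on parameter order.
    return urlencode(sorted(params.items()))


def _mac(canonical: str) -> str:
    return hmac.new(SECRET, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_query(base_url: str, params: dict) -> str:
    """Build a URL whose query string carries an HMAC over its parameters."""
    canonical = _canonical(params)
    query = canonical + "&" + urlencode({SIG_PARAM: _mac(canonical)})
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def verify_query(url: str):
    """Return the query parameters if the signature checks, else None.

    A user who edits any value (or drops the signature) gets None, which the
    page handler should treat as a bad request rather than trusting the input.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    sig = params.pop(SIG_PARAM, None)
    if sig is None:
        return None
    expected = _mac(_canonical(params))
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(sig, expected):
        return None
    return params


if __name__ == "__main__":
    signed = sign_query("https://shop.example/orders.aspx", {"id": "42", "user": "alice"})
    print(observer_view(signed))
    print(verify_query(signed))                            # the parameters
    print(verify_query(signed.replace("id=42", "id=43")))  # None: tampered
```

Signing detects tampering but does not hide the values, so it does nothing about the second problem, a shared link carrying personal data; for that, keep the data out of the URL altogether (session state or a POSTed form).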
Monday, March 27
by chris on Mon 27 Mar 2006 02:41 AM PST
I contribute to a number of forums, answering questions (my username is oldbear). On all of these forums, there are many posts asking questions on communicating with SQL Server, and the same answers are always needed. I thought I'd put something down here for good practice, and then refer people from the forums to this article. In the meantime, anyone who disagrees can add a comment below. Here we go.
Saturday, March 25
by chris on Sat 25 Mar 2006 08:49 AM PST
I've been preparing an online talk for the Visual Basic User Group on Code Access Security. This will be the first online presentation for VBUG, and Tim Leung and I will be using Live Meeting software.
An online talk with Live Meeting is very different to a presentation in front of a room full of people. Here are some guidelines:
Forget about animated graphics, as the redrawing on the audience PC is too slow.
Set 16 bit colour.
Friday, March 24
by chris on Fri 24 Mar 2006 09:21 AM PST
Last week was the Microsoft Connect Event 2006, held in the Four Seasons Hotel in Nice. I was very flattered to be invited, and had a great time. I met some really fun and committed developers to discuss what's happening with MS and security. I also stayed in the poshest hotel I've ever seen (cheers Microsoft!). Thanks to Marcus, Melita, Josefine, Simone, Hans and Urs for all you did.
It really was non-stop, with discussions and presentations back to back. There was a talk by Rafal Lukawiecki on the holistic approach to security, which really is the core of IT security. Rafal managed to discuss risk in a very engaging way, which is not easy.
Alexander Holy and Hans Veerbeck spoke about Windows Vista and Internet Explorer 7. Even though the focus was on security, I was really impressed with the UI for Vista. I've been following security for Longhorn for a year and a half now, and was impressed with what was shown. The Trustworthy Computing Security Development Lifecycle has been applied to this product, and so this will raise the security baseline for the coming version of Windows.