  • cheongcheong

    Agreed, little useful information can be taken from it.

    In the video, the (probably) useful things I noticed are:
    1) If you don't consider security at the beginning of building the system, it's likely to cost you an expensive lesson.
    2) Once the bad guys get their way in, it's difficult to get them out.
    3) SQL injection is bad, but can be combated by some validation controls. (If you use the SQL parameter properties, you have some level of defence against this?)
    4) The identity of the session owner should be verified (while I think in ASP.NET some of the verification is done in ViewState already).

    Most of them are considered "common sense" for developers. But if the video is called "The Code Room", I think it'd be appropriate to have an add-on video that further elaborates these points (such as a brief guide on how to actually implement the defenses, etc.).
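    Added example, not code from the thread or the video: the contrast behind point 3, written with Python's sqlite3 placeholders standing in for ASP.NET's SqlParameter (the mechanism is the same: the SQL text stays fixed and the values travel separately). The users table and the inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the thread: a tiny in-memory users table.
SAMPLE_USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Vulnerable pattern: untrusted input is pasted into the SQL text, so a
    # quote character in the input changes the structure of the query.
    # Kept here only to contrast with the parameterized version below.
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Hardened pattern: placeholders keep the SQL text fixed and the driver
    # passes the values separately, so they can only match as literal strings.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    # Runs both lookups with an honest login and with a constructed input
    # containing a quote, and returns the rows each query produced.
    conn = make_db()
    tampered = "' OR '1'='1"
    return {
        "honest_concat": login_concat(conn, "alice", "pw-alice"),
        "honest_param": login_param(conn, "alice", "pw-alice"),
        "tampered_concat": sorted(login_concat(conn, "x", tampered)),
        "tampered_param": login_param(conn, "x", tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    With the honest login both queries return alice; with the quoted input the concatenated query matches every row while the parameterized one matches none, which is the "level of defence" the parameter properties give you.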

  • Larry Osterman

    Mark Brown wrote:
    lars wrote: But next time, get better actors.

    Really? I thought it would be fun to have real developers (in fact, security experts) play the principal roles instead of actors, but if developers think that stinks then I'm not sure what to think.

    Btw, if anyone is curious feel free to Google these guys to find out who they are and what they do. They are definitely NOT actors.

  • Caleb Sima
  • Duane LaFlotte
  • Joel Scambray
  • Rick Samona
  • Frank Swiderski
  • Keith Brown
  • John Viega
  • Joe Stagner

    Edit: In fact it appears as though three of our cast have appeared here before on Channel 9.

    Frank Swiderski on Threat Modeling
    Duane La Flotte on the Crypto API (or CRAPI as I jokingly call it). Actually I love this API.
    And finally John Viega, via a citation by Charles for co-authoring the 19 Deadly Sins of Software Security.

  • Btw, I'm with Mark. I think that Stagner did a very credible job as host, and the show was way more real with people who actually had street cred.

    Personally, I think you should have had the hacker team built from guys like David Litchfield and other notable vulnerability researchers (the guys from eEye, etc), but that might be cutting things a smidge close.

    One day, I'm hoping that people will finally understand that every system out there is vulnerable, unless it's been through a rigorous development process like the SDL that builds secure design into the product. One of the things I absolutely loved about this video is that both of the vulnerabilities presented would have been mitigated with proper threat modeling and analysis.

    Personally, I wish the video had included another vulnerability like a buffer overflow that was caused by an incorrect use of strcpy() into a stack buffer (which shows that even with proper modeling and analysis, you STILL can't write crappy code).  The nice thing about that particular threat is that the techniques that we've been discussing for years in both Howard, Leblanc and Viega's 19 sins and Howard and Leblanc's Secure Code help to mitigate that threat. 

    But I didn't write the episode, so...
