Category Archives: Development

Cross Site Scripting protection made easy (er)

Microsoft has just released their new Anti-XSS library which helps developers do the right thing more often without as much effort as before.

If you are interested in this (and trust me, you are) your first stop is to go to the tutorial and see how it is done.  As you will see it isn’t stupid simple, but an improvement.

Once you get comfortable, go to the official page, download the library and make it part of all your web projects.

Code Camp 6 in Waltham, MA

Code Camp 6 is tomorrow at the MS office in Waltham and this is the first one since the original world premiere Code Camp that I am going to miss.

With Thom Robbins moving on to Redmond and the rush of business that everyone seems to be seeing, this 6th edition didn’t come together nearly as early as previous editions.

I apologize for not making it, but since it is slimmed down to a single day this time and I specifically have a conflict tomorrow, I won’t be there.


I expect we will do a better job for Code Camp 7 and provide much more advance warning and I will do my best to defend the date ;)

.Net Best Practices Source

I have been casting about for .Net Best Practices and came across Adam Cogan’s lists of how to do pretty much everything.  The funny thing is that I have known Adam for years and was aware that he had compiled quite a lot of information on his site, but until I started to dig through it I hadn’t realized just how much is there.

If you are trying to codify your company’s “how we do it here” then make sure you check out Adam’s site.

Membership Provider DB Install Scripts

At Code Camp 5 in Waltham this past Sunday I was delivering my session entitled “All you need to know about Membership”, when I learned that I didn’t know everything I need to know about membership.

Someone asked if the scripts were available that aspnet_regsql.exe uses to create the membership table.  My answer was that I hadn’t seen them so I assumed they were baked into the exe.  WRONG!  Our good buddy and fellow Code Camp presenter, Dan Krhla, pointed out that in the same directory where you find aspnet_regsql.exe (namely C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727) you also find the scripts that the tool uses, including InstallMembership.sql.  There are a bunch of them and you have to install them in order (installcommon.sql first, etc.).  They offer some good insights and I have already spent a bit of time on them myself.

Thanks again Dan and I am happy that the question came up so I could learn something too.  This is why I really love the Code Camp.

VB6 on Vista

MS has committed, at some level, to support VB6 on Vista.  In an article from February there are some details, but we now know that if you have a VB6 application that you cannot live without, you will probably be OK for years to come.

This is both good news and bad news.  While I feel the pain of people who depend on these legacy tools for their products to work, I can’t help wincing when I see this because old tools support old techniques and technologies that are often just not up to the task of building secure applications.  Everything from cryptography to SQL Injection has evolved, as have the tools to combat them.

If you are using / depending on VB6 then congratulations, but my advice is to get off of it (from a seasoned VB developer) unless you can really and truly convince yourself that it poses no weaknesses in security based on your use of it.  Eventually you will have to jump.

ASP.Net Application Pool Gotcha

Sharing a web server between development teams is always fun (not).  We had a problem surface today (or resurface): a developer creates a web application on IIS that uses .Net 1.1, for example (not an uncommon occurrence), and some other developer creates a web application on that same server, but this second one uses .Net 2.0 (something becoming more common every day).  Odds are that the developers and even sometimes the network engineer or web master will allow the defaults to lull them into the false sense that it was an easy and straightforward task.

The problem is that they both allowed the “Default Application Pool” to remain selected and now the second of these sites to load will crash IIS.

You can’t have two different versions of .Net loaded into the same process and Application Pool often (though not always) means the same process.

Scott Forsyth has an article about this very issue that will help describe the error that occurs when you have this problem (the “Server Application Unavailable” error).

If you haven’t seen this yet, then you will.
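
One way to audit a shared server for this condition, as an added example that is not from the original post or from Scott Forsyth's article. The application names and inventory rows are constructed, and it assumes you have already exported each application's pool name and the DLL path from its .aspx script mapping; the framework directory in that path identifies the runtime the application loads.

```python
import re
from collections import defaultdict

# Constructed sample rows (not from the post): application, application pool,
# and the handler DLL its .aspx script mapping points at.
SAMPLE_INVENTORY = [
    ("/Billing", "DefaultAppPool",
     r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"),
    ("/Intranet", "defaultapppool",  # same pool, different casing
     r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"),
    ("/Reports", "ReportsPool",
     r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"),
    ("/Wiki", "ReportsPool",
     r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"),
    ("/Legacy", "DefaultAppPool",  # classic ASP, loads no .Net runtime
     r"C:\WINDOWS\system32\inetsrv\asp.dll"),
]

# The framework directory in the aspnet_isapi.dll path identifies the runtime.
FRAMEWORK_DLL = re.compile(
    r"\\Microsoft\.NET\\Framework(?:64)?\\(v\d+\.\d+)\.\d+\\aspnet_isapi\.dll$",
    re.IGNORECASE,
)


def runtime_version(handler_path):
    """Return 'v1.1', 'v2.0', ... or None when the handler is not ASP.Net."""
    match = FRAMEWORK_DLL.search(handler_path.strip())
    return match.group(1).lower() if match else None


def mixed_version_pools(inventory):
    """Map each pool hosting more than one runtime to {version: [apps]}."""
    pools = defaultdict(lambda: defaultdict(list))
    for app, pool, handler_path in inventory:
        version = runtime_version(handler_path)
        if version is not None:  # non-ASP.Net apps cannot cause the conflict
            pools[pool.lower()][version].append(app)
    return {
        pool: {version: sorted(apps) for version, apps in versions.items()}
        for pool, versions in pools.items()
        if len(versions) > 1
    }


if __name__ == "__main__":
    for pool, versions in mixed_version_pools(SAMPLE_INVENTORY).items():
        print(pool, versions)
```

Any pool it reports hosts applications built for different .Net versions and is a candidate for the “Server Application Unavailable” error described above.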

Membership Provider Source Code

Scott Guthrie pointed me at a link to the source code for the ASP.Net 2.0 providers including the Membership and Role Management providers.  While I think the Profiles, Web Parts and Site Navigation providers are important and cool, I expect to do much more with the Membership provider.  Expect to see some customizations in presentations I give in the future.

I think this is a great step and am not surprised to see Scott doing something this cool.

Check it out!