
Posts for Category: Security

Things to look for in a Security Audit

At Readify, we get involved in a lot of audit/review style engagements: performance reviews, architecture reviews, database reviews and security reviews.  Internally we now have some useful documents floating around that describe the things that should be done on these kinds of engagements.  Today, while browsing Robert Hurlbut's blog I discovered that he has also published a checklist of things to do when engaged on a security audit:

    Security Code Audit

In addition to that he also linked to an article by Michael Howard which describes some common ways to perform security reviews on code:

    A Process for Performing Security Code Reviews

posted on 8/5/2006 12:01:11 PM ( 0 Comments )


SSO Needed for Portals

To provide a full service, Web 2.0 sites need to be able to connect to external sources - such as the PageFlakes portal, which exposed a Gmail web part that I showed the other day.  Other external sources might include:

  • Map data from Google
  • Wishlist information from Amazon
  • Photos from Flickr


To be able to connect to these services requires authentication information to be passed around and so it is likely that Identity will become a major topic of discussion sooner rather than later so that we can achieve a form of single sign on across the web.  The buzzwords in this space at the moment are: Web 2.0, Identity 2.0, LAMP, SAML, Passport, and Infocard.

If you'd like to learn more about the issues surrounding Identity 2.0, it would behoove you to download the following presentation and watch it:

    http://www.identity20.com/media/OSCON2005/

The format of the presentation has been talked about quite a bit throughout the blogosphere, so it's probably worth watching just for that :-)


Security Quote of the Day

Your identity is your most valuable possession.  Protect it.  And if anything goes wrong, use your powers.

Elastigirl

posted on 2/12/2006 3:43:12 PM ( 1 Comments )


Flakey Security?

I was doing some research about Web 2.0 over the weekend for my book and while browsing across the various Web 2.0 sites it struck me that some of them are doing some very interesting things with data - notice that I didn't say "Good Things"... just interesting things.

First I was looking for Web 2.0 portals and came across this one:

http://www.pageflakes.com/


After fiddling around with that portal for a while and "walking away" with an astonished look on my face I came across this popular site:

http://www33.meebo.com/

Again, total amazement!

So let me get this straight... they want me to key my username and password for other sites into forms on their site?  Err, yeah... right!

posted on 2/7/2006 3:50:19 AM ( 2 Comments )


Secure Your Parameters!

Secure those parameters!

Rocky has written a great, common-sense style article about security with respect to securing inputs and outputs.   I had just finished reading it and started working through some ATLAS hands-on labs.  The first sample that I ran through was showing how to accept some text input from a user and pass it to a WebMethod from the client machine.  Here is step 3 of that exercise:

  • Change the method to accept a single string parameter.
  • Encode the string passed to the service to protect against scripting attacks.
  • Format the input string as a message. For example, format the string to return Hello, you queried for {0}.
  • Append the current date and time to the string.
  • Return the string.
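Here is step 3 worked through in C# as an added example; it is not the lab's own code and not from the ASP.NET team. It places the unencoded shape the step is warning about next to the encoded one so the difference is visible in one file. The service and method names are made up, the `[ScriptService]` attribute is the ASP.NET AJAX 1.0 form of what the ATLAS CTP did, and I am assuming the client page writes the returned string into the document as HTML, which is the case `HttpUtility.HtmlEncode` covers.

```csharp
using System;
using System.Web;
using System.Web.Services;
using System.Web.Script.Services; // ASP.NET AJAX 1.0 namespace (assumption: the project targets it)

// Hypothetical service name; not from the lab.
[WebService(Namespace = "http://example.com/echo")]
[ScriptService] // exposes the WebMethods to the client-side script proxy
public class EchoService : WebService
{
    // The shape the step warns against: the caller's text is reflected into the
    // response untouched. If the page drops the result into innerHTML, any markup
    // the user typed is rendered as markup in the browser of whoever views it.
    [WebMethod]
    public string EchoUnsafe(string input)
    {
        return string.Format("Hello, you queried for {0}", input);
    }

    // Step 3 as described: accept one string, encode it, format it as a message,
    // append the date and time, return the result.
    [WebMethod]
    public string Echo(string input)
    {
        // Treat a missing parameter as empty rather than throwing on null.
        string text = input ?? string.Empty;

        // HTML-encode the untrusted text so <, >, & and " (and ' from .NET 4 on)
        // become entities and can no longer open a tag or attribute in the page.
        string encoded = HttpUtility.HtmlEncode(text);

        // Format the message around the encoded text, not the raw input.
        string message = string.Format("Hello, you queried for {0}", encoded);

        // Append the server's current date and time.
        return message + " (" + DateTime.Now.ToString("u") + ")";
    }
}
```

Encoding is an output decision, so it has to match how the client uses the value: if the page assigns the result to a text node instead of innerHTML, the entities would show up literally and the encoding belongs on the client side instead. Pick one boundary and encode there, not both.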

 

Way to go Rock and the ASP.NET Team!

posted on 9/14/2005 10:15:13 PM ( 0 Comments )