Herding Code 75: Barry Dorrans on Developer Security

This week on Herding Code, Barry Dorrans educates, entertains, insults and scares us with his expert commentary on application security, threat modeling, analysis tools and common attacks.  You’ve been waiting for this show.  I just know it.  Listen in as Barry talks security, pimps his new book, and comments on his new position at Microsoft, book burnings, guns, money, proper pronunciation and Jon’s bald head.

  • Scott K shares that public-facing applications and services seem to get the least attention when it comes to security – until there’s an audit. Barry talks about the lack of security education and how training should be baked in from the ground up.
  • Jon notes that folks don’t start off projects thinking about security.  First you code and then you worry about the risk.  Barry speaks to the Security Development Lifecycle (SDL) and continuous threat modeling.
  • Scott K asks if there is a security checklist which developers should consult when developing a web application.  Barry references his book, OWASP, CDE and MITRE.  Barry states that you can’t think like a hacker but you can think about the risks and “what happens if this goes wrong” or “I leak this information” or “there is a cross-site scripting attack.”
  • Jon notes there are some security measures which are baked into the .NET Framework.  Barry talks about a defense in depth strategy and the Web Protection Library (WPL).
  • Barry dives into a few of the security and code analysis tools like CAT.NET and FxCop which are available for Visual Studio.  But, by the way, no tool offers a silver bullet.
  • Scott K asks where emphasis should be placed when implementing security measures.  Barry responds by putting his security hat on and assuming that all users are scum.  Trust no one!
  • The guys get into encoding rules (when and where), XSS, SQL injection and cross-site request forgery.  Jon asks more about the measures built into ASP.NET Web Forms and ASP.NET MVC which help prevent attacks.
  • Kevin asks a question about automatic encoding by the framework.  Barry states this is a tricky solution to implement and suggests that frameworks should provide tools but developers should handle the encoding manually. Jon notes the new syntax in MVC 2 which facilitates this approach.
  • Jon asks about testing frameworks and asks Barry for a checklist of steps which developers must complete if they wish to secure their applications.  Barry rattles off a bunch of must-do actions, pimps his book and pokes fun at American money.
  • The guys talk about RIA, Silverlight and Flash and briefly touch upon security benefits and issues.  And then they discuss social engineering security/privacy issues.
  • Scott K moves away from web applications and services.  What about client applications?  Barry talks about trusted sources, and the .NET and Java sandboxes.  And the guys speak of OS sandboxes, virtualizing applications and Code Access Security (CAS).
  • Barry talks about FoxPro thanks to a Twitter question from @jglazano and the show finishes up with talk about blue and black hats, security snake oil and scary security stories.  But wait!  Jon remembers he wanted to talk about OpenID and the show continues with a discussion about OpenID, CardSpace, OAuth and OAuth WRAP.

Show notes compiled by Ben Griswold. Thanks!
