Estimated reading time: 8 minutes

Introduction to Windows Azure Active Directory Federation Part 1

Earlier this week Microsoft released some interesting numbers regarding Windows Azure Active Directory (WAAD) authentication. Since the inception of the authentication service on the Windows Azure platform in 2010, we have now processed 200 BILLION authentications for 50 MILLION active user accounts. In an average week we receive 4.7 BILLION authentication requests for users in over 420 THOUSAND different domains. […] To put it into perspective, in the 2 minutes it takes to brew yourself a single cup of coffee, Windows Azure Active Directory (AD) has already processed just over 1 MILLION authentications from many different devices and users around the…

Estimated reading time: 11 minutes

Study of Commercially Deployed Single Sign On

Microsoft Research published a paper sometime last month analyzing Single Sign On services hosted by various commercial entities. Go read it: Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. The paper had been sitting on my desk for a couple of weeks (literally) before I had a chance to read through it. It actually made its rounds through the company before I had a chance to read it. In any case, I thought it would be good to post a link for people to read because it outlines some very…

Estimated reading time: 16 minutes

Input Validation: The Good, The Bad, and the What the Hell are you Doing?

Pop quiz: How many of you do proper input validation in your ASP.NET site, WebForms, MVC, or otherwise? Some Background There is an axiom in computer science: never trust user input because it’s guaranteed to contain invalid data at some point. In security we have a similar axiom: never trust user input because it’s guaranteed to contain invalid data at some point, and your code is bound to contain a security vulnerability somewhere, somehow. Granted, it doesn’t flow as well as the former, but the point still stands. The solution to this problem is conceptually simple: validate, validate, validate. Every…

Estimated reading time: 13 minutes

The Importance of Elevating Privilege

The biggest detractor to Single Sign On is the same thing that makes it so appealing – you only need to prove your identity once. This scares the hell out of some people because if you can compromise a user's session in one application it's possible to affect other applications. Congratulations: checking your Facebook profile just caused your online store to delete all its orders. Let's break that attack down a little. You just signed into Facebook and checked your [insert something to check here] from some friend. That contained a link to something malicious. You click the link, and…

Estimated reading time: 1 minute

Talking about Security Article Series

Over on the Canadian Solution Developer's blog I have a series on the basics of writing secure applications. It's a bit of an introduction to all the things we should know in order to write software that doesn't contain too many vulnerabilities. Obviously it's not a series on everything you need to know about security, but hopefully it's a starting point. My goal is to get people to at least start talking about security in their applications. This is the series: Part 1: Development Security Basics Part 2: Vulnerability Deep Dive Part 3: Secure Design and Analysis in Visual Studio…