16 minutes read

Input Validation: The Good, The Bad, and the What the Hell are you Doing?

Good morning class! Pop quiz: How many of you do proper input validation in your ASP.NET site, WebForms, MVC, or otherwise? Some Background There is an axiom in computer science: never trust user input because it’s guaranteed to contain invalid data at some point. In security we have a similar axiom: never trust user input because it’s guaranteed to contain invalid data at some point, and your code is bound to contain a security vulnerability somewhere, somehow. Granted, it doesn’t flow as well as the former, but the point still stands. The solution to this problem is conceptually simple: validate,…

31 minutes read

Tamper-Evident Configuration Files in ASP.NET

A couple weeks ago someone sent a message to one of our internal mailing lists. His message was pretty straightforward: how do you prevent modifications of a configuration file for an application [while the user has administrative rights on the machine]? There were a couple responses including mine, which was to cryptographically sign the configuration file with an asymmetric key. For a primer on digital signing, take a look here. Asymmetric signing is one possible way of signing a file. By signing it this way the configuration file could be signed by an administrator before deploying the application, and all…

6 minutes read

Find my Windows Phone 7

For the last month and a half I’ve been playing around with my new Windows Phone 7.  Needless to say, I really like it.  There are a few things that are still a little rough – side-loading application is a good example, but overall I’m really impressed with this platform.  It may be version 7 technically, but realistically its a v1 product.  I say that in a good way though – Microsoft reinvented the product. Part of this reinvention is a cloud-oriented platform.  Today’s Dilbert cartoon was a perfect tongue-in-cheek explanation of the evolution of computing, and the mobile market…