Come along on the 12th April for a full day of presentations and demonstrations surrounding the real world implications of the most common .NET web techologies: learn about the best practices, issues, gotchas, etc.
Bring along your questions and problems to gain assistance in finding solutions.
AGENDA08:45 Registration
09:00 Hacking websites for fun and profit
10:30 Break
11:00 Securing applications and communications in ASP.NET
12:30 Lunch
13:30 Code Access Security - in-depth explanation and design pattern for web applications
15:00 Break
15:15 Securing Web Services with WS-*
16:45 Break
17:00 Managing Identity using Windows Cardspace
18:30 Close
- These are rough timings. Some session may end earlier or run later. We aim to shape the day around people's need, not a time schedule!
Hacking websites for fun and profit
Presented by Barry Dorans
How safe are your web sites?
Do you know what cross site scripting is?
SQL injection attacks?
Search engine leaks?
Learn how to check your sites for nasties by seeing how it's done against badly written code and what you can do to secure your sites.
Securing applications and communications in ASP.NET
Presented by Barry Dorans
This session aims to provide you with recipes to secure your asp.net application architecture, be they internet, extranet or intranet exposed. Covering authentication and authorisation strategies, identity management, securing communications, secrets, viewstate and more the session will discuss common best practices for secure architecture of ASP.NET applications.
Code Access Security - in-depth explanation and design pattern for web applications
Presented by Chris Seary
Chris has implemented CAS in several secure enterprise scale web applications. This talk will explain how CAS works, and also give details of a design pattern for implementing CAS in web applications.
We start by showing a web site being hacked, and then alter the application to stop the hacker while preserving the full functionality of the web site. We also look at OneClick and how it uses Partial Trust.
Securing Web Services with WS-*
Presented by Chris Seary
Why use WS-Security - surely IPSEc and SSL will secure our site?
Actually, WS-* specifications provide functionality that network protocols do not.
We look at what WS-Security can add to web service security, and go through a good deal of sample code (which will be available to download).
This presentation covers both WSE and WCF. We also look into WS-Federation, and how it is to authenticate users from different domains.
Managing Identity using Windows Cardspace
Presented by Barry Dorans
Windows CardSpace is a framework developed by Microsoft which securely stores digital identities of a person, and provides a unified interface for choosing the identity for a particular transaction, such as logging in to a website.
This talk will cover how CardSpace works, how it can be used within ASP.NET applications and how you can implement your own trusted cards.
BIOS
Barry Dorrans has spent 15 years cutting code, starting with mainframes, through DOS, Visual C and MFC before finally ending up on the .NET platform. His experience has ranged from banking systems to Europe's largest streaming network. He now mentors developers through .NET migrations and Expert Witness services with Charteris plc ( http://www.charteris.com).
Chris Seary has been awarded the Most Valued Professional (MVP) award by Microsoft for his contributions to the field of application security. He has been securing large scale applications for several years, including the Australian Taxation Office's mid-range systems, which make up the world's largest .Net application. He regularly speaks on security, and has had articles published in journals and on MSDN.
DATE
Thursday 12th April 2007, 9:00am - 6:30pm.
Registration begins at 8:45am.
VENUE
Microsoft Edinburgh,
127 George Street,
Edinburgh
EH2 4JN
LUNCH
Approximately one hour will be set for lunch and a place can be pre-booked at a local restaurant.
Please let us know if you have any special dietary requirements.
Lunch is NOT included in the price for this event.
Comments