Friday, March 30, 2007


OWASP Conference in Milano 15/5-17/5

OWASP (Open Web Application Security Project) is organizing an Application Security conference on May 15-17, 2007 in Milan, Italy. The conference starts with an optional one-day training before the main sessions. OWASP's AppSec conferences are dedicated to real-world application security issues and solutions.


Writing secure web applications is difficult, and it is getting more difficult each day as the number of frameworks and solutions grows, so I have decided to post the complete invitation below:



Dear Colleague,


OWASP is proud to announce its 6th Application Security Conference to be held May 15-17 at the Marriott in Milan, Italy. Please reserve these dates!! This facility looks to be the nicest facility we have had the opportunity to use yet for our European conferences.


This conference will include:
- Training (May 15th): Three 1-day application security courses are being offered the day prior to the conference.
- Main Conference (May 16-17): This year's conference will include daily keynotes, presentations, refereed papers, lots of OWASP projects, and two panels to encourage discussion amongst the attendees.
- Evening Social Event (May 16): We are planning a social event as we do each conference, which facilitates the attendees' ability to mingle and get to know each other better.


Current details on the conference are available on the OWASP website at
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007

This conference is expected to be kicked off with a keynote by a representative from Microsoft on "The Benefits of the SDL initiative to Microsoft and its Customers". This should be similar to the presentation that Mike Howard gave to kick off the 5th OWASP AppSec Conference, which was the highlight of that conference (in my opinion). It discusses the Microsoft Security Development Lifecycle (SDL) and the benefits Microsoft and its customers have gained by developing and adopting it.


OWASP's AppSec conferences are dedicated to real-world application security issues and solutions. You'll learn many aspects of application security, including people, process, and technology perspectives.


REGISTRATION DETAILS: As a non-profit charitable organization, OWASP has been able to keep the cost to 450 Euros per seat. For OWASP Members it's only 400 Euros. These prices are further reduced by 50 Euros for early registration prior to April 16th.


Note: Payment for the conference will actually have to be in US dollars, as OWASP currently has no mechanism for accepting Euros for payment with our current registration system.


Registration is available at:
http://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=4abc935c-a7f8-47e1-83a0-23a2c36faf26


PLEASE NOTE THAT ALL TICKETS ARE NON-REFUNDABLE TO REDUCE ADMINISTRATION COSTS


TRAINING COURSES (May 15):
These classes will be held at the Marriott. Each class is 650 Euros for conference attendees (and includes lunch).


- FOUNDATIONS OF APPLICATION SECURITY
- WEB SERVICES AND XML SECURITY
- ADVANCED .NET SECURITY


More details on these training courses are available at:
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Training


EVENING SOCIAL EVENT - May 16th - An optional dinner event.


This event involves a dinner at a nearby restaurant from 7-9 PM, followed by drinks at local watering holes. We hope to see all of you there as this is a great chance to mingle and meet many members of the OWASP community.


ACCOMMODATIONS: Information about local accommodations, including reduced-rate rooms, is available at:
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007#Accomodations


If you know others that would be interested in attending the 6th OWASP AppSec Conference, please forward them this email and let them know about this opportunity.


Please contact me with any questions. Looking forward to seeing you all there!


Thanks, Dave


Dave Wichers, OWASP Conferences Chair
The OWASP Foundation
http://www.owasp.org



I am still convincing my bosses to let me go, but I hope to see you there!

Tuesday, March 13, 2007


Visual Studio Code Name "Orcas" March CTP

Visual Studio Code Name "Orcas" - March Community Technology Preview (CTP) is available for download in two versions:



The features are too many to mention here, but the ones that I most look forward to trying are:



  • LINQ (LINK)

  • ADO.NET Entity Framework

  • The XSLT Debugger

  • Windows Presentation Foundation (WPF) Designer

  • New Team System features

  • Windows Communication Foundation and Workflow Foundation

Wednesday, February 28, 2007


Losing forms authentication after ASP.NET application recycles

I recently moved my blog to a hosting center (more on that in another post) and hit a few strange issues:



  • forms would fail with an Invalid Viewstate error

  • forms authentication would be lost after my web application was recycled

I know why it happens (ASP.NET security measures) but not what is causing it.


Let me try to explain better. ASP.NET does its best to make sure the ViewState and forms authentication cannot be hacked by “signing“ sensitive data. The <machineKey> element in Machine.Config decides how the key is generated and which algorithm to use. The computer can generate the key automatically, but it is machine specific, so the key must be the same on all machines in a web farm. So far, so good. But I only have a single “dedicated“ server, so the key should always stay the same and I should not have any problems.


Not so simple. The key is normally set to “AutoGenerate“ in machine.config, which usually works, but not in my case. The most likely cause is the account used to run the ASP.NET worker process, as the key is stored in the registry with access limited to "Network Service":



When the machineKey is set to AutoGenerate, the key information is stored in the HKEY_CURRENT_USER hive for the account running the process. For W2k3 servers, this is the Network Service account. Otherwise, the account is the ASP.NET machine account. When the process launches, ASP.NET will use the HKEY_CURRENT_USER registry key if it is available. If this key is not available, the HKEY_LOCAL_MACHINE key will be used. If neither registry key exists, the process creates the key in the HKEY_LOCAL_MACHINE hive. If these conditions fail, the process creates a brand new set of keys.


My worker process was running as “Network Service“, but I didn't have time to dig into the registry security settings, so I applied the procedure for configuring machines in a web garden. Luckily the fix is a lot simpler than the explanation:



  • Use a machineKey generator to generate the settings for your machine

  • Replace your existing <machineKey> element in machine.config with the generated section

This MSDN article explains the dirty details better.
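To make the two steps concrete, here is an added example of a small machineKey generator and checker (it is not code from this post, from Microsoft, or from whichever generator the post links to). It emits an explicit <machineKey> element, so the keys no longer depend on an AutoGenerate entry in the worker-process account's registry hive, and it flags a fragment that still uses the AutoGenerate default. The key sizes are this example's own choice: a 64-byte validation key (128 hex characters) and a 32-byte AES decryption key (64 hex characters); the validation="SHA1" / decryption="AES" attribute values are the ASP.NET 2.0 options of the time.

```python
# Added example: explicit <machineKey> generation and a check for the
# AutoGenerate default. Not the post's code; key sizes are this example's
# own choice (64-byte validation key, 32-byte AES decryption key).
import re
import secrets
import xml.etree.ElementTree as ET

VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def generate_machine_key(validation="SHA1", decryption="AES"):
    """Return a <machineKey> element with fresh keys from the OS CSPRNG
    (secrets.token_hex), which is what a key that signs ViewState and
    forms-authentication tickets needs."""
    return (
        '<machineKey validationKey="{}" decryptionKey="{}" '
        'validation="{}" decryption="{}" />'
    ).format(
        secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        validation,
        decryption,
    )


def parse_machine_key(fragment):
    """Return the element's attributes as a dict; raises if the fragment
    is not a <machineKey> element."""
    element = ET.fromstring(fragment)
    if element.tag != "machineKey":
        raise ValueError("not a <machineKey> element")
    return dict(element.attrib)


def check_machine_key(fragment):
    """Return a list of problems with a <machineKey> element; [] means both
    keys are explicit hex strings at least as long as generated above."""
    attrs = parse_machine_key(fragment)
    problems = []
    for name, min_hex_len in (
        ("validationKey", VALIDATION_KEY_BYTES * 2),
        ("decryptionKey", DECRYPTION_KEY_BYTES * 2),
    ):
        # ASP.NET's own default when the attribute is absent
        value = attrs.get(name, "AutoGenerate,IsolateApps")
        if "AutoGenerate" in value:
            problems.append(f"{name} is AutoGenerate (stored per process account)")
        elif not HEX_RE.match(value):
            problems.append(f"{name} is not a hex string")
        elif len(value) < min_hex_len:
            problems.append(f"{name} is only {len(value)} hex chars")
    return problems


if __name__ == "__main__":
    fragment = generate_machine_key()
    print(fragment)
    print("problems:", check_machine_key(fragment))
```

Paste the printed element over the existing <machineKey> in machine.config (or in the application's web.config if only one site needs the fix), and treat the file like any other secret: whoever can read it can forge forms-authentication tickets and ViewState.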


It is official: I am a Pig

or at least the Chinese think I am…


I would never have found out if I did not work next to the Chinatown of Milano. There was an advertisement for the Chinese New Year celebration recently and I saw a description of the various zodiacs. By chance I noticed that this is the year of the Pig.


I do not believe in astrology but I find the wikipedia description of the Year of the Pig scarily accurate:



The Pig type is usually an honest, straightforward and patient person. They are a modest, shy character who prefers to work quietly behind the scenes. When others despair, they are often there to offer support. This type of person is reserved with those they do not know too well, but as time passes and they gain confidence, those around them may discover a lively and warm-hearted person behind that mask of aloofness. Despite those born in the year of pig having a wide circle of friends and acquaintances, they have few close friends who understand them and share their inner thoughts and feelings. It is easy to put trust in pig type; they won't let you down and will never even attempt to do so. Such people simply want to do everything right according to social norms.

Tuesday, February 27, 2007


The mathematics of lacing shoes

What is the optimal way of lacing your shoes? Good thing we have university mathematicians to help us with these philosophical issues and present the best solutions:

 


The criss-cross and straight patterns (left and centre) are strongest, but the bow-tie pattern (right) is the most efficient


I keep it simple and use the criss-cross pattern. What about you? Are you a traditionalist or are you using one of the 400 million other ways of lacing a shoe?

Monday, February 26, 2007


.NET CF 2.0 Pocket Outlook DueDate problem

While porting my free Pocket PC applications to .NET CF 2.0 I just discovered an interesting "feature" of the Microsoft Pocket Outlook wrapper. The first port of poToday used my POOM wrapper for .NET CF 1.0, but I decided to drop it for the built-in Microsoft PocketOutlook libraries.


My application dropped from 70 KB + 30 KB of wrapper DLL to only 31 KB. After reorganizing the menus I am able to use the application completely without a stylus, which is pretty neat. But I found a problem with the DueDate property that drove me crazy for a while. I can filter on the DueDate like this:


TaskCollection dueTasks = allTasks.Restrict("[DueDate] = \"" +
    System.DateTime.Today.ToString("dd/MM/yy") + "\" and [Complete]=False");


 


But as the following screenshot shows, I cannot set the DueDate to Today, as it becomes yesterday:



task.DueDate should have been newDate (i.e. System.DateTime.Today) but it is 24 hours wrong :-(


I guess it converts the date to UTC before it sets it. Whatever the reason, adding the difference between the current time and UTC works grand:


task.DueDate = System.DateTime.Today + (System.DateTime.Now - System.DateTime.UtcNow);
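The guess above can be checked with a small model. The following is an added example, not code from this post or from the Pocket Outlook wrapper: it assumes the wrapper converts the local value to UTC and then keeps only the date part, and it shows why Today + (Now - UtcNow) gives the intended day both east and west of UTC. The time zones are constructed fixed offsets (UTC+1 for Milan in winter, UTC-5 as a west-of-UTC contrast); the real device uses its system time zone.

```python
# Added example: a model of the suspected "convert to UTC, keep the date"
# behaviour and of the post's fix. Not the wrapper's code; the wrapper
# behaviour and the fixed-offset zones are assumptions for the demonstration.
from datetime import date, datetime, timedelta, timezone


def wrapper_stores(local_time: datetime) -> date:
    """Assumed wrapper behaviour: convert to UTC and drop the time of day."""
    return local_time.astimezone(timezone.utc).date()


def local_midnight(today: date, zone: timezone) -> datetime:
    """What System.DateTime.Today is: midnight of the local calendar day."""
    return datetime.combine(today, datetime.min.time(), tzinfo=zone)


def naive_due_date(today: date, zone: timezone) -> date:
    """task.DueDate = Today: midnight at UTC+1 is 23:00 UTC the day before,
    so the stored date is yesterday for anyone east of UTC."""
    return wrapper_stores(local_midnight(today, zone))


def corrected_due_date(today: date, zone: timezone) -> date:
    """task.DueDate = Today + (Now - UtcNow): shifting by the local offset
    lands exactly on 00:00 UTC of the intended day, east or west of UTC."""
    midnight = local_midnight(today, zone)
    offset = zone.utcoffset(midnight)  # the value Now - UtcNow produces
    return wrapper_stores(midnight + offset)


def due_dates_for(today_iso: str, offset_hours: int) -> tuple:
    """(naive, corrected) ISO dates for a fixed UTC offset in hours,
    e.g. 1 for Milan in winter (constructed, no DST handling)."""
    today = date.fromisoformat(today_iso)
    zone = timezone(timedelta(hours=offset_hours))
    return (
        naive_due_date(today, zone).isoformat(),
        corrected_due_date(today, zone).isoformat(),
    )


if __name__ == "__main__":
    for offset in (1, 0, -5):
        naive, fixed = due_dates_for("2007-02-26", offset)
        print(f"UTC{offset:+d}: naive={naive} corrected={fixed}")
```

The model reproduces the 24-hour error only for positive offsets, which matches a blog written in Milan seeing "yesterday" while the naive code would look fine on a device set to a US time zone.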


 
I am still dogfooding my apps but I hope to release them soon.


Replacing HTML markup in SQL Server

I automatically generate a short summary for each post on my blog. The logic for creating the summary should stay on the front end but I did not have the source code for my blog engine (.text) so I put it in the DB.


The following function removes all HTML tags, leaving only the text I want to display in the summary:


CREATE FUNCTION [dbo].[replaceHTML]
(
    @cont varchar(8000)
)
RETURNS varchar(8000)
AS
BEGIN
  declare @out  varchar(8000)
  declare @tag  varchar(8000)
  declare @pos1 int
  declare @pos2 int

  -- Find the start/end of first tag. The '>' is searched from @pos1 so a
  -- stray '>' earlier in the text cannot stop the function from stripping
  -- anything at all.
  set @pos1=charindex('<', @cont);
  set @pos2=charindex('>', @cont, @pos1);

  if not(@pos1>0 and @pos2>@pos1)
  begin
    set @out=@cont
  end
  else
  begin
    set @out='';

    -- as long as there are tags
    while @pos1>0 and @pos2>@pos1
    begin
      set @tag=substring(@cont,@pos1,@pos2-@pos1+1);
      if @pos1>1
      begin
        -- keep the text before the tag
        set @out=@out+substring(@cont,1,@pos1-1)
      end

      -- drop everything up to and including the tag
      set @cont=substring(@cont,@pos2+1, len(@cont) - @pos2);

      -- Find the start/end of next tag
      set @pos1=charindex('<', @cont);
      set @pos2=charindex('>', @cont, @pos1)
    end
    set @out=@out+@cont
  end
  return(@out)
END


 


It may not be very nice, but it works, and it improves the Google search results (which is strange, as Google gets a complete list of my posts via the sitemap...)