Security Analyst: ASP.NET

Bl8ckr0uter

Here is a question for the security analyst of TE. Do any of you actually support ASP.NET (or any web code)? We had an issue today (that we spent the entire day on) that ended up being a code issue. This isn't the first time that it has happen. I think the problem is that the admin group (Another guy and I) speak one language and the development group speaks another. Someone needs to know how to talk to both sides equally. I have decided that person is going to be me. So I need to bone up on my ASP.NET and SQL from a Security Analyst perspective. I probably won't be writing any production code but I may need to make some security recommendations and so on. I do have some experience from back in the day with ASP.Net but I am wondering if anyone else is doing anything similar.

earweed

Does the ASP.NET code problem have anything to do with an IIS installation and problems on it. If that's the case you may want to look at your ASP.NET trust levels. I'm nowhere near an expert at ASP.Net and all I know of it is from my 70-643 studies but if your trust levels are set too high (or too low) it can cause problems.

Bl8ckr0uter

What this issue came down to was error handling in some try catch sequence wasn't able to process timeouts of the app. In IIS there is a certain page timeout parameter which causes the page to time out (the default is like 20 min). long story short, it was spitting out unhandled errors. It was a very educational experience lol. BTW this is on server 03.

Bl8ckr0uter

Well due to some issues that came up at work, I am going to need to greatly accelerate my plans to learn ASP.NET, SQL and IIS. Anyone have any thoughts on this?

Bl8ckr0uter

ASP.Net books:

Amazon.com: Beginning ASP.NET 4: in C# and VB (Wrox Programmer to Programmer) (9780470502211): Imar Spaanjaars: Books (purchased)

Amazon.com: Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server (9781430223832): Richard Kiessig: Books

IIS Books:
Amazon.com: Professional IIS 7 (9780470097823): Kenneth Schaefer, Jeff Cochran, Scott Forsyth, Rob Baugh, Mike Everest, Dennis Glendenning: Books (purchased)


SQL Books:
Amazon.com: Beginning T-SQL with Microsoft SQL Server 2005 and 2008 (Wrox Programmer to Programmer) (9780470257036): Paul Turley, Dan Wood: Books (purchased)

Amazon.com: Professional SQL Server 2005 Performance Tuning (Programmer to Programmer) (9780470176399): Steven Wort, Christian Bolton, Justin Langford, Michael Cape, Joshua J. Jin, Douglas Hinson, Haidong Ji, Paul A. Mestemaker, Arindam Sen: Books

Security Books:
Amazon.com: Seven Deadliest Web Application Attacks (Syngrass Seven Deadlest Attacks) (9781597495431): Mike Shema: Books

Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books (purchased)

Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books (purchased)

Anyone think I should add anything else?

gosh1976

I don't have anything to add other than I am very interested in how things come along with your studies and how you like the books you use! I am definitely interested in those topics.

Bl8ckr0uter

gosh1976 wrote: »

I don't have anything to add other than I am very interested in how things come along with your studies and who you like the books you use! I am definitely interested in those topics.

Lol thanks. I really wish it was just out of pure interest. This is now out of professional responsibility lol. I think alot of people (myself included) forget about app security (especially web app security). While I don't think I can get myself to the developers level in a few weeks or months (they have MS in CS and have been developing for years) an extra set of eyes (with a security focus in mind) can't hurt.

gosh1976

the first post in this thread reminded me of this cartoon I saw the other day so i thought I would post it!! It's somewhat related...

Bl8ckr0uter

All my books have arrived (minus the two I didn't buy which was the 7 deadliest book and the ultra fast asp.net book). I think I will pick up the 7 deadliest books in a few weeks. I have enough material right now to get a great start lol.