Security Folks .Net certs

Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
Would it be normal for someone who is supporting a web server to be certified on .net? (specifically 4.0)

Comments

  • JDMurray (Admin), Posts: 13,031
    If you will be a programmer writing Web services and Web pages in ASP.NET then yes, you should look into .NET certification. If you are just an admin of Microsoft Web servers then you would look into the MCSE certs for Windows 2003 and the MCITP for Windows 2008 and later.
  • Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
    JDMurray wrote: »
    If you will be a programmer writing Web services and Web pages in ASP.NET then yes, you should look into .NET certification. If you are just an admin of Microsoft Web servers then you would look into the MCSE certs for Windows 2003 and the MCITP for Windows 2008 and later.

    I will be the admin but I will also help out with development, mainly making sure we are doing things according to best practices.
  • JDMurray (Admin), Posts: 13,031
    Bl8ckr0uter wrote: »
    I will be the admin but I will also help out with development, mainly making sure we are doing things according to best practices.

    You need to get with the people/organization that's defining the best practices that you will be following and ask what they recommend. If you are not an actual programmer then the ASP.NET developer certs are not for you.
  • Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
    JDMurray wrote: »
    You need to get with the people/organization that's defining the best practices that you will be following and ask what they recommend. If you are not an actual programmer then the ASP.NET developer certs are not for you.

    That's my point, the developers aren't developing with security in mind and my boss has said, figure out what they need to do (not do it per se) so our new sites can be as secure as possible. Layer 7 on down. I was just wondering how much those certs cover security. I have the ASP.Net 4 book from wrox and it has a few chapters dedicated to security.
  • JDMurray (Admin), Posts: 13,031
    Bl8ckr0uter wrote: »
    That's my point, the developers aren't developing with security in mind and my boss has said, figure out what they need to do (not do it per se) so our new sites can be as secure as possible. Layer 7 on down. I was just wondering how much those certs cover security. I have the ASP.Net 4 book from wrox and it has a few chapters dedicated to security.

    There are no .NET certs specifically for security. You'd be lucky to find that just one of the exams covered only security. Software security starts in the design of the program, not in the coding (implementation). Entire software engineering degrees are based on the concept of software systems security, so I don't think one or two .NET certs will help much.

    If you have a code base that's critical to the operations of your business, you might look into a professional assessment from a company like Cigital.
  • Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
    JDMurray wrote: »
    There are no .NET certs specifically for security. You'd be lucky to find that just one of the exams covered only security. Software security starts in the design of the program, not in the coding (implementation). Entire software engineering degrees are based on the concept of software systems security, so I don't think one or two .NET certs will help much.

    If you have a code base that's critical to the operations of your business, you might look into a professional assessment from a company like Cigital.

    Ok, maybe I am posing my question incorrectly. For a network admin of a small shop who happens to work for some web developers (also at this small shop), what would be some of the security concerns when rolling out some brand new ASP.NET applications from the development side? We wouldn't have money for a place like Cigital to work on our code so all of this would need to be in house.
  • Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
    I think I answered my own question. I just got web applications hackers handbook and Web security testing and these seem to be the answer I needed. Thanks!
  • JDMurray (Admin), Posts: 13,031
    Note that Web sites must be tested both independently of the site's technology, and tested to find vulnerabilities specific to the technology used to implement the site. For example, a poor design of a site's authentication mechanism can exist in any implementation, while an exploit specific to a version of PHP can only be used on sites that use PHP.

    An excellent organization to follow for information on Web site and application security is the Open Web Application Security Project (OWASP).
  • Bl8ckr0uter (Inactive Imported Users), Posts: 5,031
    JDMurray wrote: »
    Note that Web sites must be tested both independently of the site's technology, and tested to find vulnerabilities specific to the technology used to implement the site. For example, a poor design of a site's authentication mechanism can exist in any implementation, while an exploit specific to a version of PHP can only be used on sites that use PHP.

    An excellent organization to follow for information on Web site and application security is the Open Web Application Security Project (OWASP).


    I am actually considering joining the local branch of OWASP. I plan on following this organization very closely.

    This Web Application hackers book seems like it is going to be promising. I will have to pick up the database hackers book later.