Speaking at WinDev!

I am speaking at this year's WinDev in Boston. Both talks are in Keith Brown's security track. Cool!


Designing Application Managed Authorization

Authorization is a task which every programmer has to face sooner or later. While authentication is handled in most situations by the operating system, authorization concepts have to be designed on a per-application basis. The .NET Framework provides various authorization mechanisms to control the functionality of applications so that they behave as intended and cannot be misused either accidentally or deliberately. These include role-based access checks using Windows or non-Windows accounts, Microsoft Authorization Manager, COM+ role-based security and Code Access Security authorization.

This talk provides guidelines for designing and coding application-managed authorization for single or multi-tier applications that are based on .NET. It focuses on common authorization tasks and scenarios, and it provides information that helps you choose the best approaches and techniques.


Improving Application Security through Pen-Testing

Application programmers usually focus on normal execution paths, attackers on error conditions.

Penetration Testing is the process of analyzing applications and infrastructures through the eyes of an attacker, using exactly the same techniques and tools these people would use. This talk gives the theory behind auditing and penetration/security testing and introduces proven methodologies.
Common programming pitfalls like input validation flaws (including SQL injection, cross-site scripting and directory traversal), ASP.NET misconfigurations and overall "hackable" application designs are shown, with a detailed explanation of how to exploit these security holes.

After this session you will have the knowledge to start testing your own applications for security problems and to use tools to automate these tests.

