In February/March I am doing a 5-part webcast series about ASP.NET Security for MSDN US. Maybe see you there…
The following topics are planned:
Authentication & Authorization
In this webcast, we explore how Microsoft ASP.NET 2.0 features a flexible authentication and authorization architecture that supports Windows, certificates, and custom credential types. Discover how, with the provided abstraction layers in ASP.NET, your application page code does not have to be aware of any authentication implementation details. Join this session to learn how you can take full advantage of these capabilities. We explain how the HTTP pipeline and its extensibility points work. We look at how the built-in authentication mechanisms function, and we examine how to extend them for enabling single sign-on (SSO) and Web farm scenarios. We also show you how to implement custom and mixed-mode authentication, role handling, and protection of other resources. (register)
Tuesday, February 20, 2007
11:00 AM Pacific Time (US & Canada)
Input Validation
Malicious or unexpected input is the reason for most of the stability and security problems in applications. How often do your applications crash because of logic problems compared to problems caused by malformed input? Many serious attacks rely on flawed or non-existent input validation in applications or how applications handle specially crafted input values. Join this webcast to learn about the most common input-validation attacks, like SQL injection, HTML injection, cross-site scripting, and directory traversal, in addition to the corresponding mitigation techniques. We examine the input validation mechanisms built into Microsoft ASP.NET, including request, ViewState, and event validation, and we look at the validation control infrastructure and its extensibility. (register)
Thursday, February 22, 2007
9:00 AM Pacific Time (US & Canada)
Storing Secrets
As an application developer you are responsible for many secrets, that is, sensitive information such as payroll, intellectual property, passwords, or configuration. Join this webcast to see how Microsoft ASP.NET can help you reduce the exposure of such data with hashing and encryption techniques. We explore the high-level data protection services in ASP.NET, including Data Protection API (DPAPI) and the protected configuration feature. Cryptography alone does not solve problems, but it can be effective in combination with the right architecture and management procedures. In this session, we examine approaches for different scenarios and explain how the APIs work to help you secure sensitive data. (register)
Friday, February 23, 2007
10:00 AM Pacific Time (US & Canada)
Error Handling, Logging & Instrumentation
In this webcast, we discuss best practices that can help you write more secure software. Building detection and reaction mechanisms that signal errors or attack conditions into your applications empowers you to diagnose and fix problems much more easily. We describe how these detection and reaction mechanisms are as important as prevention techniques, like authentication or input validation. Learn how Microsoft ASP.NET and the Windows platform offer many different error-handling and logging capabilities, like the event log, Windows Management Instrumentation (WMI), diagnostics tracing, or the performance monitor. Join this session to see which of these tools is most appropriate for certain situations. We also examine the Health Monitoring Framework, a new feature in ASP.NET that enables abstracting and extending your logging infrastructure through a unified API and a provider-based approach. (register)
Monday, March 05, 2007
11:00 AM Pacific Time (US & Canada)
Partial Trust
Attend this webcast to discover one of the most overlooked security features of Microsoft ASP.NET, code access security (CAS). By default, your applications have access to powerful functionality, like calling out to arbitrary unmanaged code, accessing code in other application domains, and accessing every feature of the Microsoft .NET Framework. Join us to see how you can use CAS to disable dangerous APIs, or restrict them to only the features you need. We illustrate how this dramatically reduces the attack surface and enables you to use the principle of least privilege and defense-in-depth design. Also, learn about the dangers of running in full trust and get an introduction to partial trust, its configuration, and its extensibility. In this session, we explore common scenarios for using CAS to show you how it is possible to write feature-rich applications while running in a secure sandbox. (register)
Tuesday, March 06, 2007
10:00 AM Pacific Time (US & Canada)