Ron Jacobs’ ARCast World Tour of NZ

Listened to Ron Jacobs last night at the final Microsoft DotNet User Group meeting for 2006.
Excellent stuff.  I hadn’t heard before that Microsoft stopped all development in January 2001 for a 6 week crash course in security for all staff.
Ron spoke about "decreasing the attack profile" of your application.  Really made sense.  It’s harder to attack an application that doesn’t expose as much of itself as it could.  He also mentioned "security in depth" meaning having many layers of security.  So:
  • only listen on one protocol;
  • in your day-to-day use, run as less than Administrator;
  • run services as Network Service, rather than Local System;
  • use parameters instead of dynamic SQL (I’ve heard about this one before, but Ron demonstrated it for me, and it was very impressive).  When you use parameters, SQL knows not to confuse data with code;
  • don’t give out too much information in error messages.  I’ve been guilty of this one, especially during debugging, and then forgetting to remove it later in production.
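The parameters point is the one worth seeing in code.  Here is an added example (my own illustration in Python with sqlite3, not the ADO.NET demo Ron gave) that puts the dynamic-SQL lookup next to the parameterized one and runs the same input through both.  The table, the rows and the probe string are constructed for the example.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_dynamic(conn, name):
    """The 'before' case: the caller's value is spliced into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the query text is fixed and the value travels separately.
    Whatever the string contains, it is compared as a value, never parsed."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A constructed input containing a quote and a tautology, the classic
# way to show that dynamic SQL lets data become code.
PROBE = "nobody' OR '1'='1"


def demo():
    """Run the same input through both lookups and return the results."""
    conn = make_db()
    return {
        "dynamic": lookup_dynamic(conn, PROBE),
        "parameterized": lookup_parameterized(conn, PROBE),
        "parameterized_real_user": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The dynamic version returns every row, because the quote in the input closes the literal and the `OR '1'='1'` becomes part of the WHERE clause.  The parameterized version returns nothing, because there is no user literally named `nobody' OR '1'='1`.  In .NET the equivalent is a `SqlCommand` whose text uses `@name` and whose value is supplied through `cmd.Parameters`, which is what Ron demonstrated.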

Pizza was excellent, as usual.  Unfortunately, some people who told Kirk Jackson (DNUG Coordinator) they were coming, didn’t.  Kirk had to turn people away because of the numbers who said they were coming.  Fortunately, that meant I got to take some pizza home for my family.

Also, Kirk remembered to get Diet fizz, which was nice.
