patterns & practices Security Videos
We did a focused set of security videos with Keith Brown a while back. The problem is they're not very findable (most customers I talk to aren't aware of them). I added them to soapbox and listed them below to see if it helps (note soapbox may prompt you to log in):
Input and Data Validation Videos
- Paths, URLs, and Canonicalization - shows you how to avoid input and data validation security issues related to path validation.
- Cookies and Tamper Detection - shows you how to protect from cookie tampering issues.
- Cross Site Scripting - shows you how to protect from cross-site scripting issues.
- Regular Expressions - shows you how to use regular expressions to validate input and data.
- SQL Injection - shows you how to protect from SQL injection.
- ASP.NET Validation Controls - shows you how to use validation controls for input validation.
They're designed to help you get key concepts behind some of our security guidance. I also wanted to use somebody that was recognized in the field as somebody you could trust. Keith's proven himself for a long time in the security community. He also has the aura of an experienced trainer, which I think comes across in these videos.
Comments
Anonymous
March 24, 2007
It doesn't help. Despite the fact that I have been watching MSDN webcasts for ages using my passport ID, I am not allowed into the site. Strangely, if I try to get added to the registration database I am told that the email address is already in use.
Anonymous
March 24, 2007
I think sharing these kinds of videos via Soapbox is silly to say the least. Why don't you host these on, say, Channel 9 or some place on MSDN? I am not complaining about logging in, but wouldn't it be nice to find these at one known place rather than strewn all over the net? And least of all I would not want to go to Soapbox from my work place.
Anonymous
March 24, 2007
Kris - They've been hosted on channel9 for over a year: http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.InputValidationTrainingModules
I would like to see them on MSDN.
Anonymous
March 24, 2007
Mike - I'm not sure what the soapbox issue is, but here's an alternative:
Paths, URLs, and Canonicalization: http://mylabs.members.winisp.net/videos/canonicalization.wmv
Cookies and Tamper Detection: http://mylabs.members.winisp.net/videos/cookies.wmv
Cross Site Scripting: http://mylabs.members.winisp.net/videos/crosssitescripting.wmv
Regular Expressions: http://mylabs.members.winisp.net/videos/regex.wmv
SQL Injection: http://mylabs.members.winisp.net/videos/sql_injection2.wmv
ASP.NET Validation Controls: http://mylabs.members.winisp.net/videos/validation.wmv
Anonymous
March 25, 2007
Just to drop a small note. I never see any reference to using Page.IsValid on server postback handlers. It's mandatory for server validation! So, you don't have any kind of security without page.isvalid! In fact I have my doubts that that particular web cast is going to the server for validation as mentioned by Keith. I've said it before and I will say it again... it's confusing for developers to have to check this and it should be done by the framework, or there should be a warning of some kind. From http://msdn.microsoft.com/msdnmag/issues/05/11/securewebapps/ "...(just make sure to always enforce server-side validation by calling Page.IsValid)..."
Anonymous
March 26, 2007
"Click Here" http://blogs.msdn.com/jmeier/archive/2007/03/24/patterns-practices-security-videos.aspx