J went through the 10 top vulnerabilities for developers. Each of them he showed with explanation, examples, and mitigation - admittedly, all mitigation was focused on .NET. I was quite impressed and noted some aspects where IIS 7 is integrated with ASP.NET, so that default security settings are enforced. For example, for unauthorized file access.
J promised the slides on his blog. I also asked David Nester, the Houston OWASP president, about the same top 10 but mitigating in other technologies, such as PHP or Java.
Here is an interesting thing. The top 1 most used vulnerability, cross-site scripting, received least of all mitigation coverage. It is the hardest to protect against also. There is a XSS secure library from MS, and that is the approach that Jeremiah Grossman advocates too - secure libraries.
The added bonus came in the form of questions and answers. I asked J, what should an outside consulting company like ours do to help with security effort:
- Learn and implement latest security protection techniques;
- Educate software developers in companies;
- Educate management?
The meeting took place at the MS Campus. Here is the view from the window.