TAM v3.0 beta is live!

A new version of the Threat Analysis and Modeling tool has been released. This version has significant improvements over the previous version, as identified in previous posts. You can find the download link and the bugs link in TAM 3.0 Beta is Now Live!. Thanks RV

Connection String Injection Attack

Today I was looking at some new classes in .NET 2.0 and stumbled across the DbConnectionStringBuilder class. This class provides compile-time checks around building connection strings with user input. If you are constructing a connection string dynamically by accepting the server name from the user, you could be vulnerable to this attack. Here is an example on…

Web Protection Library – new Project

Another post on the new security tools blog about WPL. http://blogs.msdn.com/securitytools/archive/2009/07/09/web-protection-library-wpl-a-brief-introduction.aspx Thanks RV

Threat Analysis and Modeling 3.0 Video

Here is a video that I did a couple of weeks back about the TAM 3.0 release. It gives some details on the new features and how we started working on the TAM 3.0 release. Will post more details as I get them. https://channel9.msdn.com/posts/Jossie/Thread-Analysis–Modeling-Tool-TAM-30/ Thanks Anil RV

Introducing SDL-LOB

If you are writing .NET applications, chances are that one of them could be the next big LOB application in your organization. Securing those applications can be a problem without an objective methodology. SDL-LOB provides a framework for securing Line of Business (LOB) applications that overlays your standard SDLC phases. It defines certain activities…

System.Security.SecureString Part II

Second part of the SecureString blog post. Check it out at http://blogs.msdn.com/cisg/archive/2008/12/17/secure-string-in-net-part-ii.aspx. Thanks RV

How the Anti-XSS 3.0 SRE Works

Published a new blog post on how the SRE works internally. Kind of a starter course on the Anti-XSS SRE code. Check it out at How the Anti-XSS 3.0 SRE Works. Thanks RV

Anti-XSS Webcast

On January 9th there will be a TechNet webcast about Anti-XSS v3.0. This will showcase some of the improvements made to the Anti-XSS library. The webcast registration URL is http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032398771&Culture=en-US. Thanks RV

Security Deployment Review Tool Webcast

A deployment review is a process that checks a host for security settings, mostly those that affect the applications hosted on it. A TechNet webcast has been scheduled to introduce an automated tool that checks deployment security settings. The webcast is on 12/15/2008 from 10:30 AM to 11:30 AM, and the following is the…


From a security perspective, what's wrong with this code?

<html>
<head>
  <title>Welcome Page</title>
  <script language="JavaScript">
    function openNewWindow()
    {
      window.open('<%=Server.HtmlEncode(Request.QueryString["URL"])%>');
    }
  </script>
</head>
<body>
  Welcome <%=Context.User.Identity.Name %>
  <br/>
  Click <a href="javascript:openNewWindow();">here</a>
  to open the link in new window.
</body>
…