Lynn's slides - Jan 2008 Allup » SlideShare
Original slides and session recordings - http://www.msdnevents.com/resources/2008-winter-resources.aspx
Avoid Common Security Vulnerabilities for ASP.NET applications
HelloSecureWorld - http://www.hellosecureworld.com
'How Do I?' Security on MSDN - http://msdn2.microsoft.com/en-us/security/bb896640.aspx
SDL - Security Development Lifecycle on MSDN - http://msdn.microsoft.com/msdnmag/issues/07/11/SecDefects/default.aspx
Design Guidelines for Secure ASP.NET sites - http://msdn2.microsoft.com/en-us/library/aa302420.aspx
MS Anti X Scripting Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en
Using RegEx - http://msdn2.microsoft.com/en-us/library/ms998267.aspx
ViewStateUserKey - http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx
Best Developer security book ever - Writing Secure Code 2 - http://www.microsoft.com/mspress/books/5957.aspx
Security horror stories - XSS attack - http://www.davidairey.co.uk/google-gmail-security-hijack/
What is the advantage of using the Anti XSS libraries vs. simply using Server.HtmlEncode.
The following Is an excerpt from .NET Data-bound Web controls & (anti)XSS - Some Considerations:
Further information such as the following can be found at Microsoft Anti-Cross Site Scripting Library V1.5 is Released!
Great Article with example attacks.
IIS 7.0 for Developers
General site - http://www.iis.net/default.aspx
Virtual labs - http://virtuallabs.iis.net/
Video - http://www.iis.net/default.aspx?tabid=2&subtabid=26&i=1141
Asli Bilgin whiteboard on IIS 7.0 for developers - http://news.zdnet.com/2422-13569_22-153107.html
How to set up WAS - http://www.devx.com/VistaSpecialReport/Article/33831
About svcutil - http://msdn2.microsoft.com/en-us/library/aa347733.aspx
WCF hosted in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/Windows-Communication-Foundation--WCF-/Writing-a-Web-Service-hosted-in-IIS7
Intro to ApplicationHost.config - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Introduction-to-ApplicationHost-config
Deep Dive IIS 7.0 configuration - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Deep-Dive-into-IIS7-Configuration
Security Changes between IIS 6.0 and IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/Changes-between-IIS6-and-IIS7-Security
Output caching in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Optimizing-Performance/Using-Output-Cache/IIS7-Output-Caching
Developer Center on IIS.NET - http://www.iis.net/default.aspx?tabid=7&subtabid=711
ASP.NET integration with IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/ASP-NET/ASP-NET-Integration-with-IIS7
About IIS 7.0 Handlers and Modules (recapped from the link below)
A module, similar to the ISAPI filter in previous IIS versions, participates in the request processing of every request in order to change or add to it in some way. Examples of some in-the-box modules in IIS7 include authentication modules, which manipulate the authentication status of the request, compression modules that compress the outgoing response, and logging modules that log information about the request to the request logs.
The module is a .NET class that implements the ASP.NET System.Web.IHttpModule interface, and uses the APIs in the System.Web namespace to participate in one or more of ASP.NET’s request processing stages.
A handler, similar to the ISAPI extension in previous IIS versions, is responsible for handling the request and producing the response for specific content types. The main difference between the module and the handler is that the handler is typically mapped to a particular request path or extension, and supports the processing of a specific server resource to which that path or extension corresponds. Examples of handlers provided with IIS7 include ASP, which processes ASP scripts, the static file handler, which serves static files, and ASP.NET’s PageHandler which processes ASPX pages.
The handler is a .NET class that implements the ASP.NET System.Web.IHttpHandler or System.Web.IAsyncHttpHandler interface, and uses the APIs in the System.Web namespace to produce an http response for specific content it supports.
When planning to develop an IIS7 feature, the first question you should ask is whether this feature is responsible for serving requests to a specific url/extension, OR applies to all/some requests based on arbitrary rules. In the former case, your should be a handler, and in the latter, a module.
Developing Custom Handlers or Modules for IIS 7.0 - http://mvolo.com/blogs/serverside/archive/2007/08/15/Developing-IIS7-web-server-features-with-the-.NET-framework.aspx
IIS 7.0 Managed Modules Starter Kit for Developers - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1302