ASP.NET Developer Security MSDN events – slides & links


Lynn's slides - Jan 2008 Allup » SlideShare

Original slides and session recordings -


Session Links

Avoid Common Security Vulnerabilities for ASP.NET applications

HelloSecureWorld -

'How Do I?' Security on MSDN -

SDL - Security Development Lifecycle on MSDN -

Design Guidelines for Secure ASP.NET sites -

MS Anti X Scripting Library -

Using RegEx -

Encrypting Web.Config  - &

ViewStateUserKey -

Best Developer security book ever - Writing Secure Code 2 -

Security horror stories - XSS attack -

What is the advantage of using the Anti XSS libraries vs. simply using Server.HtmlEncode.

The following Is an excerpt from .NET Data-bound Web controls & (anti)XSS - Some Considerations:

“A prime example of how Version 1.5 of Microsoft Anti-Cross Site Scripting Library provides greater protection against XSS is illustrated via the availability of its JavaScriptEncode Encoding Method to protect vulnerable application values that are used directly within existing JavaScript blocks. Such values would still be vulnerable to XSS if they were only subjected to encoding via the classic HtmlEncode/UrlEncode utilities.”

Further information such as the following can be found at Microsoft Anti-Cross Site Scripting Library V1.5 is Released!

Great Article with example attacks.

IIS 7.0 for Developers

General site -

Virtual labs -

Video -

Asli Bilgin whiteboard on IIS 7.0 for developers -

How to set up WAS -

About svcutil -

About appcmd.exe

WCF hosted in IIS 7.0 -

Intro to ApplicationHost.config -

Deep Dive IIS 7.0 configuration -

Security Changes between IIS 6.0 and IIS 7.0 -

Output caching in IIS 7.0 -

Developer Center on IIS.NET -

ASP.NET integration with IIS 7.0 -

About IIS 7.0 Handlers and Modules (recapped from the link below)

A module, similar to the ISAPI filter in previous IIS versions, participates in the request processing of every request in order to change or add to it in some way.  Examples of some in-the-box modules in IIS7 include authentication modules, which manipulate the authentication status of the request, compression modules that compress the outgoing response, and logging modules that log information about the request to the request logs.

The module is a .NET class that implements the ASP.NET System.Web.IHttpModule interface, and uses the APIs in the System.Web namespace to participate in one or more of ASP.NET’s request processing stages.

A handler, similar to the ISAPI extension in previous IIS versions, is responsible for handling the request and producing the response for specific content types.  The main difference between the module and the handler is that the handler is typically mapped to a particular request path or extension, and supports the processing of a specific server resource to which that path or extension corresponds.   Examples of handlers  provided with IIS7 include ASP, which processes ASP scripts, the static file handler, which serves static files, and ASP.NET’s PageHandler which processes ASPX pages.

The handler is a .NET class that implements the ASP.NET System.Web.IHttpHandler or System.Web.IAsyncHttpHandler interface, and uses the APIs in the System.Web namespace to produce an http response for specific content it supports.

When planning to develop an IIS7 feature, the first question you should ask is whether this feature is responsible for serving requests to a specific url/extension, OR applies to all/some requests based on arbitrary rules.  In the former case, your should be a handler, and in the latter, a module.

Developing Custom Handlers or Modules for IIS 7.0 -

IIS 7.0 Managed Modules Starter Kit for Developers -

Comments (5)

  1. ccatto says:

    Hey now Lynn,

    Great Post, really good resource. I don’t think I’m going to make this session this quarter & am real glad you post this so I can go though it.

    Thx 4 the info,


  2. Larry says:

    I think she gave us too much work for a Monday 😉 Thanks for all the great links.  Missed you at geekSpeak.

  3. Lynn Langit (my colleague on the geekSpeak webcast series) posted a great set of resources for this quarter’s

  4. Lynn Langit (my colleague on the geekSpeak webcast series) posted a great set of resources for this quarter's

Skip to main content