The document outlines an agenda for a security event, including a session on .NET security from 17:45-19:00 led by Radu Vunvulea, followed by a break and then a session on actor based concurrency in Elixir from 19:30-20:30 led by Adrian Magdas. It then discusses various .NET security topics like the ELMAH error logging module, sensitive information disclosure, known vulnerabilities, and approaches for addressing security vulnerabilities.
8. @ITCAMPRO
ELMAH
• Error Logging Modules and Handlers
• Can be added to an ASP.NET application dynamically (an HTTP module and handler registered in web.config, no code changes)
• Logs unhandled exceptions
• Web page (the elmah.axd handler) to see:
–All exceptions
–Details for each exception
–Review the original yellow/blue screen of death even with customErrors mode turned off
12. Post Day 0
• After Day 0, ELMAH announced that the security guidelines were updated to:
– Update the web app configuration (restrict remote access to the error log page and put an authorization rule on its path)
– Register a custom handler for this location
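The configuration change the deck refers to, as an added example (not from the deck and not the ELMAH project's own sample config). It shows the weak web.config that exposed elmah.axd beside a hardened one. The role name "Administrator" and the IIS integrated-mode handler entry are assumptions for this example; the ErrorLogModule registration that does the logging is unchanged by the fix and is left out here.

```xml
<!-- Added example, not from the deck or the ELMAH project.
     Assumptions: ASP.NET on IIS integrated mode, forms/Windows auth with a
     role named "Administrator". Adapt the role name to your application. -->

<!-- BEFORE (the state the deck calls Day 0): handler registered, remote access
     on, no authorization rule. Anyone can open https://site/elmah.axd. -->
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>
  <elmah>
    <security allowRemoteAccess="true" />
  </elmah>
  <system.webServer>
    <handlers>
      <add name="ElmahErrorLog" verb="POST,GET,HEAD" path="elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>

<!-- AFTER: remote access off, and, where the log must be readable from outside
     the box, the path is gated by ASP.NET authorization so only authenticated
     members of the admin role ever reach the handler. -->
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>
  <elmah>
    <!-- "false": elmah.axd answers only requests from the local machine -->
    <security allowRemoteAccess="false" />
  </elmah>
  <system.webServer>
    <handlers>
      <add name="ElmahErrorLog" verb="POST,GET,HEAD" path="elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
  <!-- Second line of defence; the only thing between the internet and the log
       if you deliberately turn allowRemoteAccess back on. -->
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, request /elmah.axd anonymously from outside the server: with the hardened config the response is a refusal (local-only access) or a redirect to the login page, never the error list.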
15. After the update (January 2013)
• More than 190,000 sites were still vulnerable, exposing:
– Internal stack traces
– SQL queries
– Access tokens
– Server variables (the request's HTTP_COOKIE among them)
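The check a site owner would want after reading the numbers above, as an added example (not from the deck and not an ELMAH tool): a small console program that asks one application whether its ELMAH page is reachable anonymously. It assumes the handler sits at the default elmah.axd path and fingerprints the response on the "Error Log for" title that ELMAH's default log page emits; both are assumptions, and the classification is kept in a pure function so it can be reasoned about without a network. Run it only against hosts you are authorized to test.

```csharp
// Added example, not from the deck or the ELMAH project.
// Assumptions: handler at the default path elmah.axd; ELMAH's default page
// title "Error Log for <app> on <host>" is used as the fingerprint.
// Requires System.Net.Http (.NET Framework 4.5+ or .NET Core).
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

enum ElmahExposure { Absent, Protected, Exposed, Unknown }

static class ElmahCheck
{
    // Pure classification of one HTTP response, no network involved.
    public static ElmahExposure Classify(HttpStatusCode status, string body)
    {
        body = body ?? string.Empty;
        switch (status)
        {
            case HttpStatusCode.NotFound:
                return ElmahExposure.Absent;          // handler not registered at this path
            case HttpStatusCode.Unauthorized:
            case HttpStatusCode.Forbidden:             // allowRemoteAccess="false" or an authorization deny
            case HttpStatusCode.Found:                 // forms-auth redirect of an anonymous user to the login page
            case HttpStatusCode.SeeOther:
                return ElmahExposure.Protected;
            case HttpStatusCode.OK:
                // 200 with the ELMAH title means every logged exception is world-readable.
                return body.IndexOf("Error Log for", StringComparison.OrdinalIgnoreCase) >= 0
                    ? ElmahExposure.Exposed
                    : ElmahExposure.Unknown;          // 200 but some other page (catch-all route, custom error page)
            default:
                return ElmahExposure.Unknown;
        }
    }

    // Fetch elmah.axd relative to the application root without following redirects,
    // so a login redirect is seen as such instead of being swallowed.
    public static async Task<ElmahExposure> ProbeAsync(string appRootUrl)
    {
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using (var client = new HttpClient(handler))
        {
            client.Timeout = TimeSpan.FromSeconds(10);
            // appRootUrl must end with "/" for a virtual directory, e.g. https://host/app/
            var uri = new Uri(new Uri(appRootUrl), "elmah.axd");
            using (var response = await client.GetAsync(uri))
            {
                string body = await response.Content.ReadAsStringAsync();
                return Classify(response.StatusCode, body);
            }
        }
    }

    static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: ElmahCheck https://your-site.example/");
            return 2;
        }
        ElmahExposure result = ProbeAsync(args[0]).GetAwaiter().GetResult();
        Console.WriteLine(args[0] + " -> " + result);
        return result == ElmahExposure.Exposed ? 1 : 0;   // non-zero exit so a deployment pipeline can fail on it
    }
}
```

Exposed means the list page is public; the detail page behind each entry is where the stack traces, SQL text and server variables listed above are shown, so an Exposed result is the finding, not a lead to chase further.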
20. What was missing on these sites
• Updates
• Security and update procedures that ensure vulnerability hotfixes are pushed to the production environments in near real time
21. Other vulnerabilities
• Buffer overflow (collections)
• External libraries
• Calling unmanaged code
• Old cryptographic mechanisms
• Default, unsafe or shared keys for cryptography
• Ignoring security guidelines
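The two cryptography items on this slide side by side, as an added example that is not from the deck: the "old mechanism with a shared key" pattern (DES in ECB mode, one key compiled into every deployment) beside a replacement built from AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) and per-installation random keys. It assumes .NET Framework 4.5+ or .NET Core; where the keys are stored (DPAPI, a key vault) is left to the deployment and is not shown.

```csharp
// Added example, not from the deck. Assumes .NET Framework 4.5+ / .NET Core.
using System;
using System.Security.Cryptography;
using System.Text;

static class LegacyCrypto
{
    // VULNERABLE: 56-bit DES, ECB mode, and one key baked into every deployment.
    static readonly byte[] SharedKey = Encoding.ASCII.GetBytes("12345678");

    public static byte[] Encrypt(byte[] plaintext)
    {
        using (var des = DES.Create())
        {
            des.Mode = CipherMode.ECB;   // equal plaintext blocks -> equal ciphertext blocks
            des.Key = SharedKey;         // anyone with the binary or the repository has it
            using (var enc = des.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }
}

static class AuthenticatedCrypto
{
    const int IvSize = 16, TagSize = 32;

    // Generated once per installation and kept in a protected store, never in source.
    public static byte[] NewKey(int bytes)
    {
        var key = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Output layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            aes.GenerateIV();            // fresh random IV for every message
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var output = new byte[IvSize + ct.Length + TagSize];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvSize);
            Buffer.BlockCopy(ct, 0, output, IvSize, ct.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(output, 0, IvSize + ct.Length);
                Buffer.BlockCopy(tag, 0, output, IvSize + ct.Length, TagSize);
            }
            return output;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvSize + TagSize) throw new CryptographicException("blob too short");
        int ctLen = blob.Length - IvSize - TagSize;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, IvSize + ctLen);
            int diff = 0;                // constant-time compare: no early exit on mismatch
            for (int i = 0; i < TagSize; i++) diff |= expected[i] ^ blob[IvSize + ctLen + i];
            if (diff != 0) throw new CryptographicException("authentication failed");
        }
        using (var aes = Aes.Create())   // only reached for an untampered blob
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            var iv = new byte[IvSize];
            Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvSize, ctLen);
        }
    }

    static void Main()
    {
        byte[] encKey = NewKey(32), macKey = NewKey(32);
        byte[] blob = Encrypt(Encoding.UTF8.GetBytes("session=abc123"), encKey, macKey);
        blob[blob.Length - 1] ^= 1;      // flip one bit of the tag
        try { Decrypt(blob, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Checking the tag before touching the ciphertext is what keeps a padding-oracle style attack on CBC off the table; the separate encryption and MAC keys avoid reusing one key for two purposes.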
24. C# - Specific coding security
• Type-safe language
• Runs on top of the .NET platform
• Memory-safety vulnerabilities (buffer overflows, use of freed memory) in C# code are possible only if:
–> the .NET platform has a bug
–> an external library has a bug
–> the code steps outside the managed platform (unsafe blocks, P/Invoke into unmanaged code)
• Type safety says nothing about logic, injection or cryptographic mistakes, which remain the developer's responsibility (see the previous slides)
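Where the type-safety guarantee stops, as an added example (not from the deck) covering the "calling unmanaged code" and "buffer overflow" items of slide 21 and the third bullet of this slide: the same out-of-bounds write is caught by the runtime when done through a managed array, and silently corrupts the heap when done through an unsafe pointer or through a C runtime function called via P/Invoke. It assumes compilation with unsafe code allowed and, for the P/Invoke part, Windows (msvcrt.dll).

```csharp
// Added example, not from the deck. Assumes /unsafe (AllowUnsafeBlocks) and,
// for the P/Invoke part, Windows with msvcrt.dll present.
using System;
using System.Runtime.InteropServices;

static class MemorySafetyDemo
{
    // Managed: the JIT inserts a bounds check, so the bad index throws instead of
    // writing past the array.
    public static bool ManagedWrite(byte[] buffer, int index)
    {
        try { buffer[index] = 0xFF; return true; }
        catch (IndexOutOfRangeException) { return false; }
    }

    // Unsafe context: pointer arithmetic is not bounds-checked. With index >= Length
    // this overwrites whatever the GC placed after the array (another object's
    // header, its method table pointer, ...). Nothing is thrown here.
    public static unsafe void UnsafeWrite(byte[] buffer, int index)
    {
        fixed (byte* p = buffer)
        {
            p[index] = 0xFF;             // no check: undefined behaviour for the process
        }
    }

    // Unmanaged: the C runtime's memcpy trusts the length the caller passes.
    [DllImport("msvcrt.dll", CallingConvention = CallingConvention.Cdecl)]
    static extern IntPtr memcpy(byte[] dest, byte[] src, UIntPtr count);

    public static void UnmanagedCopy(byte[] dest, byte[] src)
    {
        // BUG on purpose: length taken from src alone -> heap overflow when src is longer than dest
        memcpy(dest, src, (UIntPtr)src.Length);
    }

    // Safe equivalent: Buffer.BlockCopy validates both lengths and throws ArgumentException.
    public static bool ManagedCopy(byte[] dest, byte[] src)
    {
        try { Buffer.BlockCopy(src, 0, dest, 0, src.Length); return true; }
        catch (ArgumentException) { return false; }
    }

    static void Main(string[] args)
    {
        var small = new byte[8];
        Console.WriteLine("managed write succeeded: " + ManagedWrite(small, 16));            // False: caught
        Console.WriteLine("managed copy succeeded:  " + ManagedCopy(small, new byte[64]));   // False: caught

        if (args.Length > 0 && args[0] == "--corrupt")
        {
            // Both calls write past 'small'. There is no exception at this point; the
            // damage shows up later, somewhere else, as a crash or a silent data change.
            UnsafeWrite(small, 16);
            UnmanagedCopy(small, new byte[64]);
            Console.WriteLine("no exception, but the heap is now corrupt");
        }
    }
}
```

In a code review, `unsafe`, `fixed`, `stackalloc`, `Marshal.*` and `[DllImport]` are the places to look for this class of bug in a C# code base; everywhere else the runtime's bounds and type checks stand in for the reviewer.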