Anti-XSS begins its evolution. And other new toys.


Mark Curphey has obviously been whipping his team into a frenzy and a new version of CAT.NET, along with WPL and WACA have been announced. They’re all in CTP and available from Connect.

WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (ok, it’s a stupid marketing term I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for getting it right in the first place though). Now I’m wondering if I can take AntiCSRF and use the extensibility bits to put it into the SRE.

WACA (is anyone else hearing pacman noises) is a new configuration checker which will run over your application installation, SQL installation and Windows, look at the configuration and security settings and dump out a report telling you where you’re going wrong, errr, not following best practice.

And CAT.NET is a data flow analyser which will track the flow of input through a system, looking for sanitation/encoding and warning you if you’re reflecting input as output without doing anything sensible with it.

You can be scared by Mark’s pink shirt via his appearance on Channel 9, along with RV where they discuss the new toys.

Now if only CAT.NET understood common provider models or dependency injection/IoC containers and didn’t require the .NET 4.0 runtime.


author: Barry Dorrans | posted @ Friday, November 20, 2009 11:04 AM | Feedback (0)

DDD Scotland Call for Speakers open


This is just to let you know that Developer Day Scotland 2010 is now officially announced and looking for speakers (and there’s a new web site too). If you’d like to submit any sessions please head on over to the site and submit the sessions you want to give.

http://scottishdevelopers.com/2009/11/20/developer-day-scotland-2010/


author: Barry Dorrans | posted @ Friday, November 20, 2009 9:47 AM | Feedback (0)

Want to win a PDC Ticket?


Caption this … the C9 guy meets, errr, MCP man (really? MCP man? What on earth?)

Anyway all you have to do is go to http://www.nxtgenug.net/NewsArticle.aspx?ArticleID=347 and tell us what is MCP Man saying to Channel 9 Guy?  The best/funniest caption wins as decided by the panel of judges (NxtGenUG Co-Founders) and a special Mystery Judge from Microsoft!

Normal rules apply, you can’t claim an equivalent cash prize, the judge’s decision is final blah, blah, blah ... it’s all on the competition page.


author: Barry Dorrans | posted @ Saturday, October 10, 2009 11:45 PM | Feedback (0)

I’m not as annoying as I think …


“Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award!”

Oh and congratulations to two newbies I know - Alex Mackey who is a new MVP (Mordor Versed Professional) and Sara Chipps who is also a new MVP (Most Valuable PrettyThing)

(And of course to everyone else who was renewed or has a shiny new MVP-ness)

author: Barry Dorrans | posted @ Thursday, October 01, 2009 3:16 PM | Feedback (2)

Congratulations – you’re at university, now protect yourself


Now you’re at university it’s time to protect yourself. No, this is not that cringeworthy conversation you had with your parents about where babies come from but some notes on data security.

First up your laptop. That network in the halls of residence? It’s going to contain at least one budding hacker, so make sure you run anti-virus software (that includes you Mac users, there’s malware out there specifically targeting Macs), use a firewall (either the one built into your OS or a third party one) and keep your anti-virus and operating system up to date (that includes you Mac users – Apple are notorious for not releasing security patches in a timely manner, so wipe that smug grin off your face and for heaven’s sake find some jeans that fit properly and use less product in your hair). Oh and back up, a laptop crash will not be an accepted excuse for not submitting your papers.

Your laptop should be password protected. The account you get on a university system will also be password protected. Then there’s your facebook account, your twitter account, your email account, your internet banking, all password protected. This presents a problem for the absent minded, or those whose brains are addled by freshers’ week and the abundance of cheap beer – it’s all too tempting to use a common password for everything. Passwords are like condoms, they shouldn’t be re-used. A couple of months back a Christian dating web site was hacked and their user database stolen, which included email addresses and passwords. The mischief makers then tried the passwords for the dating site against the email accounts from that database. A lot of them worked. Then they tried logging into Facebook using the stolen login details. That worked too, and chaos ensued as the poor innocents from the Christian dating site started publishing updates that they were pregnant, or coming out of the closet or had turned Atheist or to Satanism. Of course their friends didn’t realise their accounts were hacked and took these status updates seriously and hilarity or damage was caused, depending on your point of view (click on the image up there to take a look at one example – yes it’s probably amusing, until it happens to you). If you don’t think you can remember multiple passwords then your browser probably has the facility to remember passwords for you, or third party applications such as lastpass exist to help you. If you use Firefox you should protect your saved passwords by creating a master password by following these simple steps:

  1. Go to Tools > Options > Privacy
  2. Click on the + sign next to the words "Saved Passwords" or, in newer versions of Firefox, click on the "Passwords" tab.
  3. Click on the "Set Master Password" button.
  4. Key in a new "master" password.
  5. Click on OK.

For heaven’s sake make your passwords strong passwords. No pet’s names, no dictionary words, instead choose a password with numbers in it, and mixed case letters. lastpass helps you generate strong passwords for web sites so you don’t have to.

The same applies to your phone. Given that you’re all probably using the latest iProduct, loaded up with everything you can find (because there’s an app for that) your phone has more computing power and connectivity than I had for the first 10 years I used computers (you young people today, you have it easy, etc.). Your phone likely has email, twitter and of course your mum’s phone number in the address book. Lock your phone, keep it locked, don’t put it down unlocked when drinking with your friends otherwise you may find “you’ve” tweeted about your love for Ashley Simpson tunes and text messaged your mother telling her you’ve quit university to join a band, or worse, the Socialist Workers party.

Then there’s the updates you actually make yourself. A facebook status explaining the joyful time you had last night with a member of the opposite (or same) sex you met three hours before may be a cause of some regret. Even if you delete it once you realise what you shared in a drunken haze you can never be sure it’s gone, it may be downloaded to your friends’ computers or worse, been indexed by google – and when that happens it’s never going away. Employers these days are searching social networking sites when looking at potential employees - a potential Cisco applicant tweeted:

Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.

Tim Levad at Cisco saw the Tweet, and tweeted back:

Who is the hiring manager. I’m sure they would love to know that you will hate the work. We here at Cisco are versed in the web.

And those photos of you being sick in the street, or wearing a bra on your head? You don’t want to use those as your facebook profile pic either, just in case people save them or your profile is publicly viewable. Facebook provides ways for you to limit photos, profiles and status updates to particular people – use it! (And hope your friends will never save and republish those pictures on the web).

Remember that the information you put on facebook is viewable to your friends – so don’t put your telephone number, email or address up there unless you fancy getting stalked when you reject someone at the bar who goes a little too far.

Yes you’re going to have fun. Yes you’re going to embarrass yourself. Yes you’re going to sing along to Abba songs. But by protecting your computer and your accounts you can minimise the damage to feeling queasy the next morning when you wake up and remember what you did the night before and discover the traffic cone in your bed.


author: Barry Dorrans | posted @ Wednesday, September 30, 2009 12:12 PM | Feedback (0)

Microsoft Security Essentials is out


For the last few months I’ve been using the beta of Microsoft Security Essentials, Microsoft’s own free anti-virus and anti-spyware program for Windows 7, Vista and XP. It’s now out and available for everyone to download and use.

It’s hard to know if you can recommend anti-virus programmes – it’s not as if I run into many viruses (although on some of the darker sites I visit (security people, not porn) I do occasionally see an attempt to drop spyware or adware, usually through Adobe Acrobat (thanks for that Adobe)). In the last three months Security Essentials has caught four such attempts, but of course you don’t know what it hasn’t caught.

When AV-Test tested MSE they described it as “Very Good”, detecting 3,200 common viruses and no false-positives. The AV-Comparatives folks apparently tested it last month and are due to release the results soon.

What I can say is it’s lightweight (the installer is 4.7 MB) and unobtrusive (although you sometimes see double context menu entries for its scan function). It works on Windows 7 and 64-bit (although not XP 64-bit, Microsoft’s red-headed stepchild of recent operating systems). For now I’m going to continue using it, unless tests show it doesn’t detect very well.

You can download your own copy from the Security Essentials web site. Beta users will need to upgrade to release as well.

author: Barry Dorrans | posted @ Tuesday, September 29, 2009 5:13 PM | Feedback (0)

Wireless presenter mice going cheap on Amazon UK


I love this little mouse, it’s lasted me for 3 years and Amazon UK are selling them cheap right now at £30.04. It comes with a Bluetooth dongle which is pre-paired, but if you already have Bluetooth you don’t have to use it, it will pair like any normal mouse, and that’s a big bonus. MS’s recent mice all have custom receivers and I don’t want that, I already have a Bluetooth receiver in my laptop, so why on earth do I want something hanging off a USB port?

Anyway, highly recommended at this bargain price.

author: Barry Dorrans | posted @ Saturday, September 26, 2009 11:02 PM | Feedback (1)

Missed DDD7? Watch the videos


At DDD7 a lot of the sessions were videoed, but space to put them was hard to find. Until Ben Nunney stepped up, and now they’re all online …

Craig has the details and the links.


author: Barry Dorrans | posted @ Saturday, September 26, 2009 9:33 PM | Feedback (1)

Microsoft release seven Web Application Toolkits (and a security problem)


To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point).

Fired up Visual Studio, took a quick look at the code.

Nice surprises

  • It’s ASP.NET MVC based.
  • Appropriate use of HTML Encoding for both text and attributes. Some things aren’t encoded like dates from the data model, which aren’t strictly necessary, but encoding everything does no harm and should be standard practice.

Amusing surprises

  • It uses Linq2SQL – side note “Dear EF team, No-one likes you. You smell funny”

Silly surprises

  • When creating a list screen the FAQ answers will get chopped to the first X characters. Tags that get caught in this aren’t closed, so you could end up with half an <a href= and the bits of the page won’t be displayed.
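The truncation problem above is worth seeing side by side with a fix. The following is an added example (my own C#, not the toolkit’s code) that contrasts chopping the raw HTML with building a plain-text preview: strip the markup, decode entities so none is cut in half, truncate, and HTML-encode the result. The regex tag-stripper is deliberately simple; the output is safe because it is encoded before it reaches the page, not because the stripping is perfect. The sample answer string is constructed for the demo.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility lives in System.Web.dll

// Added example, not part of the Web Application Toolkit.
public static class AnswerPreview
{
    // Matches anything that looks like a tag. Only used to drop markup for a
    // plain-text preview; safety does not rest on this being a full HTML parser.
    private static readonly Regex TagPattern =
        new Regex("<[^>]*>", RegexOptions.Compiled);

    // The toolkit behaviour described above: cutting raw HTML at a fixed
    // length leaves unclosed tags (e.g. half an <a href=) in the list page.
    public static string UnsafeTruncate(string html, int maxLength)
    {
        if (html == null) return string.Empty;
        return html.Length <= maxLength ? html : html.Substring(0, maxLength);
    }

    // Preview built from text rather than markup:
    //  1. strip tags, 2. decode entities (so "&amp;" is never cut to "&am"),
    //  3. truncate the plain text, 4. encode for output.
    public static string SafePreview(string html, int maxLength)
    {
        if (html == null) return string.Empty;
        string text = HttpUtility.HtmlDecode(TagPattern.Replace(html, string.Empty));
        if (text.Length > maxLength)
        {
            text = text.Substring(0, maxLength).TrimEnd() + "...";
        }
        return HttpUtility.HtmlEncode(text);
    }

    public static void Main()
    {
        // Constructed sample answer, as an admin might have entered it.
        string answer =
            "See <a href=\"http://example.com/faq\">the FAQ</a> &amp; ask in the forum.";

        Console.WriteLine(UnsafeTruncate(answer, 12)); // "See <a href=" - a broken tag
        Console.WriteLine(SafePreview(answer, 12));    // "See the FAQ..."
    }
}
```

Because the preview is encoded on the way out, a stray `<` or `&` in the answer text is rendered as text rather than swallowing the rest of the list.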

Bad surprises.

  • No role based security.
  • You can vote on items multiple times as you can’t register an ordinary user.
  • No CSRF protection on any forms.
  • Admin users can create any response they want – no stripping of bad or unsafe HTML. Which wouldn’t be so bad, you would hopefully trust your admin users …
  • The admin login page has a link to register a user. Which creates a new user. And as there is no role based security the new user is … an administrator.
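To make the last three points concrete, here is an added example (my own code, not the toolkit’s) of what the admin and registration controllers look like with role-based authorisation and CSRF protection in ASP.NET MVC 1.0. It assumes the standard Membership and Roles providers are configured in web.config, that a role named "Administrator" exists, and that the forms in the views emit `Html.AntiForgeryToken()`; the `FaqRepository` type is a hypothetical stand-in for the toolkit’s data access.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical data access used by the example; not the toolkit's type.
public interface IFaqRepository
{
    void AddFaq(string question, string answer, string createdBy);
}

// Every action here requires a signed-in user in the Administrator role.
// Without the Roles= part any registered user could reach these actions.
[Authorize(Roles = "Administrator")]
public class AdminController : Controller
{
    private readonly IFaqRepository repository;

    public AdminController(IFaqRepository repository)
    {
        this.repository = repository;
    }

    // GET: renders the form. The view must include
    //   <%= Html.AntiForgeryToken() %>
    // inside the <form>, which writes the hidden field and cookie pair.
    public ActionResult CreateFaq()
    {
        return View();
    }

    // POST: accepted only with a valid anti-forgery token, so a page on
    // another site cannot submit this form using the admin's session cookie.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult CreateFaq(string question, string answer)
    {
        if (string.IsNullOrEmpty(question) || string.IsNullOrEmpty(answer))
        {
            ModelState.AddModelError("", "Question and answer are required.");
            return View();
        }
        // Answer is stored as entered; sanitise it (e.g. AntiXSS GetSafeHtmlFragment)
        // before rendering if admins should not be able to inject script.
        repository.AddFaq(question, answer, User.Identity.Name);
        return RedirectToAction("Index");
    }
}

public class AccountController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Register(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, null, out status);
        if (status != MembershipCreateStatus.Success)
        {
            ModelState.AddModelError("", status.ToString());
            return View();
        }

        // Deliberately NO Roles.AddUserToRole(userName, "Administrator") here.
        // A self-registered account gets no roles: it can vote (once, if the
        // vote table is keyed on the user name) but cannot reach AdminController.
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }
}
```

Promotion to Administrator should be a separate action, itself under `[Authorize(Roles = "Administrator")]`, so the only way to get the role is to be granted it by someone who already has it.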

Oh dear.

Now reading the announcement for the templates perhaps MS view these things as plugins to your existing site, so you could make the argument that the people that use them already have security configured and know how to think about it. That’s great for you if you’re one of those people, but samples get examined and used by people who want to learn and by people that don’t want to learn at all and just want something that works, people who don’t know security. Worse still is the assumption by a lot of people that samples from Microsoft are “the right way to do things”. Even out of work hours projects by Microsoft staff get labelled like this as Rob Conery found out with his MVC Store Front series and the Oxite team also discovered. However it appears that the Web Application Toolkits are official projects.

Now maybe the other toolkits are better, maybe I’m being as unfair to that team as the ALT.NET folks were to Rob and the Oxite folks, but wearing my security hat I think this is pretty damned poor. I’ve only spent 10 minutes looking, I’m scared to do any in depth analysis now.

(Oh and if you’re in the UK and interested in WebsiteSpark remember you need to be nominated, so talk to Phil Winstanley, as Pixel Programming is a WebsiteSpark partner as well as being a BizSpark Partner).

author: Barry Dorrans | posted @ Saturday, September 26, 2009 11:09 AM | Feedback (0)

AntiXSS gets HTML Sanitation


Version 3.1 of the Microsoft AntiXSS library (binary download) was released on the 15th September and now comes with HTML sanitation. Not content with dropping a new release of the library Anil’s wife also dropped a release of her own and he’s now on paternity leave, which means the new functionality is undocumented for now.

A quick look in the help file shows two new methods, GetSafeHtml and GetSafeHtmlFragment. Both methods have the same three overloads:

  • GetSafeHtml(string) – which takes a string containing the HTML to be made safe
  • GetSafeHtml(TextReader, Stream) – which takes a TextReader as the source of the HTML and outputs to the specified stream
  • GetSafeHtml(TextReader, TextWriter) – which takes a TextReader as the source of the HTML and outputs to the specified text writer.

The difference between GetSafeHtml and GetSafeHtmlFragment lies in the output. GetSafeHtml outputs an html page, wrapping the input in <html> and <body> tags if they’re not there, GetSafeHtmlFragment just strips unsafe HTML from the input, without turning it into a complete page. What’s considered unsafe isn’t documented yet, but it does use a white list of non-scriptable tags and attributes. What you will find is that it is HTML it’s outputting, not XHTML, so if you want to use this to produce safe output for your XHTML site then you’re going to have to pump the output through the HtmlAgilityPack to get XHTML.
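As the functionality is undocumented, here is an added example (mine, not from the AntiXSS help file) exercising all three overloads of both methods on a constructed piece of untrusted markup. It assumes the methods hang off the static AntiXss class in the Microsoft.Security.Application namespace, as the library’s encoders do; the exact output is not shown because the white list itself is not documented yet.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.Security.Application; // AntiXSS 3.1 (AntiXssLibrary.dll)

// Added example; assumes GetSafeHtml/GetSafeHtmlFragment are static members of AntiXss.
public static class SanitiserDemo
{
    public static void Main()
    {
        // Constructed sample: markup an admin might paste, carrying an event
        // handler attribute and a script block that a non-scriptable white list
        // should drop while keeping the <p> and <b>.
        string untrusted =
            "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>" +
            "<script>alert('xss')</script>";

        // 1. string -> string. Fragment: unsafe HTML removed, no page wrapper.
        string fragment = AntiXss.GetSafeHtmlFragment(untrusted);
        Console.WriteLine(fragment);

        // 2. string -> string. Full page: wrapped in <html>/<body> if absent.
        string page = AntiXss.GetSafeHtml(untrusted);
        Console.WriteLine(page);

        // 3. TextReader -> TextWriter, for piping larger documents through.
        var buffer = new StringBuilder();
        using (var reader = new StringReader(untrusted))
        using (var writer = new StringWriter(buffer))
        {
            AntiXss.GetSafeHtmlFragment(reader, writer);
        }
        Console.WriteLine(buffer.ToString());

        // 4. TextReader -> Stream, e.g. straight to a file or Response.OutputStream.
        using (var reader = new StringReader(untrusted))
        using (var output = new MemoryStream())
        {
            AntiXss.GetSafeHtml(reader, output);
            Console.WriteLine(Encoding.UTF8.GetString(output.ToArray()));
        }
    }
}
```

Whichever overload you use, what comes out is HTML rather than XHTML, so on an XHTML site the result still needs a pass through the HtmlAgilityPack before it goes into the page.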

So congrats to Anil on the new babies. I think nappies/diapers come before documentation right now!


author: Barry Dorrans | posted @ Sunday, September 20, 2009 9:54 AM | Feedback (0)