[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Fsfe-uk] Peruvian Case for Free Software

From: Dinis Cruz
Subject: RE: [Fsfe-uk] Peruvian Case for Free Software
Date: Fri, 17 Sep 2004 13:08:37 +0100

> > > Dinis Cruz
> > > .Net Security Consultant
> >
> > That sounds like a painful, painful job ;)
> On the contrary it could mean a lot of lucrative work ;-)

Well, yes and not. I regularly find myself if the position where nobody
wants to hear what I have found and want to report.

Most of the industry doesn't really care with .Net security, since there
haven't been many attacks and everybody is still taking the position "...if
it hasn't been attacked, don't protect it..."

Take for example the ISPs. For the last year I have been calling their (and
Microsoft's) attention to the fact that the shared "Full Trust Asp.Net
hosting environments services" that they are providing to their clients is
massively insecure and easy to compromise by malicious users. 

        - Since there have been no major attacks, these ISPs don't care. 
        - Since the clients are not aware of the problem, they don't care
        - And since Microsoft doesn't have any real solution for the
problem, they don't acknowledge it.

But, I can't complain since I am currently quite busy doing very interesting
projects that allow me to work remotely (i.e. from home / the café Nero in
Chiswick where I am writing this message) and spend quality time with my 15
month little girl :)

Although it does have some irony the fact that one of my current projects is
a very high profile "Writing Secure Code" 3 and 5 day training course :).
Maybe after the course is delivered the .Net security market will start to
pick up.

If any of you are interested in Asp.Net security, I would invite you to see
the work that I am doing at OWASP (Open Web Application Security Project)
where I have created several Open Source tools which test the security of
Asp.Net hosting environments (see the dotnet section of
http://www.owasp.org) and published quite a lot of information in this

If fact I am just about to start a European Free/Open Source project to
develop an Free/Open Source "Black Box Web Application Security Scanner". I
would like to know your opinion on this, so I when I have the time I will
write a small document which I will post here so that you can comment.

Best regards

Dinis Cruz
.Net Security Consultant

reply via email to

[Prev in Thread] Current Thread [Next in Thread]