Hung out today to watch my buddy Zain deliver his Microsoft Across America presentation. Cool stuff and he did an awesome job (as always)!
So ... some resources that were mentioned out there today:
OWASP (Open Web Application Security Project): www.owasp.org. All kinds of great stuff here.
Houston OWASP Group: http://www.owasp.org/index.php/Houston. David Nester runs this. Great guy ... and great content.
For completeness, two other great resources for security stuff:
Microsoft Security Central: http://www.microsoft.com/security/default.mspx. One place for all kinds of security related content, from end-user to advanced administrator.
MSDN Security Developer Center: http://msdn2.microsoft.com/en-us/security/default.aspx. Good resources for security-conscious devs, including how-to videos and more. Also has a link to Michael Howard's blog where you'll find all kinds of good security stuff. He's one of the authors of Writing Secure Code. And that book changed my life. I am not kidding there. It was eye-opening and terrifying the first time I read it.
When you remove all of the modules in IIS 7, it returns an HTTP 401 (Unauthorized). This is different from HTTP 403 (Forbidden). With 401, authentication will make no difference. Here is the raw response:
HTTP/1.1 401 Unauthorized
Date: Fri, 11 Jan 2008 01:51:02 GMT
I got this from Fiddler. Now, why it didn't work for Zain, I can't say. I think he was jinxed.
ASP.NET Membership Provider Stuff
Here's where the Access Providers live: http://msdn2.microsoft.com/en-us/asp.net/aa336558.aspx. There is also a bunch of good stuff for creating providers there. Here's a web cast that goes through it as well: http://www.asp.net/learn/videos/video-189.aspx. And, if you are going to do your own provider, keep your eyes here. I'm going to talk about hashing shortly ... this is the best way to store passwords!
Adding users to ASP.NET membership in code (like when you need to import several thousand records):
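An added example (not the author's original code) of such an import using Membership.CreateUser and its status-returning overload. It assumes a membership provider is configured with passwordFormat="Hashed" and requiresQuestionAndAnswer="false"; the ImportRecord type, the MembershipImporter class and the sample records are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;   // requires a reference to System.Web.dll

// Hypothetical shape of one row being imported.
public class ImportRecord
{
    public string UserName;
    public string Email;
}

public static class MembershipImporter
{
    // Constructed sample input; the second row repeats the first user name.
    public static List<ImportRecord> SampleRecords()
    {
        return new List<ImportRecord> {
            new ImportRecord { UserName = "alice", Email = "alice@example.com" },
            new ImportRecord { UserName = "alice", Email = "alice2@example.com" }
        };
    }

    // Creates one membership user per record. Returns the rows that failed,
    // keyed by user name, with the status the provider reported.
    public static Dictionary<string, MembershipCreateStatus> ImportUsers(
        IEnumerable<ImportRecord> records)
    {
        var failures = new Dictionary<string, MembershipCreateStatus>();
        foreach (ImportRecord record in records)
        {
            // Random per-user temporary password instead of a shared default.
            // The provider stores only its hash, so users set their own
            // password through the reset flow.
            string tempPassword = Membership.GeneratePassword(16, 2);

            MembershipCreateStatus status;
            Membership.CreateUser(record.UserName, tempPassword, record.Email,
                null,   // passwordQuestion (assumes requiresQuestionAndAnswer="false")
                null,   // passwordAnswer
                true,   // isApproved
                out status);

            // This overload reports problems (DuplicateUserName, InvalidEmail,
            // ...) through 'status' rather than throwing, so one bad row does
            // not abort the whole import.
            if (status != MembershipCreateStatus.Success)
                failures[record.UserName ?? "(null)"] = status;
        }
        return failures;
    }
}
```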
There are a few overloads for this that have different options (of course). Now ... the other thing that you can do is to create a membership provider that uses the existing database. There's a couple of ways to skin that cat. (Poor kitty!)
I think that's all ... I'm out!