Last week I got to attend the Microsoft Security Summit in Detroit. The event lasted an entire business day, and was broken down into a keynote address followed by four sessions that covered three different tracks: 200 Level Networking, 300 Level Networking and 200 Level Developer. I personally attended all four Developer sessions.
The keynote address was given by Tom Button, VP of the Windows product management group. He gave a dynamic talk and clearly outlined Microsoft’s broad range of security efforts. Most of the focus was on XP and Windows 2003 server. During his presentation there was a demo of XP sp2. It looked good, I need to see more so the XP sp2 RC1 CD that every attendee got will come in handy. Tom laid out an excellent view of Microsoft’s vision of security as well as an overview of all the current intiatives and their future directions.
Of the four Developer sessions, three were OK and one was terrific. Of the three that were OK, much of the material was an overview or shallow demos (it is a 200 Level track). For instance cryptography and and impersonation were explained in the first session, with a demo of installing a SSL certificate and a demo of the authentication options for a web site. The second session covered different types of exploits like buffer overruns and SQL injection with simple demos. It was better than the first session, the speaker was much more excited about the topics and it came across in the presentation.
The third session was a winner. It covered threat modelling in detail, followed by an extensive demo of securing web.config in ASP.Net. The speaker covered a ton of great material there, information that I had to really dig for when I was first trying to secure web.config for my own projects. On top of that, he covered additional information about machine keys that I could really use. The demos in this session were much more in-depth that the previous two.
The last session fell into the pattern of the first two. Much more theoretical and less code.Some of the topics covered included .Net Code security, using the GAC, and using identity and principal objects. The session was better than the first two, but not as in-depth as the third.
Overall, I think Microsoft did an excellent job of presenting a wide range of material at the Summit. Since there was only one Developer track advertised at a 200 level, most of the information was somewhat basic, but if you were new to developing or to .Net it was certainly worthwhile. The speakers included enough advanced material to keep more experienced developers from losing out as well. It’s a difficult balance to strike. For what was promised up front, the Summit delivered.