First week of MSDN Security Goodness

Monday, March 15, 2004

I just finished up my first week of doing MSDN security briefings for Microsoft. I had a great time with the audiences in Albany, NY and Staten Island, NY. Both audiences were very attentive and asked some great questions. I’m looking forward to this week’s talks in Roanoke, VA, and Charlottesville, VA on Tuesday and Thursday of this week. So if you’re in those areas, and want to learn more about what you can do as a developer to create more secure applications, sign up, and come on down!

Coincidentally, I noticed that my fellow ASPInsider, Paul Glavich, has cobbled together a managed wrapper library for using DPAPI from within managed code. DPAPI is a Win32 encryption library that’s included with later versions of Windows, and we demonstrate using it for encrypting connection strings in the second of the two sessions I give. Here’s Paul’s announcement:

I have written a DPAPI Managed wrapper that was pretty much taken from MSDN examples and had some extra functions added for ease of use (EncryptString, DecryptString). It uses an attribute mechanism to sandbox calls to the unmanaged functions/libraries.

The library can be found here, including full source code.

No big deal but it works well, nothing fancy, although there are rumours it can grow back amputated limbs, however I cannot confirm or deny this... ;-)

[Paul Glavich]

I haven’t used Paul’s library, but I know that DPAPI is a great tool for encrypting those secrets that you have to store (rule #1 of secrets…don’t store a secret if you don’t have to), so you may want to take a look.

More upcoming events I’ll be presenting in this series:

3/22 – Akron, OH
3/25 – Butler, PA (Pittsburgh area)
4/13 – Uniondale, NY
4/15 – Rochester, NY
4/20 – Pensacola, FL
4/22 – Fort Walton Beach, FL
4/27 – Portland, ME
4/29 – Bangor, ME
5/11 – Cumberland, MD
5/12 – Hagerstown, MD
5/13 – Baltimore, MD
5/18 – Richmond, VA
5/19 – Norfolk, VA
6/1 – Allentown, PA
6/2 – North Brunswick, NJ

I’ll get links up for the later events as soon as they’re available…if you’re in one of those areas, please sign up and spend the afternoon learning about developer security.

Well, I look forward to the June 2nd North Brunswick briefing! I have added it to Outlook to remind me to register (about a month in advance should be OK, correct? That session does not have registration info yet).

Doug Reilly - Monday, March 15, 2004 2:21:00 PM

Will be in Charlottesville

Greg Robinson - Monday, March 15, 2004 2:57:00 PM

We wil have to get together when you are in North Brunswick. Its about 5 minutes from my house.

-Scott

Scott - Monday, March 15, 2004 3:10:00 PM

I haven't looked at his, but I was going to write one that follows the code library design guidelines (particularly taking out the all-caps stuff and maybe stuffing the constants into an enum). Did he do that?

Always ironic when MS doesn't follow their own guidelines. :-)

J. Ambrose Little - Friday, March 19, 2004 7:33:00 PM

Ambrose,

I don't know what Paul's library looks like, as I've not looked at it yet. I just wanted to give folks a heads up, since I know that it's a 'good thing' to be able to access DPAPI from managed code.

G. Andrew Duthie - Friday, March 19, 2004 7:43:00 PM

Andrew, I am looking forward to your visit to Allentown, PA. I'll be on the lookout for registration to open.

Terri Morton - Sunday, April 11, 2004 4:15:00 AM

6 Comments