I've been thinking about future cities this recent Earth Day. I have children and I'd like to leave them the futuristic Earth that I've always dreamed of. We still don't have flying cars, but today's mobile devices are pretty cool, so I'll call that a wash. I was reading an article about using cisterns for a distributed water collection system. It makes sense for several reasons, including energy cost and sustainability. In addition, it provides security for the water supply, as there is a source of fresh water close to the people who need to consume it. In South Florida, I've seen the same thing with inline generators installed at people's homes. This idea isn't as green as collecting rainwater, but from a security standpoint they are both taking the same approach. The next step is Energy Smart Miami, which provides consumers with a window into their energy consumption as well as communication between the energy grid and endpoints at homes and businesses to better manage consumption.
Any distributed system, technical, personal or otherwise, is going to have some similar characteristics. These systems have distributed decision making, with authority for local actors to make decisions without having to contact a central point. This allows local nodes to focus on managing local resources as well as using system resources as necessary. Large organizations (hopefully) act in the same way, providing autonomy to smaller, more agile teams, while communicating enough to provide support across the larger organization. As technology and communication become cheaper and richer, it makes sense to develop products, organizations, governments, communities and systems that can stand alone and focus on local needs, while being participants in a greater system. Think Global, Act Local.
I have been looking into authentication issues between web servers and application servers, and the system engineer I have been working with introduced me to a great new tool called DelegConfig. This is an ASP.NET web application that you can install on the web server that you are troubleshooting, and it tests Kerberos delegation and authentication with databases, application servers, and domain controllers. This tool supports IIS 5, 6, 7, and 7.5. The report is easy to understand and lets you see at a glance where your problem is.
Once installed, you open a browser and hit the application and it will check the Kerberos settings for the account the application pool is using. Once you have checked and fixed any of those settings, you can test backend systems as well to make sure your "double-hop" settings are working. There are tests for access to file servers, Active Directory, SQL/SSAS/OLAP, as well as web servers.

Static code analysis can improve software security by looking for common security errors like (SQL/XML/LDAP) injection, Cross Site Scripting (XSS), and more. Generally this is done by looking for malformed queries where malicious input can be injected. The CAT.NET tool from Microsoft goes one better and analyzes the data as it flows from trusted (or untrusted) inputs to output. This is a great QA check as well as a teaching tool for developers to understand where their applications may be vulnerable to attack.
The tool is available as a Visual Studio plugin or command-line tool. It will scan your object code (assemblies) and provide a report for you to review. Microsoft offers a tool to handle XSS attacks known as the Anti-XSS library. For the remainder of the errors, you are on your own to mitigate them.
I was writing some code to search Active Directory with an LDAP query. CAT.NET found this and marked it as a vulnerability for LDAP injection. I made sure to sanitize the input (and decorate the method with a System.Diagnostics.CodeAnalysis.SuppressMessage attribute), and it disappeared from the report. This is a great tool to use in a daily build to ensure common security bugs can be eliminated.
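The fix described above, as an added example (not the post's own code): the LDAP filter value is escaped per RFC 4515 before it is concatenated into the query, shown next to the raw-concatenation version that CAT.NET flags. The `SuppressMessage` category and check ID are placeholders; the real values come from the CAT.NET report.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.DirectoryServices;
using System.Text;

public static class LdapSearch
{
    // Escape the characters that carry meaning inside an LDAP filter value (RFC 4515).
    public static string EscapeFilterValue(string value)
    {
        if (value == null) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // VULNERABLE: raw concatenation of user input, the pattern CAT.NET reports as LDAP injection.
    public static string UnsafeFilter(string userName) =>
        "(&(objectClass=user)(sAMAccountName=" + userName + "))";

    // FIXED: the value is escaped, so filter metacharacters in the input stay literal.
    public static string SafeFilter(string userName) =>
        "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(userName) + "))";

    // Category and CheckId are placeholders; copy the real ones from the CAT.NET report.
    [SuppressMessage("PLACEHOLDER-Category", "PLACEHOLDER-CheckId",
        Justification = "Input is escaped by EscapeFilterValue before it reaches the filter")]
    public static SearchResult FindUser(DirectoryEntry root, string userName)
    {
        using (var searcher = new DirectorySearcher(root, SafeFilter(userName)))
            return searcher.FindOne();
    }

    public static void Main()
    {
        // Constructed input containing filter metacharacters; compare the two filters it produces.
        string input = "*)(objectClass=*";
        Console.WriteLine(UnsafeFilter(input));
        Console.WriteLine(SafeFilter(input));
    }
}
```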