Have to do this from memory, since I was juice-less by this session, and in the meantime I have had dinner and plenty of time to forget details.

Okay, so... basically, what it comes down to is that .NET 4.0 throws out the old and replaces it with the new. There is an improved/new sandboxing model that makes it easy to load code into separate AppDomains with restrictive permissions, so that untrusted code can be put into its own little prison, even when it is a library used by a trusted application.

Very big gasp of disbelief from the presenter when nobody indicated that they were sandboxing their third-party code. I must admit I had never considered that as an option, but it really makes sense why that would be a good idea... if you don't write it yourself, and it is a large library, then you really cannot afford a full security audit. This may be something I should look into and perhaps apply so that we do not get any unexpected behaviour.
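To make the sandboxing point concrete, here is an added example of the .NET 4.0 simple-sandboxing pattern (my own illustration, not code shown in the session or taken from the original post). It creates an AppDomain whose grant set is the standard Internet-zone sandbox, loads a library into it through a MarshalByRefObject proxy, and shows that a file write the library attempts is refused there while it succeeds in the fully trusted host domain. The names `ThirdPartyWidget`, `SandboxRunner` and `CreateSandbox` are assumptions for the example; a real third-party assembly would sit beside the host executable (the domain's ApplicationBase) and be loaded by name in the same way. In-process partial trust is a containment layer, not a substitute for reviewing what the library does.

```csharp
// Added example: hosting untrusted code in a sandboxed AppDomain on .NET 4.0.
// Assumption: a class in the host's own assembly stands in for the third-party
// library so the sample runs as a single console program.
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Stand-in for third-party code (hypothetical). In the sandbox it only has the
// Internet-zone permission set, which contains no FileIOPermission, so the
// write below is refused there.
public class ThirdPartyWidget
{
    public static string Render()
    {
        string path = Path.Combine(Path.GetTempPath(), "widget-phone-home.txt");
        File.WriteAllText(path, "hello");
        return "rendered (and wrote " + path + ")";
    }
}

// Runs inside the restricted domain. Deriving from MarshalByRefObject lets the
// host call it through a proxy instead of copying it into the trusted domain.
public class SandboxRunner : MarshalByRefObject
{
    // Loads an assembly by display name from the domain's ApplicationBase and
    // invokes a public static, parameterless method on the named type.
    public string InvokeStatic(string assemblyName, string typeName, string methodName)
    {
        Assembly asm = Assembly.Load(assemblyName);
        Type type = asm.GetType(typeName, true);
        MethodInfo method = type.GetMethod(methodName, BindingFlags.Public | BindingFlags.Static);
        if (method == null)
            throw new MissingMethodException(typeName, methodName);
        try
        {
            return Convert.ToString(method.Invoke(null, null));
        }
        catch (TargetInvocationException ex)
        {
            // Unwrap so the host sees the SecurityException itself.
            throw ex.InnerException;
        }
    }
}

public static class Program
{
    // The grant set is the standard sandbox for the Internet zone: execution,
    // isolated storage and limited UI, but no file, registry or unmanaged access.
    public static AppDomain CreateSandbox()
    {
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
        PermissionSet grants = SecurityManager.GetStandardSandbox(evidence);

        // Assumption: the untrusted library lives next to the host executable.
        var setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };

        // No full-trust assemblies are listed, so everything loaded into this
        // domain, the host's own assembly included, runs with `grants`.
        return AppDomain.CreateDomain("Sandbox", evidence, setup, grants);
    }

    public static void Main()
    {
        // In the default (fully trusted) domain the library can do as it likes.
        Console.WriteLine("Direct call: " + ThirdPartyWidget.Render());

        AppDomain sandbox = CreateSandbox();
        try
        {
            var runner = (SandboxRunner)sandbox.CreateInstanceAndUnwrap(
                typeof(SandboxRunner).Assembly.FullName,
                typeof(SandboxRunner).FullName);

            string result = runner.InvokeStatic(
                typeof(ThirdPartyWidget).Assembly.FullName,
                typeof(ThirdPartyWidget).FullName,
                "Render");
            Console.WriteLine("Sandboxed call: " + result);
        }
        catch (SecurityException ex)
        {
            // Expected path: the FileIOPermission demand fails inside the sandbox.
            Console.WriteLine("Sandbox blocked the library: " + ex.Message);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Two things to check when applying this for real: keep the untrusted library out of the GAC and off the full-trust list (otherwise it is granted full trust regardless of the domain's grant set), and keep the host's own assembly out of the sandbox domain's ApplicationBase if it carries code that asserts permissions, because anything loaded there runs with the sandbox grant set unless you explicitly list it as full trust.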

Another gasp when it turned out AntiXSS was not used as much as it should be. Turns out there is also a fairly easy way to attach AntiXSS to specific ASP.NET controls without code changes, which is really cool. It is not 100% foolproof, but as a low-cost (read: a few lines of configuration) partial solution, it is really a crime not to do it.
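For reference, the "few lines of configuration" look like the following web.config fragment (added here as an illustration, not taken from the session or the original post). .NET 4.0 added the `encoderType` attribute on `<httpRuntime>`, which swaps in any `HttpEncoder`-derived class, and the AntiXSS library ships one; the class and assembly names below are those of the AntiXSS library as I know them, so check them against the version you install.

```xml
<configuration>
  <system.web>
    <!-- .NET 4.0: every encoding call that goes through HttpEncoder
         (HttpUtility.HtmlEncode, the <%: %> syntax, and the encoding that
         server controls do for properties such as Text) is handled by the
         AntiXSS white-list encoder instead of the default one. -->
    <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
  </system.web>
</configuration>
```

The "not 100% foolproof" caveat: this only hardens output that was already being encoded. Raw `<%= %>` output, `Literal` controls in pass-through mode, and strings concatenated straight into markup or script never reach the encoder, so they stay exactly as vulnerable as before; those still need to be found and fixed by hand.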

I am sure there was a lot more in this talk, but that is the essence of what I am taking out of the session with me... now... time to get ready to sleep and go for one more (half) day.