Patterns and Practices Security Guidance Round'up

J.D. Meier has put together a comprehensive roundup of our patterns & practices security guidance for the Microsoft platform.

This consolidated post with all the relevant security guidance links contains valuable guidance on such topics as:

• Security Engineering
• Application Scenarios and Solutions
• Cheat Sheets
• Checklists
• Security Guidelines
• Security How-To Instructions (these are great!)
  • ASP.NET
  • WCF-Intranet
  • WCF-Extranet

Here are links to the current Patterns & Practices Security Guides:

• Building Secure ASP.NET Applications
• Improving Web Application Security - Threats and Countermeasures
• Improving Web Services Security: Scenarios and Implementation Guidance for WC
• patterns & practices Security Engineering Explained

Key Features of the Guides
Key Features of the guides include:

• Prescriptive guidance.   Prescriptive guidance “prescribes” solutions based on proven practices vs. simply “describe” the problem or solution.   This is possible because rather than just write content, we are a full engineering team (including PM, architect, dev, test, UE, and subject matter experts) that works through the problem space, creating reproductions of the problems and reproductions of the solutions.  Additionally, we partner with internal and external experts in the security space to find and share proven practices.  We partner with SWI/SDL, ACE, MCS, CSS, and product teams, as well as industry experts, Security MVPs, community members, and customers (including Solution Integrators and Enterprises, as well as small/medium businesses.)
• Scenario-Based.   You can’t evaluate design or implementation decisions in a vacuum.   Customer-scenarios provide the backdrop against which we perform our inspections, assessments, and analysis, as well as engineer our prescriptive guidance.  The scenarios provide the context so that we can effectively evaluate and measure effectiveness.  While we have to generalize the guidance to make it more applicable beyond a particular scenario, we try to keep it as specific as possible by focusing on the technical constraints, deployment scenarios, and real-world customer problems to keep it relevant and actionable.
• Framework approach. Rather than a random collection of guidance, the guides the guide provides a framework that chunks up security into logical units to help you integrate security throughout your application life cycle.  One part of the framework is the structure of the prescriptive guidance (checklists, guidelines, how tos, … etc.) and the other part of the framework is the actual security domain, where we chunk up security by actionable hot spots (authentication, authorization, input/data validation, … etc.)
• Frames. The guide uses frames as a “lens” to organize security into a handful of prioritized categories, where your choices heavily affect security success. The frames are based on reviewing hundreds of applications.
• Principles, patterns, and practices. These serve as the foundation for the guide and provide a stable basis for recommendations. They also reflect successful approaches used in the field.
• Modular. Chapters within the guides are designed to be read independently. You do not need to read the guide from beginning to end to get the benefits. Use the parts you need.
• Holistic. Each guide is designed with the end in mind. If you do read a guide from beginning to end, it is organized to fit together. The guide, in its entirety, is better than the sum of its parts.
• Job aids. Each guide provides an architecture and design review to help you evaluate the performance implications of your architecture and design choices early in the life cycle. A code review helps you spot implementation issues. Checklists that capture the key review elements are provided.
• How Tos. Each guide provides a set of step-by-step procedures to help you implement key solutions from the guide.
• Subject matter expertise. Each guide exposes insight from various experts throughout Microsoft and from customers in the field.
• Validation. The guidance is validated internally through testing. Also, extensive reviews have been performed by product, field, and product support teams. Externally, the guidance is validated through community participation and extensive customer feedback cycles.
• What to do, why, how. Each section in the guide presents a set of recommendations. At the start of each section, the guidelines are summarized using bold, bulleted lists. This gives you a snapshot view of the recommendations. Then, each recommendation is expanded upon telling you what to do, why, and how.  “What to do” gives you the recommendation.  “Why” gives you the rationale for the recommendation, helps you understand the issues, and explains any trade-offs you may need to consider.  “How” gives you the implementation details to make the recommendation actionable.

Stay Secure my friends – with the P&P Security Guides!

Technorati Tags: Patterns & Practices