Security Wiki on Channel9

Today, I cleaned up my Security Wiki on Channel9 at https://channel9.msdn.com/Security. The purpose of this Wiki is to let me share information that may not be completely fit and finish like on MSDN.  This comes in handy for a few things: EcoSystem.  It’s a part of my security information ecosystem.  Effectively, I flow information from my…

Web Application Security Frame

The Web Application Security Frame is a set of categories you can use to scope security and improve your effectiveness.  It consists of the following categories: Auditing and Logging, Authentication, Authorization, Configuration Management, Cryptography, Exception Management, Input and Data Validation, Sensitive Data, and Session Management.  We created these categories during Improving Web Application Security to represent two things: 1. …

Domain Specific Categories

As a software engineer, how do you cope with information overload?  I suggest domain-specific categories.  If the basic idea of domain-specific languages (DSL) is a software language targeted at a specific area of problems, then domain-specific categories (DSC) are an idea to create categories specific to an area of problems.  Here are some…

High ROI Engineering Activities

How do you know which techniques to use to shape your software throughout the life cycle?  Start with the high Return On Investment (ROI) activities as a baseline set.  You can always supplement or modify them for your scenario.  Most development shops have some variation of the following activities: Design guidelines, Architecture and…

What Makes a Good Threat Model

While trying to create a threat model template for customers, I analyzed many threat models inside and outside Microsoft.  It was insightful to see the patterns of what was useful across threat models and what was noise.  A good threat model has the following components: Security objectives.  What must you do vs. what’s nice to do? …