patterns & practices Security Guidance Roundup

This is a comprehensive roundup of our patterns & practices security guidance for the Microsoft platform.   I put it together based on customers looking for our security guidance, but having a hard time finding it.  While you might come across a guide here or a How To there, it can be difficult to see the full map, including the breadth and depth of our security guidance.   This is a simple map. organized by “guidance type” (i.e. Guides, App Scenarios, Checklists, Guidelines, How Tos, … etc.)

Books / Guides (“Blue Books”)
If you’re familiar with IBM Redbooks, then you can think of our guides as Microsoft “Blue Books.”  Our patterns & practices Security Guides provide prescriptive guidance and proven practices for security.   Each guide is a comprehensive collection of principles, patterns, and practices for security.  These are also the same guides used to compete in competitive platform studies.  Here are our patterns & practices Security Guides:

The HTML and PDF version of the guides are available for free on MSDN.  The print versions are available for sale on on Amazon.

For more on the impact of Blue Books for platform success, see The Power of Blue Books for Platform Impact.

Key Features of the Guides
Key Features of the guides include:

  • Prescriptive guidance.   Prescriptive guidance “prescribes” solutions based on proven practices vs. simply “describe” the problem or solution.   This is possible because rather than just write content, we are a full engineering team (including PM, architect, dev, test, UE, and subject matter experts) that works through the problem space, creating reproductions of the problems and reproductions of the solutions.  Additionally, we partner with internal and external experts in the security space to find and share proven practices.  We partner with SWI/SDL, ACE, MCS, CSS, and product teams, as well as industry experts, Security MVPs, community members, and customers (including Solution Integrators and Enterprises, as well as small/medium businesses.)
  • Scenario-Based.   You can’t evaluate design or implementation decisions in a vacuum.   Customer-scenarios provide the backdrop against which we perform our inspections, assessments, and analysis, as well as engineer our prescriptive guidance.  The scenarios provide the context so that we can effectively evaluate and measure effectiveness.  While we have to generalize the guidance to make it more applicable beyond a particular scenario, we try to keep it as specific as possible by focusing on the technical constraints, deployment scenarios, and real-world customer problems to keep it relevant and actionable.
  • Framework approach. Rather than a random collection of guidance, the guides the guide provides a framework that chunks up security into logical units to help you integrate security throughout your application life cycle.  One part of the framework is the structure of the prescriptive guidance (checklists, guidelines, how tos, … etc.) and the other part of the framework is the actual security domain, where we chunk up security by actionable hot spots (authentication, authorization, input/data validation, … etc.)
  • Frames. The guide uses frames as a “lens” to organize security into a handful of prioritized categories, where your choices heavily affect security success. The frames are based on reviewing hundreds of applications.
  • Principles, patterns, and practices. These serve as the foundation for the guide and provide a stable basis for recommendations. They also reflect successful approaches used in the field.
  • Modular. Chapters within the guides are designed to be read independently. You do not need to read the guide from beginning to end to get the benefits. Use the parts you need.
  • Holistic. Each guide is designed with the end in mind. If you do read a guide from beginning to end, it is organized to fit together. The guide, in its entirety, is better than the sum of its parts.
  • Job aids. Each guide provides an architecture and design review to help you evaluate the performance implications of your architecture and design choices early in the life cycle. A code review helps you spot implementation issues. Checklists that capture the key review elements are provided.
  • How Tos. Each guide provides a set of step-by-step procedures to help you implement key solutions from the guide.
  • Subject matter expertise. Each guide exposes insight from various experts throughout Microsoft and from customers in the field.
  • Validation. The guidance is validated internally through testing. Also, extensive reviews have been performed by product, field, and product support teams. Externally, the guidance is validated through community participation and extensive customer feedback cycles.
  • What to do, why, how. Each section in the guide presents a set of recommendations. At the start of each section, the guidelines are summarized using bold, bulleted lists. This gives you a snapshot view of the recommendations. Then, each recommendation is expanded upon telling you what to do, why, and how.  “What to do” gives you the recommendation.  “Why” gives you the rationale for the recommendation, helps you understand the issues, and explains any trade-offs you may need to consider.  “How” gives you the implementation details to make the recommendation actionable.

Security Engineering
To meet your security objectives, security engineering activities must be an integral part of your software development practices. Our patterns & practices Security Engineering builds on, refines, and extends core life cycle practices to create security-specific practices. You can adopt these activities incrementally as you see fit. These security activities are integrated in MSF Agile, available with Visual Studio Team System. This provides tools, guidance, and workflow to help make security a seamless part of your development experience.

Application Scenarios and Solutions

ASP.NET Application Scenarios

WCF (Intranet Application Scenarios)

WCF (Internet Application Scenarios)

Cheat Sheets
A Cheat Sheet present reference information as a quick view.  They are easy to print out and put up on the wall as a quick reference or reminder of key information.  Here are our security Cheat Sheets:

A Checklist present a verification to perform ("what to check for", "how to check" and "how to fix".)  Checklists work hand-in-hand with Guidelines.  Whereas Guidelines are the “what to do”, “why”, and “how”, the Checklist is a distilled set of checks to perform.  Here are our security Checklists:

Our Guidelines present the “what to do”, “why”, and “how”.  Here are our security Guidelines:

Practices at a Glance
Our Practices at a Glance are brief problem and solution pairs that summarize solutions and link to more information.

An Explained article exposes the what and how mechanics (e.g. how things work, basic architecture, design intentions, usage scenarios).  Here are our security Explained articles:

A FAQ article is a collection of frequently asked question related to a technology, product, technique.  They aren’t restricted to high-level questions.  In fact, many of the questions actually cut pretty deep.  Here are our security FAQs:

How Tos
A How To article provides steps to execute an end to end task.  They compliment the Guidelines and Checklists.  While the Guidelines will simply provide a high-level of the “what to do” or a Checklist will simply identify a check to perform, our How Tos actually elaborate and walkthrough the steps to perform it.  Here are our security How Tos:

Security Engineering How Tos


WCF How Tos

Most Recent patterns & practices Security Guidance Work
Most recent patterns & practices security guidance efforts include the following:

My Related Posts

Comments (2)

  1. Sam says:

    Can you provide some reference material on how the per call negotiation works in WCF? I am unable to find a detailed content on how the service credential negotiation works in WCF.

  2. J.D. Meier says:

    @ Sam — I haven't seen anything.  A sequence diagram and a simple write up of the flow would be nice.  You might try posting to the <a href="…/">WCF forum</a> to see if somebody's tackled this.

Skip to main content