Security Wiki on Channel9

Today, I cleaned up my Security Wiki on Channel9 at https://channel9.msdn.com/Security The purpose of this Wiki is to let me share information that may not be completely fit and finish like on MSDN.  This comes in handy for a few things: EcoSystem.  It’s a part of my security information ecosystem.  Effectively, I flow information from my…

2

Web Application Security Frame

The Web Application Security Frame is a set of categories you can use to scope security and improve your effectiveness.  It consists of the following categories: Auditing and Logging Authentication Authorization Configuration Management Cryptography Exception Management Input and Data Validation Sensitive Data Session Management We created these categories during Improving Web Application Security to represent two things:1. …

0

Domain Specific Categories

As a software engineer, how do you cope with information overload?  I suggest domain specific categories.  If the basic idea of domain specific languages (DSL) is a software language targeted at a specific area of problems, then domain specific categories (DSC) are an idea to create categories specific to an area of problems. Here’s some…

0

High ROI Engineering Activities

How do you know which techniques to use to shape your software throughout the life cycle?  Start with the high Return On Investment (ROI) activities as a baseline set.  You can always supplement or modify for your scenario.   Most development shops have some variations of the following activities: ·        Design guidelines ·        Architecture and…

1

What Makes a Good Threat Model

While trying to create threat model template for customers, I analyzed many threat models inside and outside Microsoft.  It was insightful to see the patterns of what was useful across threat models and what was noise. A good threat model has the following components: Security objectives.  What must you do vs. what’s nice to do? …

4

High ROI Security Activities

You can create effective security activities based on the high ROI engineering activities: Security design guidelines Security architecture and design review Security code review Security testing Security deployment review Rather than interspersing security in your existing activities, factor security into its own set of activities.  Factoring security into its own workstream of quality control, keeps…

5

Security Approaches That Don’t Work

If it’s not broken, then don’t fix it … The problem is, you may have an approach that isn’t working, or it’s not as efficient as it could be, but you may not even know it.  Let’s take a quick look at some broken approaches and get to the bottom of why they fail.  If…

3

Context Precision

A Web application is not a component is not a desktop application is not a Web service. If I gave you an approach to threat model a Web application, you can probably stretch the rubber band to fit Web services too. You could probably even bend it to work for components or mobile applications. The…

4

Threat Modeling Terms and How To Use Them

I see a lot of confusion over terms when it comes to threat modeling.  The terms matter because they shape focus.  For example if you confuse threats with attacks, you’ve limited what you’re looking for. There are the terms we used when we created our How To Threat Model Web Applications: Asset. An asset is…

1

Security Guidance for .NET 2.0 Index

The following is an index of the patterns & practices Security Guidance released as part of the Security Guidance for .NET 2.0 project.  Short-CutsYou can append SecurityGuidance, SecurityEngineering, or ThreatModeling to http://msdn.com or http://microsoft.com . Security Guidance Index: http://msdn.com/SecurityGuidance Security Engineering: http://msdn.com/SecurityEngineering Threat Modeling: http://msdn.com/ThreatModeling Indexes Security Guidance Index Security Engineering Index Security How To Index Security…

2