I'm planning the first in the Digital Black Belt Web Cast Series - here is my first pass at the topics.
What do you all think? - The first three are intended to set the stage, but I'll add tools, stats, examples, to keep them interesting.
1.) The Software Security Crisis - Selling Management on the Need to Invest in Secure Software Development.
Everyone knows that software security is a problem, a concern, and a challenge - especially software professionals. Why, then are so many companies still victims of Mal-Tech (Criminal Techie) attacks?
In large part it is because companies still don't want to invest in the time and training it takes to build and run secure software. In this session you'll get the ammunition that you need to convince management that they can save money by spending defensively. You'll get the what's & why's you need in management vocabulary (read dollars and sense, um cents) and you'll learn about the evolving "Secure Culture" at Microsoft Corporation.
You won't want to miss this introduction to the MSDN Digital Black Belt Series as it sets the base line vocabulary for the sessions to come
2.) Building an Intentionally Secure Development Process.
Before the technical Tips & Tricks of Secure Code, we must understand how our organization will design, manage, develop, confirm, and maintain secure software from an organizational lifecycle perspective.
In this session, we'll lay the ground work for the secure development learning to come. We'll discuss organizational considerations, process hierarchy, lifecycle management and support tools. This will be the framework that secure technologies will be organized and insured by.
3.) Developer Security Principals and Guidelines.
We'll begin this session by categorizing Attack Types, explaining how they work, what they do, and giving a real world example. We will then offer profiles of the various types of Mal-Techs - so we can exactly WHO we are up against. Then we'll close by comparing Rich Client, Web Client, and Web Service applications and modeling the functional areas of security concern.
4.) TECH: Protecting Secret Data (Connection Strings, Passwords, etc.)
One of the biggest challenges in designing and developing secure systems is how to store "the data that secures the data". In this session we'll examine secure ways to manage database connection strings and passwords, safe encryption key management, and securing other file based data. Technologies will include .NET Isolated Storage, the DPAPI, System.Excryption, and Biometrics.
5.) Part 1: Defending the Database: The SQL Injection Attack in Detail.
Developers the world over UNDERESTIMATE the SQL Injection Attack. In this session we'll dive deep.
We'll do some live hacks to see the huge danger of SQL Injection, begging with a discussion of how a Mal-Tech might find and approach your box, discover your schema, table, and field names, steal your data, the corrupt your table records, add himself as an administrator, reduce your own admin rights, pollute your network, take over your mail server, shutdown your application (and hide it from your ops people), upload his own wares and OWN YOUR NETWORK.
We'll also look at what it takes prevent such a disaster.
6.) Part 2: Defending the database: Making the right design choices.
After drilling down in to the infamous SQL Injection attack we'll now look at several of the Questions and Answers that face developers concerning the database and security such as, Secure Connections, SQL versus Windows Authentication, user versus role based authentication. EXPs. Managed Stored Procedures, Alerts and Monitors.
7.) Beating the Cracker - Don't let them steal your code.
All programs can be reverse engineered. Maybe they wanna steal your algorithms or code, maybe they just wanna use your application for free, maybe your binaries contain other secrets of great value to the Mal-Tech. Either way, you need to know how this is done and how you can protect your valuable intellectual property. This session will show you what you application might reveal, and how to hide that info from prying eyes.
8.) Social Engineering - and making your software "Fool Resistant".
Great defensive technology is still no match for raw stupidity. Most clever technical attacks begin with some assistance form Social Engineering. In this session we'll define social engineering and review a number of REAL World hacks that began with social engineering efforts. You'll have light bulbs go off when you realize "so THAT's how they got the bits in the door!" After reviewing these Social Engineering lead-ins to technical attacks we'll discuss the kinds of operational and technical functionality that will help mitigate our system's vulnerability to Social Engineering.