Clinic 2806: Microsoft Security Guidance Training for Developers

I'd totally forgotten about this, but Microsoft eLearning has made available "Clinic 2806: Microsoft Security Guidance Training for Developers".

It's a free on-line clinic that lasts about 6 hours aimed squarely at developers. It covers, among other things:

  • Essentials of Application Security
  • Secure Application Development Practices
  • Security Technologies
  • Secure Development Guidelines
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-Site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service Attacks
  • Secure Development Process
  • Threat Modeling
  • Risk Mitigation
  • Security Best Practices
  • .NET Framework Security Features (Big section!)

Comments (7)

  1. AC says:

    It seems that the "free on-line clinic" is something that can’t be read/viewed in any browser or whatever.

    If it’s free, why can’t it be accessible as normal web pages? Does anybody know in which form these courses are?

  2. Michael Howard says:

    What doesn’t work?

  3. AC says:

    I had to add two sites to "trusted sites" in IE only to get anything and also to log in with my MSDN subscription username to "activate" it, only to discover that the "content" is "animated" (you need Flash, Media Player and ActiveX controls to see it)

    and that the complete transcript of the presentation is inaccessible (you can always get at most a paragraph or two between !@#% animations). The said animations don’t show anything most of the time, they’re just !@#% annoying. And I read much faster than I can watch unneeded animations.

    While I’m on that subject, the "webcasts" on MSDN (disks and web) are videotaped (.WMV) PowerPoint presentations which I was never able to find in .PPT form. Which is such a pity since there is also some interesting material about security.

    Please (not you Michael, the powers in charge) give us normal pages with full transcripts or full .PPT presentations at least as an alternative. We are nevertheless the subscribers. Why is that too much to expect?

  4. The SSL certificate is wrong, and brings up an error message. Double clicking the padlock in IE brings up the error message "This type of document doesn’t have a certificate". This could be easily fixed.

    The offline player is an executable, which locks out people behind firewalls run by those who don’t understand how easily such controls are obviated… except by people like me who honor their commitment to not break security policy no matter how stupid it might be.

    The offline player uses ActiveX within IE (again blocked by the corporate proxy and group policy I am forced to use). Of course, this means IE-only, and doesn’t work on Firefox. Flash will work on Firefox if you install it (easily done), but the offline player doesn’t register with Firefox, so you can’t view the content offline with anything but IE. But IE doesn’t allow ActiveX in most corporate lockdowns…

    The offline player offensively installs itself into the startup keys (olpsynch.exe) in the registry without first asking for permission. There is no reason for it to do this except to waste my system’s resources.

    When you install the offline player and Flash 7, a popup page informs you that it has failed to detect that Flash 7 is installed, and refuses to download the content.

    I’m sure the information is valuable, but there are a few too many hoops to get at it.

    Last year’s Technet DVDs used the Microsoft Presenter add-on, which worked reasonably well, although this locks out Mac and Linux users and doesn’t work in Firefox.

    Best of all would be the plain PowerPoints with embedded narration. This can be used on Mac and PC, and should open in OpenOffice for the Linux people, and would get past corporate group policies which disable ActiveX.

    The PPTs could be saved out to HTML with some loss of fidelity for those who don’t want to find the PowerPoint player for their platform, or those who run Linux but want to learn about best practices. You’ll never convert them to the dark side unless it’s easy for them to access your stuff. 🙂

  5. Also, when you click Synchronize, it brings up "IE 407 Proxy Authentication Required"

    It wouldn’t be the hardest thing in the world for it to do what normal programs do, and offer a username and password to work via the proxy… or even better, use IE’s proxy settings.
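The comment above notes that the offline player adds olpsynch.exe to a registry Run key without asking. As an added example that is not part of the original post, here is a small Python audit that parses a `.reg` export of the Run keys and flags every autostart entry whose executable is not on an allowlist; the sample export, the allowlist and the path shown for olpsynch.exe are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export" of HKCU Run keys (not from the page).
# The olpsynch.exe name comes from the comment; its path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"olpsynch"="C:\\Program Files\\PLACEHOLDER\\olpsynch.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (\\ and \") inside both strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\x -> x for any character x."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Return name -> command line for string values under any ...\\Run key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_run_key = sec.group(1).lower().endswith('\\run')
            continue
        val = VALUE_RE.match(line)
        if in_run_key and val:
            entries[_unescape(val.group(1))] = _unescape(val.group(2))
    return entries

def unexpected_autostarts(entries: Dict[str, str], allowlist: List[str]) -> List[str]:
    """Names of Run entries whose executable (by file name) is not allowlisted."""
    allowed = {a.lower() for a in allowlist}
    flagged = []
    for name, cmd in entries.items():
        # Quoted path, or an unquoted path that may contain spaces up to ".exe".
        m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
        exe = (m.group(1) or m.group(2)) if m else cmd
        if exe.rsplit('\\', 1)[-1].lower() not in allowed:
            flagged.append(name)
    return sorted(flagged)

if __name__ == '__main__':
    print(unexpected_autostarts(parse_run_entries(SAMPLE_REG), ['OneDrive.exe']))
```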