IIS 6.0 General

For those of you who have heard a lot about IIS but have never got a chance to try it out, here’s where you could try the lab – http://go.microsoft.com/?linkid=4267491. Here’s some of the things that I discovered: a) Application pools help to isolate applications and to set various performance and security information. Some of…

2

Lesser known feature of SSL validation overrides in .NET

During setup of an SSL connection, the client validates the server’s digital certificate. This is done automatically when the HttpWebRequest class is used with the https protocol.    Now, consider the following scenarios: Custom Security Lesser-than-normal You want the SSL connection to be established even though the SSL server certificate validated has failed. This case…

0

Providing entry points for handling errors in VC++ 2005

The previous version of the C runtime had many flaws in its design. For example, the functions in the older C runtime performed poor or no validation to detect overwriting memory locations. Also, there was no easy way of validating input parameters such as memory locations, checking buffer sizes, ensuring null termination and checking parameters of variadic functions. Visual…

0

My first assignment at Microsoft

I recently completed my first security assignment at Microsoft. The customer needed specific guidance in the use of CryptoAPI. Please visit this link for details.

0

Writing to Registry? Some best-practices…

Use the following best practices when dealing with the Windows registry. Use of registry reduces application portability. Therefore, use only if required. Don’t use the registry as a configuration trash–bin. Don’t store secrets in registry. Encrypt application data stored in the registry. Discourage users from directly editing the registry. Perform input validation on data read…

5

Code signing mini-FAQ

What really is code signing?At a high level, code signing allows you to generate a digital signature for the application binary and then provides a mechanism to carry the signature right to the end user. When the end user invokes the application, the digital signature is verified by the user and the user is able…

2

Cryptography Cognizance for Application Designers and Developers

Here’s the abstract for a whitepaper I am beginning to write –   Cryptography is increasingly emerging as an essential and must-have ammo in the arsenal of application designers and developers. Reliance on cryptography is a critical part of an application’s security strategy and is an unstated yet expected requirement for satisfying the security needs…

1

Understanding ‘padding’ in symmetric key cryptography

Symmetric key algorithms like 3DES, AES etc operate on blocks of input data. For this to happen, the length of the input data must be exactly equal to the block length or an integral multiple of the block length for that algorithm. For example, let us take AES 128-bit encryption. Lets say the block length…

5

Temporary file generation and usage best practices

This article previously appeared at CodeProject.com IntroductionMany applications require to create and maintain temporary files. Often these temporary files are created without the enduser knowing about the same. Security attacks realized due to insecure temporary file management is a critical category of security attacks on software applications. Application developers are required to follow certain security…

2

Welcome

Hi – I am Richard Lewis and am proud to have joined the ACE team at Microsoft. We are heavily into application security – that means we do security code reviews, application threat modeling and a host of allied services.  I joined this team on the 15th of January 2007 and, well, cant seem to…

0