SECSYM: Security Symposium VI

  • Article

Five tools for helping counter security threats:

1.
Threat Modelling Tool. This is a documentation tool to help explore
threat models within a product. At present it is internal only - it was used for the
SQL Server security push. It will be available for external use shortly, probably
on GotDotNet.
2.
Code Access Security. The .NET security model includes the ability
for code to demand certain permissions and refuse other permissions, ensuring that
even if it is compromised it won't be allowed to take advantage of the full system
resources. Security zones restrict the default granted permissions significantly,
depending on the evidence of an application (where it is loaded from, whether it is
signed by a trusted publisher, etc.). ClickOnce deployment allows for extra flexibility
in granting permissions in sandboxed applications: policy decisions can be deferred
to the user.
3.
F5 in a Sandbox. Debugging permissions can be hard, particularly
when you get an "Access Denied" message in a distributed environment. This new feature
in Whidbey helps explore what permissions an application requires to run successfully.
This is particularly significant, given that a Whidbey ClickOnce application is deployed
via a webserver and therefore runs in a fairly restricted sandbox. In Project / Properties
/ Security, you can choose to debug an application in a sandbox, and can request a
privilege escalation from the user to expand the sandbox.
4.
FxCop. Available on
GotDotNet, this tool analyses your code for security errors or indirect logic
errors that can cause errors (amongst other things), and can be extended to work with
custom rules you define.
5.
SafeApps. This is an application written
by @Stake which performs vulnerability scanning against program binaries.

The security symposium was great - loads of useful information and interesting anecdotes;
I came away far better informed about the most pressing issues, but equally alarmed
by how easily you can unwittingly leave a huge hole in an application.

By the way, am I allowed a teensy-weensy little criticism of this session?

<rant>

FOR GOODNESS SAKE - WHAT ON EARTH WERE YOU THINKING IN RUNNING STRAIGHT THROUGH
FROM 8:30am to 12:30pm WITHOUT A SINGLE BREAK? SOME OF US HAVE BLADDERS, YOU KNOW!
:-)

</rant>