SECSYM: Security Symposium VI


Five tools for helping counter security threats:

  1. Threat Modelling Tool. This is a documentation tool to help explore
    threat models within a product. At present it is internal only – it was used for the
    SQL Server security push. It will be available for external use shortly, probably
    on GotDotNet.
  2. Code Access Security. The .NET security model includes the ability
    for code to demand certain permissions and refuse other permissions, ensuring that
    even if it is compromised it won’t be allowed to take advantage of the full system
    resources. Security zones restrict the default granted permissions significantly,
    depending on the evidence of an application (where it is loaded from, whether it is
    signed by a trusted publisher, etc.). ClickOnce deployment allows for extra flexibility
    in granting permissions in sandboxed applications: policy decisions can be deferred
    to the user.
  3. F5 in a Sandbox. Debugging permissions can be hard, particularly
    when you get an “Access Denied” message in a distributed environment. This new feature
    in Whidbey helps explore what permissions an application requires to run successfully.
    This is particularly significant, given that a Whidbey ClickOnce application is deployed
    via a webserver and therefore runs in a fairly restricted sandbox. In Project / Properties
    / Security, you can choose to debug an application in a sandbox, and can request a
    privilege escalation from the user to expand the sandbox.
  4. FxCop. Available on
    GotDotNet
    , this tool analyses your code for security errors or indirect logic
    errors that can cause errors (amongst other things), and can be extended to work with
    custom rules you define.
  5. SafeApps. This is an application written
    by @Stake which performs vulnerability scanning against program binaries.

The security symposium was great – loads of useful information and interesting anecdotes;
I came away far better informed about the most pressing issues, but equally alarmed
by how easily you can unwittingly leave a huge hole in an application.

By the way, am I allowed a teensy-weensy little criticism of this session?

<rant>
FOR GOODNESS SAKE – WHAT ON EARTH WERE YOU THINKING IN RUNNING STRAIGHT THROUGH
FROM 8:30am to 12:30pm WITHOUT A SINGLE BREAK? SOME OF US HAVE BLADDERS, YOU KNOW!
:-)
</rant>


Comments (0)