Friday, 25 September 2009

Security Digest

Being a collection of minor articles, references, and other resources, relating to the fascinating world of computer security, often with particular relevance to the Microsoft SDL; and wherein, Channel 9 videos are frequently indicated by the judicious proximal placement of a clickable, widescreen dude shot...

SDL Threat Modeling Tool 3.1

This is Thing One for the Security Software Development Lifecycle: the release of the Threat Modeling Tool, which helps engineers analyze the security of systems "... to find and address design issues early in the software lifecycle".

Have fun! Note that Visio 2007 is required.

Jeremy Dallman on the SDL

The Microsoft SDL Process Template for Visual Studio Team System is intended to ease adoption of the Microsoft Security Development Lifecycle. The template integrates the SDL directly into the software development environment, provides auditable security requirements and status, and demonstrates security return on investment.

Larry Larsen stopped by the Microsoft Security group and spoke with Jeremy Dallman about the SDL, and what it means for developers.

The Process Template is free, and can be downloaded from

SDL-LOB Phase 3: Implementation

Gentle reader, I have been remiss in not yet introducing you to the SDL-LOB. This is: the Microsoft Security Development Lifecycle for Line-Of-Business applications.

LOB applications are a set of critical computer applications that are vital to running an enterprise, such as accounting, human resources (HR), payroll, supply chain management, and resource planning applications. The corresponding SDL guidance is positioned exclusively for LOB applications or Web applications, and not for ISV/rich-client and/or server application development.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

SQL Detect

In this video, first posted in July 2009, Maqbool Malik of Microsoft Information Security describes aspects of the new Security Runtime Engine (SRE), with particular reference to one of the very clever tools to be included in it: SQL Detect.

This is a real-time mode SQL injection filter. When a request occurs in the application, the tool applies a variety of heuristics to the data, trying to identify possible attacks. Once the request is validated, it is allowed to proceed as normal.

See the Information Security Tools blog for more on such cool tools. Here is one professional website developer's description and assessment of "... a good combination of the Security Runtime Engine and the methods on AntiXss ...", and the Microsoft Anti-Cross Site Scripting Library V3.1 is available here.

Privacy Guidelines

"This document is a set of privacy guidelines for developing software products and services that are based on our internal guidelines and our experience incorporating privacy into the development process."

The SDL is one part security, one part privacy. The user-requested, experience-won "Privacy Guidelines for Developing Software Products and Services" (September 2008, 1.1MB download) addresses privacy as a core topic in its own right, based on the core principle that Customers will be empowered to control the collection, use, and distribution of their personal information.

After an extensive and, necessarily, somewhat legalistic Basic Concepts and Definitions section, the actual guidelines are partitioned into nine example scenarios, covering the range of considerations that we need to be aware of. These include server and software deployment and installation; storage and transfer of personally identifiable and anonymous data, both within and outside the company; and a separate section detailing the special privacy considerations and exceptions necessary when your website is accessed by children.

Live long, and have a Security Strategy.

No comments:

Post a Comment