Security Digest #2

Another collection of minor articles, references, and other resources, relating to computer security generally, and to the Microsoft SDL particularly.

Installing & Using the SDL Process Template

Here's an MSDN video (WMV, 9 minutes and 4 seconds) on how to install the SDL Process Template, followed by a walkthrough on how to start using it in a new project.

The Microsoft SDL Process Template for Visual Studio Team System was created to ease adoption of the SDL by automatically integrating the policy, process and tools of the Security Development Lifecycle v4.1 into Visual Studio Team System 2008.

Ref: http://msdn.microsoft.com/en-us/security/dd819921.aspx.

Most Popular Vulnerabilities!

From Virtual Tech Days, February 18th 2009, comes this combination PowerPoint / live demo presentation by Varun Sharma (Security Engineer, ACE Team, MS Information Security) enumerating and illustrating the top 5 Web App security bugs: Authorization Issues, Clear Text Secrets, Cross-Site Scripting (alone responsible for more than half of all incidents found by the ACE Team in 2008), SQL Injection, and Verbose Error Messages.

The 56.5MB, 68 minute WMV can be downloaded here.

How Do I: Use the SDL Process Template Documentation and Reporting?

This video shows how to use the SDL Process Template document templates and security metrics reporting. The built-in SDL document templates help to jump start the use of the Microsoft SDL. The reporting allows improved visibility into key security risks for the application, and the progress the team is making toward their security goals.

WMV, 5 minutes 17 seconds.

!exploitable Crash Analyzer - MSEC Debugger Extensions

Apparently that's pronounced “bang exploitable” (don't kill the messenger), and it's a Windows debugging extension (Windbg) providing automated crash analysis and security risk assessment.

The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown.

In other words it parses crash logs and gives you two important pieces of information:

• First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.
• The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners.
  

There is more detailed information about the tool at http://www.microsoft.com/security/msec. Additionally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.

Microsoft SDL - Developer Starter Kit

This month's final quick link is to the July 2009 download of the SDL Starter Kit, which "provides a compilation of baseline developer security training materials on core Microsoft Security Development Lifecycle (SDL) topics."

The topics included, most of which I have covered in a little detail in previous articles, are:

1. secure design principles;
2. secure implementation principles;
3. secure verification principles;
4. SQL injection;
5. cross-site scripting;
6. code analysis;
7. banned application programming interfaces (APIs);
8. buffer overflows;
9. source code annotation language;
10. security code review;
11. compiler defenses;
12. fuzz testing;
13. Microsoft SDL threat modeling principles; and
14. the Microsoft SDL threat modeling tool.

Each set of guidance contains Microsoft Office PowerPoint slides, speaker notes, train-the-trainer audio files, and sample comprehension questions.

That is all.