Wednesday, 16 December 2009

Security Digest #4

This month's Digest is just a little earlier (and just a little shorter) than usual, because of the holidays...

Get The Best Security You Can Afford

Eric Lippert's blog, Fabulous Adventures In Coding, is often among other things a great source of insight into the way the C# compiler works. That's the chief reason why it's a personal favourite of mine. But as its title suggests, Eric's interests and expertise extend into other areas.

On his last summer holiday, for example, Eric used an incident at an airport to digress into analytic queueing theory. And just this week, he's taken an unexpected diversion into some very basic principles of security systems. Click through to see how RSA cryptosystems can be misapplied, providing an illusion of security - with no substance. And he ends with so many excellent bullet points, that you will cower in fear.

The CAT.NET 2.0 Configuration Analysis Engine

Last month I looked at the InfoSec Assessment & Protection (A&P) Suite, which had just been released. Maqbool Malik has provided a fully detailed guide to the Configuration Analysis Engine of its Code Analysis Tool, CAT.NET v2.0:

And from Channel 9, there's this video of Maqbool Malik and Anil Revuru (RV), from Microsoft Information Security, talking about the new release of this tool:

On Security Error Prevention in Development

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC is a Microsoft paper discussing Security By Default, one of the core SDL principles. Also, a very instructive account of how the Windows Live Team adopted the ASP.NET MVC framework when developing the services that are included in Windows Live, and how their approach helped to prevent developers from making security errors:

BlueHat v9 Brings the Looking Glass to You

Finally this year, the session and interview videos from BlueHat are now available on the TechNet page:

SMS and other attack vectors on pocket-sized devices were a prominent area of comment this year, somewhat predictably; and equally so, The Cloud, and Software + Services (S+S).

That's all from The Padlock for 2009. Have a Security Strategy, and a Happy new Year!

No comments:

Post a Comment