Tuesday, 1 June 2010

Security Digest #9

Seriously, June already?

MSF-Agile + Security Development Lifecycle Process Template for VS 2010

VS 2010 shipped recently. If you've already upgraded, and want to integrate SDL processes into the development environment, then you'll be happy to learn that the MSF-Agile+SDL Process Template for TFS 2010 is now available for download.

MSF-A+SDL is a TFS process template incorporating the SDL for Agile process guidance into the MSF Agile framework. With the MSF-A+SDL template, any code checked into the VSTS repository is analyzed, to ensure it complies with SDL practices. The template also automatically creates security workflow tracking items for manual SDL processes, such as threat modeling, to ensure that these important security activities are not accidentally skipped or forgotten.

New features:
  • Security dashboard giving at-a-glance summary of a project's current security development state;
  • Bugs-By-Origin chart, analyzing effectiveness and return-on-investment of the organization’s security tools;
  • Integrated security bugbar, like that described in the March MSDN Magazine Security Brief, to help non-expert users triage security bugs.
Full details from Bryan Sullivan at the SDL Blog.

Security Runtime Engine : May 2010 Preview now on CodePlex

The CodePlex WPL site now has the May 2010 CTP code only release for the Web Protection Library, and a Word document introducing the new extensibility points for the Security Runtime Engine.

What it doesn't have is binaries. This is a preview, not a production-ready release. Its chief reason to exist is as a kind of request for comments. The Security Tools Team is looking for feedback. The release represents a rewrite of the Security Runtime, and a new way to write plug-ins for it. Rather than simply decide what’s best for users, they want to show us the direction they’re taking, and give us a change to influence it.

Just Published: Silverlight Security Overview

Nick Kramer has officially published his paper on Silverlight Security. As Nick says, there is a lot of information on MSDN about Silverlight and security. However it can be hard to know where to start. This document describes how Silverlight protects end-users from attack by malicious web sites, and how to build a secure Silverlight application.

Nick's treatment gives us the lay of the land, to help orient ourselves, and figure out what details are important. It also gives an introduction to Silverlight's unique security thinking, for example why it's safe to allow sandboxed apps to open files (using the OpenFileDialog and isolated storage).

Here's the 212KB docx:


CERT Releases Basic Fuzzing Framework

(Via threatpost, the Kaspersky Lab Security News Service) Carnegie Mellon University's Computer Emergency Response Team (CERT) has released a "basic fuzzing framework to help identify and eliminate security vulnerabilities from software products". The Basic Fuzzing Framework (BFF), available here, is described as a simplified version of automated "dumb fuzzing" and includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test.

This is the second public release of a fuzz testing tool by CERT. Last year, the group released a tool called Dranzer that lets software developers test ActiveX controls for vulnerabilities before the software is released to the public. Dranzer remains available as an open-source utility.

A full explanation of the Basic Fuzzer Framework is available on the CERT blog.

No Hacking Required

Bernd Marienfeldt, Information Security Officer at LINX (London Internet Exchange), writes a private blog about subjects including IT and security. As a member of the Security Bloggers Network, he regularly covers such topics as Apple and the iPhone, as well as Ubuntu and other Linux flavours.

So it wasn't a complete surprise to see him credited for the discovery of this scoop:

It's a sobering revelation of a frequently recurring theme, namely the misapplication of security technology and the concomitant false sense of security that it engenders.

Bernd's own report upon this research is of course the most authoritative and utterly fascinating version.

That's all from The Padlock for now, so get out there and enjoy the summer - with apologies to my two Brazilian readers. Hey, that's a lot of readers!

No comments:

Post a Comment