Threat Modeling – "Pen Testing" for your design

29 April 2006

It is no secret that fixing bugs earlier saves a lot of time and money, and also helps to meet the schedule. Security bugs are no exception. What is special about security bugs is that they can be introduced in the very initial stages of app planning, that is, in the architecture and design phase, when not a single line of code has been written yet. For example, a design can offer identity flow as a parameter in the query string or a hidden field - seen that many times. This is a major design security flaw...

Getting builtin group name – then [net fx 1.0] and now [net fx 2.0]

21 April 2006

I was asked some time ago how to get built-in group names. Suppose one needs to get the name of System.Security.Principal.WindowsBuiltInRole.PowerUser. Why? Say there is a need to get it right on different platforms - English, German, etc. Back in the day I used reflection to accomplish this:

    Type t = typeof(WindowsPrincipal);
    int rid = (int)WindowsBuiltInRole.PowerUser;
    // Argument array for the reflected call: the role's RID
    object[] args = new object[1];
    args[0] = rid;
    string role = (string)t.InvokeMember("_GetRole",
                                         BindingFlags.Static |
                                         BindingFlags.NonPublic |
                                         ...

"I do want to write secure code, where do I start?…"

19 April 2006

That's great! If someone already wants to spend her time/money/resources building more secure software, then that could already be considered a great start. To me, application security is no different from any other application feature - really it is not. And if you adopt this approach then it is easy to handle it throughout the dev project's lifecycle - no matter where the project currently is. If you treat Security as a feature then you can apply your skills of treating any other features, e.g. requirements, designing, building, testing,...

Microsoft Secure Development Lifecycle [SDL]

13 April 2006

It all started back in 2002 with Bill Gates' famous memo:

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

"...Great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security..."

SDL was born; read more on it here. One of the tenets of SDL is that it's tightly integrated into the dev process. But is the dev process the same in all dev shops, just like at MS? Do these shops possess the same security skills and resources?...

Application Security @Teched

10 April 2006

Hi! Just wanted to tell you guys that we have three sessions @Teched dedicated to the topic:

- Microsoft Secure Software Engineering Process
- Threat Modeling
- Threats and Countermeasures in action

I am going to present the first one on the first day. The TM session is going to be delivered by someone from corp, and the third one by a partner. Two of the presenters presented lately @RSA conference. Want to know more? - stay tuned. More details will come shortly...