29 באפריל 2006
It is no secret that fixing bugs earlier saves a lot of time and money, helps also to meet schedule. Security bugs are no exception. What special about the security bugs is that they can be introduced in very inital stages of app planning that is in architecture and design phase, phase when no single line of code was even written. For example, design can offer identity flow as a parameter in querystring or hidden field - seen that many times. This is a major design security flaw...
21 באפריל 2006
I was asked some time ago on how to get built in group names. Suppose one needs to get the name of System.Security.Principal.WindowsBuiltInRole.PowerUser. Why? Say there is a need to get it right on different platforms - Englsih, German, etc. Back in the days I used reflection to accomplish this:
Type t = typeof(WindowsPrincipal);
int rid = (int)WindowsBuiltInRole.PowerUser;
object args = new object;
args = rid;
string role = (string)t.InvokeMember("_GetRole",
I was just pointed by JD Meier to very, very nice content. That is Developer Highway Code PDF format handbook. It summarizes major Security Engineering activites in one place.
Want to start writing secure code? - start with this.
Very practical, easy to use, well done.
19 באפריל 2006
That's great! If someone already wants to spend her time/money/resources building more secure software then it could be considered already as a great start. To me, application security is not different from other application feature - really it is not. And if you adopt this approach then it is easy to handle it throught the dev projects lifecycle - no matter where the project currently is . If you treat Security as a feature then you can apply your skills of treating any other features, e.g. requirements, designing, building, testing,...
13 באפריל 2006
It all started back in 2002 with BIll Gates' famous memo:
From: Bill Gates Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
"...Great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security..."
SDL was born, more on it read here. One of the tenets of SDL is that it's integrated tightly into dev process. But is dev process the same with all dev shops, just like at MS? Are these shops posses same security skills and resources?...
10 באפריל 2006
Just wanted to tell you guys that we have three sessions @Teched dedicated to the topic:
Microsoft Secure Software Engineering Process
Threats and Countermeasures in action
First one I am going to present on the first day. The TM session is going to be delivered by someone from corp, and the third one is by partner. Two of presenters presented lately @RSA conference . Want to know more? - stay tuned. More details will come shortly...