31 December 2006
When you are scheduled for a security review meeting, be prepared for the question above. Security reviewers are concerned about the Identity Theft/Spoofing threat.
My suggestion is to go there prepared with the following question list, thus saving lots of
How do your end users identify themselves?
User and password pairs?
How are credentials sent over the wire (if at all)?
Over a protected channel (SSL, IPSec, etc.)?
How does your system authenticate your end users?
Custom mechanisms (not the best choice)?
How does your application manage the credentials it uses to authenticate itself to downstream servers?
29 December 2006
If you publish your code on the internet, then first They will use Google Code Search. For example, try searching for "initial catalog" (the SQL Server connection-string keyword) and see how many connection strings come back.
If They are lucky and have your binaries, Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to get all the strings with a simple tool that ships with Windows, FindStr, together with ILDASM, which ships with the .NET SDK and Visual Studio:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
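The same hunt done portably, as an added example that is not code from the original post: instead of ildasm | findstr it carves printable strings straight out of a byte buffer (both plain ASCII and the UTF-16LE encoding .NET uses for user strings in its #US metadata heap) and flags the ones that look like connection strings or inline passwords. The SAMPLE_BINARY bytes are constructed for the example and are not a real assembly; the patterns are a starting point, not a complete secret-detection ruleset.

```python
import re

# Constructed stand-in for a compiled assembly (NOT a real DLL). .NET user
# strings are stored UTF-16LE in the #US metadata heap, while other strings
# in a binary are plain ASCII, so the carver looks for both encodings.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Data Source=db01;Initial Catalog=Orders;User ID=sa;Password=P@ss123".encode("utf-16-le")
    + b"\x00" * 8
    + b"RegisterUser\x00\x00"
    + "SELECT * FROM Users WHERE Name = '".encode("utf-16-le")
    + b"\x00\x01\x02"
    + b"pwd=hunter2\x00"
)

MIN_LEN = 6  # same idea as `strings -n 6`: ignore short junk runs

# Connection-string keywords plus anything that looks like an inline password.
SECRET_PATTERNS = [
    re.compile(r"initial catalog\s*=", re.I),
    re.compile(r"\buser id\s*=", re.I),
    re.compile(r"\b(?:password|pwd)\s*=\s*[^;\s]+", re.I),
]


def carve_strings(blob, min_len=MIN_LEN):
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len chars.

    This is naive carving, not a metadata parser: an ASCII byte that happens to
    sit right before a UTF-16 string can be glued onto it, exactly as with
    `strings -e l`. ildasm /text | findstr ldstr has no such ambiguity.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def find_hardcoded_secrets(blob):
    """Carved strings from blob that match a connection-string or password pattern."""
    return [s for s in carve_strings(blob) if any(p.search(s) for p in SECRET_PATTERNS)]


if __name__ == "__main__":
    for s in find_hardcoded_secrets(SAMPLE_BINARY):
        print("hard-coded secret:", s)
```

Run it against your own build output before They do; every hit is a credential that belongs in a protected configuration store or a machine identity, not in the assembly.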
Security pro pleads guilty to USC breach
"Security professional Eric McCarty pleaded guilty in United States District Court in Los Angeles on Tuesday, admitting that he intentionally exploited a flaw in the online student application Web site of the University of Southern California, federal prosecutors said."
"There is a right way to do penetration testing, and there is a wrong way," Zweiback said. "And Mr. McCarty's way was the wrong way, and hopefully this plea sends that message."
I think it is nonsense. These two should not be put next to each other. To me it is the same as "show me the ROI for car insurance" or "show me the ROI of the military and defense budget". I definitely like the following, which is not about ROI but rather about keeping the business: http://www.enterprisestrategygroup.com/ESGPublications/ReportListings.asp?ReportType=briefs
The Security Development Lifecycle (SDL). Advantage, Microsoft
11/3/2006, by Jon Oltsik
When it comes to Microsoft and security, few people ever mention Microsoft's Security Development Lifecycle (SDL). ESG believes this is an unfortunate omission. The fact is that Microsoft's commitment to SDL is an area of stealthy security leadership. ESG...
27 December 2006
A full-blown tutorial on how to deploy a web site AND its database using the shiny new free tool, the SQL Server Hosting Toolkit. Enjoy! - I did :)
Just finished two Application Security Awareness workshops for a major customer. The audience is developers, and the major idea behind the workshop (two half days) is to emphasize the security fight one needs to manage throughout the development lifecycle - NOT just before app deployment. So we had some presentations and then practices where we tried to plan security for imaginary applications - one Internet and the other intranet - and then we did some code inspections looking for vulnerabilities and best practices. I think it went pretty well - the great evals I got back from attendees prove it. Enjoyed it a lot.
26 December 2006
First They will get some network sniffing tool. I am extremely proud that MS recently released the shiny new NETMON 3, which can be downloaded for FREE here https://connect.microsoft.com/availableconnections.aspx, and the team maintains a very nice blog here http://blogs.technet.com/netmon/default.aspx that explains in a very detailed manner how to capture and filter network traffic and even automate all this. After studying all this, I believe the first thing They will try is to sniff HTTP traffic, applying a proper filter, and look through the captured frames for juicy information like passwords or business-critical data. How to get protected? Avoid sending sensitive information over the wire....
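What They are looking for in those frames, as an added example that is not part of the original post and not NetMon's code: a small Python script that walks a reassembled HTTP stream and pulls out everything that proves identity in cleartext. It goes a little beyond the passwords the post mentions: Basic Authorization headers, password-looking form fields, and session cookies, which an eavesdropper can replay just like a password (the spoofing threat from the 31 December post). The CAPTURED_HTTP stream is constructed for the example; the parser honours Content-Length only and does not handle chunked encoding.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample of what a sniffer hands back for plain HTTP: three requests
# from one reassembled TCP stream. Not a real capture.
_FORM_BODY = b"txtUser=jsmith&txtPassword=Winter2006%21&btn=Go"
CAPTURED_HTTP = (
    b"POST /login.aspx HTTP/1.1\r\n"
    + b"Host: intranet.example\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_FORM_BODY)
    + _FORM_BODY
    + b"GET /reports/q4.xls HTTP/1.1\r\n"
    + b"Host: intranet.example\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"admin:s3cret") + b"\r\n\r\n"
    + b"GET /orders/list.aspx HTTP/1.1\r\n"
    + b"Host: intranet.example\r\n"
    + b"Cookie: ASP.NET_SessionId=abc123def456\r\n\r\n"
)


def split_requests(stream):
    """Yield (request_line, headers, body) for each request in a reassembled stream.

    Bodies are delimited by Content-Length only; chunked encoding is not handled.
    """
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            return
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def find_credentials(stream):
    """Pull identity material out of cleartext HTTP: Basic auth, password form
    fields and session cookies. Each hit records which request leaked it."""
    hits = []
    for request_line, headers, body in split_requests(stream):
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is only base64, not encryption: user:password in the clear.
            user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            hits.append({"request": request_line, "kind": "basic-auth",
                         "user": user, "password": password})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            user = next((v[0] for k, v in form.items() if "user" in k.lower()), "")
            for field, values in form.items():
                if any(t in field.lower() for t in ("pass", "pwd", "secret")):
                    hits.append({"request": request_line, "kind": "form-field",
                                 "field": field, "user": user, "password": values[0]})
        cookie = headers.get("cookie", "")
        if "sessionid" in cookie.lower():
            # Replaying this cookie gives the attacker the victim's session.
            hits.append({"request": request_line, "kind": "session-cookie", "cookie": cookie})
    return hits


if __name__ == "__main__":
    for hit in find_credentials(CAPTURED_HTTP):
        print(hit)
```

Point the same logic at a capture exported from your own test environment and anything it prints is exactly what should have been inside SSL or IPSec.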
25 December 2006
Here:
Validating Form Input Controls
Securing Your Application
Monitoring Your Application
Cheers
http://msdn.microsoft.com/virtuallabs/teamsystem/
Writing Secure Managed Code with Visual Studio Team System
In this lab you will learn:
Fundamental design principles for building secure applications
Technologies such as FxCop and code access security
How to build secure applications using various tools and techniques
Take this lab
Of course, my favorite is: