Sunday 22 November 2009

Security Digest #3

Catching up with the latest developments in our favourite MSDN Security Blogs, the SDL and Security Tools.

Two headliners already escaped from this month's Digest and skipped the queue: Volume 7 of the Security Intelligence Report, and Agile SDL. Here's a bunch of smaller announcements and developments for those who just can't get enough of that ol' computer security goodness!


Pirates v Ninjas v Engineers

Threat Modeling is the first port of call in your journey to software security.

Amusement and light entertainment were to be had at the end of October, when the SDL's Adam Shostack declared in favour of Engineers, in their never-ending struggle with the Ninjas of Threat Modeling.

What's Ninja Threat Modeling? It's lean, focused, easy to learn, and readily implemented. Cory Scott explains all, while contrasting his arguments with more traditional security development lifecycle approaches - and in particular, taking an occasional swipe or three at Microsoft's history of data-flow diagram & attack tree approaches, and multiple Visio-driven offerings - in this quite comprehensive article from the Matasano Security (developers of Playbook) website:


Adam's articulate and considered reply sets out to compare the two different security methodologies, concluding that the MS-SDL has matured sufficiently to be considered the optimum choice whenever security considerations can be built into a project from the outset. Ninja Threat Models might be of use when an already developed or deployed system needs to be hardened, and admittedly, they do sound more focused and agile than traditional SDL. However, they are necessarily less rigorous and less complete. And anyway, the agility factor has now been addressed in other ways.



InfoSec Assessment & Protection

Todd Kutzke, Senior Director of Information Security (InfoSec) at Microsoft, writes here about the InfoSec Assessment & Protection (A&P) Suite that's just been released.

The Assessment Tools include a complete rewrite of the managed-code security source code scanning tool, Code Analysis Tool for .NET (CAT.NET); and the Web Application Configuration Analyzer (WACA), which scans the development environment for various best practices, including .NET security configuration, IIS settings, SQL Server security, and miscellaneous permission settings in Windows.

"Protection Tools" here refers to the Web Protection Library (WPL). This incorporates a diverse set of elements, for example Anti-XSS V3.1 (the Microsoft Anti-Cross Site Scripting Library), and the Security Runtime Engine (SRE).



Finally for this month, Anil Revuru has written the following two useful and quite comprehensive guides, for configuring and running stuff:



Until next time, Keeeeep Dancing!
Eh, no I mean, Have a Security Strategy.
