Channel 9 Microsoft http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/C9/images/feedimage.png Channel 9 http://channel9.msdn.com/Niners/Jossie/Posts Channel 9 keeps you up to date with the latest news and behind the scenes info from Microsoft that developers love to keep up with. From LINQ to SilverLight – Watch videos and hear about all the cool technologies coming and the people behind them. http://channel9.msdn.com/Niners/Jossie/Posts en Sat, 18 May 2013 13:43:26 GMT Sat, 18 May 2013 13:43:26 GMT Rev9 20 1 25 Using the Code Analysis Tool (CAT.NET 2.0) to Identify Security Vulnerabilities Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new version of CAT.NET (Code Analysis Tool for .NET) version 2.0.  It is a static analysis tool that uses the Phoenix Compiler and its data flow graph.

Anil walks us through the dataflow rules and how it uses the source sink analysis to determine if there is a vulnerability or not. He also explains how the configuration analysis works and walks through the rules where insecure conditions exist. The demo of the tool shows how the vulnerabilities are detected and how to interpret the results.

To learn more about this application, stay up to date on the latest news by following the Security Tools Team blog.

Watch related webcast
Download: CAT.NET 2.0

]]> http://channel9.msdn.com/Blogs/Jossie/Using-the-Code-Analysis-Tool-CATNET-20-to-Identify-Security-Vulnerabilities Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new version of CAT.NET (Code Analysis Tool for .NET) version 2.0.  It is a static analysis tool that uses the Phoenix Compiler and its data flow graph. Anil walks us through the dataflow rules and how it uses the source sink analysis to determine if there is a vulnerability or not. He also explains how the configuration analysis works and walks through the rules where insecure conditions exist. The demo of the tool shows how the vulnerabilities are detected and how to interpret the results.To learn more about this application, stay up to date on the latest news by following the Security Tools Team blog.Watch related webcastDownload: CAT.NET 2.0 522 http://channel9.msdn.com/Blogs/Jossie/Using-the-Code-Analysis-Tool-CATNET-20-to-Identify-Security-Vulnerabilities Thu, 25 Feb 2010 08:18:00 GMT http://channel9.msdn.com/Blogs/Jossie/Using-the-Code-Analysis-Tool-CATNET-20-to-Identify-Security-Vulnerabilities Jossie Jossie 4 http://channel9.msdn.com/Blogs/Jossie/Using-the-Code-Analysis-Tool-CATNET-20-to-Identify-Security-Vulnerabilities/RSS cat.net Information information security infosec Security Tools Technical Preview for CAT.NET 2.0 Microsoft Information Security, talk about the newly designed version of CAT.NET which will be part of the Assessment & Protection (A&P) suite.

CAT.NET is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code. This version is currently a technical preview which works on the command line only though for its release it will be integrated with Visual Studio's UI under the Code Analysis tab. In this interview you can learn all the new features as well as details on how to provide feedback on the tool.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Learn more about this tool by reading examples on how to run it by following the Security Tools Team blog. ]]> http://channel9.msdn.com/Blogs/Jossie/Technical-Preview-for-CATNET-20 Maqbool Malik and Anil Revuru (RV), from Microsoft Information Security, talk about the newly designed version of CAT.NET which will be part of the Assessment & Protection (A&P) suite.CAT.NET is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code. This version is currently a technical preview which works on the command line only though for its release it will be integrated with Visual Studio's UI under the Code Analysis tab. In this interview you can learn all the new features as well as details on how to provide feedback on the tool.The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools. Learn more about this tool by reading examples on how to run it by following the Security Tools Team blog. 1221 http://channel9.msdn.com/Blogs/Jossie/Technical-Preview-for-CATNET-20 Fri, 11 Dec 2009 19:32:00 GMT http://channel9.msdn.com/Blogs/Jossie/Technical-Preview-for-CATNET-20 Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Technical-Preview-for-CATNET-20/RSS cat.net Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security Tools Using the Web Protection Library (WPL) - CTP Version Anil Revuru (RV), from Microsoft Information Security, walks us through the expansion of what used to be the Anti-XSS Library. This enhanced version of the library will introduce mitigation to other attacks like:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Setting Enforcement like SSL & HTTP_ONLY cookies
  • Security Runtime Engine for SQL Injection & XSS
  • Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

]]> http://channel9.msdn.com/Blogs/Jossie/Using-the-Web-Protection-Library-WPL-CTP-Version Anil Revuru (RV), from Microsoft Information Security, walks us through the expansion of what used to be the Anti-XSS Library. This enhanced version of the library will introduce mitigation to other attacks like: SQL Injection Cross-Site Request Forgery (CSRF) Setting Enforcement like SSL & HTTP_ONLY cookies Security Runtime Engine for SQL Injection & XSS Among others The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools. Read CTP announcement and follow the Security Tools Team blog. 656 http://channel9.msdn.com/Blogs/Jossie/Using-the-Web-Protection-Library-WPL-CTP-Version Wed, 25 Nov 2009 00:00:00 GMT http://channel9.msdn.com/Blogs/Jossie/Using-the-Web-Protection-Library-WPL-CTP-Version Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Using-the-Web-Protection-Library-WPL-CTP-Version/RSS Antixss Information information security infosec ist Security Tools wpl Using Web Application Configuration Analyzer (WACA) - CTP Version Microsoft Information Security, walks us through a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog. ]]> http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analizer-WACA Anil Revuru (RV), from Microsoft Information Security, walks us through a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools. Read CTP announcement and follow the Security Tools Team blog. 435 http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analizer-WACA Tue, 24 Nov 2009 23:58:00 GMT http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analizer-WACA Jossie Jossie 3 http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analizer-WACA/RSS Information information security infosec ist Security Tools waca Web Application Configuration Analyzer (WACA) Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog. ]]> http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analyzer-WACA Anil Revuru (RV), from Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools. Read CTP announcement and follow the Security Tools Team blog. 943 http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analyzer-WACA Fri, 20 Nov 2009 22:21:00 GMT http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analyzer-WACA Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Web-Application-Configuration-Analyzer-WACA/RSS Information information security infosec ist Security Tools waca Assessment and Protection Suite Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools:

  • Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others
  • CAT.NET
  • Web Application Configuration Analyzer (WACA)
  • and room for more future add-ons

The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.

Read CTP announcement and follow the Security Tools Team blog.

]]> http://channel9.msdn.com/Blogs/Jossie/Assessment-and-Protection-Suite Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools: Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others CAT.NET Web Application Configuration Analyzer (WACA) and room for more future add-ons The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.Read CTP announcement and follow the Security Tools Team blog. 1044 http://channel9.msdn.com/Blogs/Jossie/Assessment-and-Protection-Suite Thu, 12 Nov 2009 17:21:00 GMT http://channel9.msdn.com/Blogs/Jossie/Assessment-and-Protection-Suite Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Assessment-and-Protection-Suite/RSS Antixss Information information security infosec ist Security Tools waca wpl Enhanced Web Protection Library Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Setting Enforcement like SSL & HTTP_ONLY cookies
  • Security Runtime Engine for SQL Injection & XSS
  • Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

]]> http://channel9.msdn.com/Blogs/Jossie/Enhanced-Web-Protection-Library Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like: SQL Injection Cross-Site Request Forgery (CSRF) Setting Enforcement like SSL & HTTP_ONLY cookies Security Runtime Engine for SQL Injection & XSS Among others The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools. Read CTP announcement and follow the Security Tools Team blog. 928 http://channel9.msdn.com/Blogs/Jossie/Enhanced-Web-Protection-Library Thu, 12 Nov 2009 17:21:00 GMT http://channel9.msdn.com/Blogs/Jossie/Enhanced-Web-Protection-Library Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Enhanced-Web-Protection-Library/RSS Antixss Information information security infosec ist Security Tools wpl Anti-XSS Library v3.1: Find, Fix, and Verify Errors Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1  including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

  • What is Cross-Site Scripting Attack (XSS)
  • How to detect Cross Site Scripting Vulnerabilities
  • Introduction of Anti-XSS Library
  • What’s new in Anti-XSS Library 3.1
  • Anti-XSS 3.1 demo
  • Security Runtime Engine (SRE)
  • SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

]]> http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1  including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.He talks about: What is Cross-Site Scripting Attack (XSS) How to detect Cross Site Scripting Vulnerabilities Introduction of Anti-XSS Library What’s new in Anti-XSS Library 3.1 Anti-XSS 3.1 demo Security Runtime Engine (SRE) SRE Demo To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.Overview of the Anti-XSS LibraryDownload: Microsoft Anti-Cross Site Scripting Library v3.1 1311 http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors Wed, 23 Sep 2009 17:20:00 GMT http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors Jossie Jossie 9 http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors/RSS ace ace team Antixss Information information security infosec ist Security Tools Connected Information Security Framework: Core Components Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF).  A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the  Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

]]> http://channel9.msdn.com/Blogs/Jossie/Connected-Information-Security-Framework-Core-Components Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF).  A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the  Security Tools Team blog To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions CISF CTP download 1326 http://channel9.msdn.com/Blogs/Jossie/Connected-Information-Security-Framework-Core-Components Wed, 23 Sep 2009 17:19:00 GMT http://channel9.msdn.com/Blogs/Jossie/Connected-Information-Security-Framework-Core-Components Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Connected-Information-Security-Framework-Core-Components/RSS cisf Information information security infosec ist Security Tools CISF: Build Custom Security Solutions Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF).  A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:
  • Building information security applications cheaper, faster, and better
  • Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the  Security Tools Team blog. 

CISF CTP download

]]> http://channel9.msdn.com/Blogs/Jossie/CISF-Build-Custom-Security-Solutions Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF).  A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.They explain benefits found on this framework including: Building information security applications cheaper, faster, and better Migrate applications efficiently and effectively to their products when they become available To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the  Security Tools Team blog. CISF CTP download 1182 http://channel9.msdn.com/Blogs/Jossie/CISF-Build-Custom-Security-Solutions Fri, 18 Sep 2009 03:31:00 GMT http://channel9.msdn.com/Blogs/Jossie/CISF-Build-Custom-Security-Solutions Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/CISF-Build-Custom-Security-Solutions/RSS cisf Information information security infosec ist Security Tools SDL-LOB Phase 3: Implementation The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.
]]> http://channel9.msdn.com/Blogs/Jossie/SDL-LOB-Phase-3-Implementation The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation. Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities. Read more on the Implementation Phase here. 1099 http://channel9.msdn.com/Blogs/Jossie/SDL-LOB-Phase-3-Implementation Mon, 20 Jul 2009 17:54:00 GMT http://channel9.msdn.com/Blogs/Jossie/SDL-LOB-Phase-3-Implementation Jossie Jossie 2 http://channel9.msdn.com/Blogs/Jossie/SDL-LOB-Phase-3-Implementation/RSS ace ace team Development Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security Anti-XSS 3.0 Released Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

  • Extended white list
  • Better performance
  • MSDN Style Help documentation
  • Marked Anti-XSS Output
  • Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

]]> http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-30-Released Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks. They explain the new features and benefits found on version 3.0, including: Extended white list Better performance MSDN Style Help documentation Marked Anti-XSS Output Security Runtime Engine (SRE) To learn more about this library read the following blogs from the Security Tools Team blog and previous posts. 1055 http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-30-Released Wed, 15 Jul 2009 16:12:00 GMT http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-30-Released Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Anti-XSS-30-Released/RSS ace ace team Antixss Information information security infosec ist LOB Simple DirectMedia Layer sdl-lob Security Tools Silverlight 2 Security
That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security.

Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc. ]]> http://channel9.msdn.com/Blogs/Jossie/Silverlight-20-Security The usage of Silverlight to provide users a rich internet experience continues to increase. As it becomes a key element on our web applications, it is good to keep in mind that it still runs code on the user's machine. That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security. Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc. 1120 http://channel9.msdn.com/Blogs/Jossie/Silverlight-20-Security Tue, 14 Jul 2009 00:43:00 GMT http://channel9.msdn.com/Blogs/Jossie/Silverlight-20-Security Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Silverlight-20-Security/RSS ace ace team Information information security infosec Security Silverlight 2 Threat Modeling LOB Applications with TAM 3.0 Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

]]> http://channel9.msdn.com/Blogs/Jossie/Threat-Modeling-LOB-Applications-with-TAM-30 Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB. Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats. Learn more on the Threat Modeling site & Information Security Tools blog. 2925 http://channel9.msdn.com/Blogs/Jossie/Threat-Modeling-LOB-Applications-with-TAM-30 Mon, 06 Jul 2009 22:38:00 GMT http://channel9.msdn.com/Blogs/Jossie/Threat-Modeling-LOB-Applications-with-TAM-30 Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Threat-Modeling-LOB-Applications-with-TAM-30/RSS ace ace team Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security tam threat modeling Tools SQL Detect
Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

]]> http://channel9.msdn.com/Blogs/Jossie/SQL-Detect SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds. Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE). To learn more about their tools, read the Information Security Tools blog. 734 http://channel9.msdn.com/Blogs/Jossie/SQL-Detect Mon, 06 Jul 2009 19:41:00 GMT http://channel9.msdn.com/Blogs/Jossie/SQL-Detect Jossie Jossie 2 http://channel9.msdn.com/Blogs/Jossie/SQL-Detect/RSS ace ace team Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security sre Tools Architecture Behind CAT.NET Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF,  XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools

www.msinfosec.com 

]]> http://channel9.msdn.com/Blogs/Jossie/Architecture-behind-CATNET Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF,  XSS among others, within managed code. Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies. Learn more about Microsoft Information Security Tools.  www.msinfosec.com  1067 http://channel9.msdn.com/Blogs/Jossie/Architecture-behind-CATNET Mon, 29 Jun 2009 22:24:00 GMT http://channel9.msdn.com/Blogs/Jossie/Architecture-behind-CATNET Jossie Jossie 1 http://channel9.msdn.com/Blogs/Jossie/Architecture-behind-CATNET/RSS ace ace team cat.net Information information security infosec LOB RiSE Simple DirectMedia Layer sdl-lob Security Tools Threat Analysis & Modeling Tool - TAM 3.0 Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:
  1. Microsoft Information Security
  2. TAM Tool Site 
]]> http://channel9.msdn.com/Blogs/Jossie/Thread-Analysis--Modeling-Tool-TAM-30 Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase. RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others. Learn more: Microsoft Information Security TAM Tool Site  961 http://channel9.msdn.com/Blogs/Jossie/Thread-Analysis--Modeling-Tool-TAM-30 Mon, 29 Jun 2009 20:43:00 GMT http://channel9.msdn.com/Blogs/Jossie/Thread-Analysis--Modeling-Tool-TAM-30 Jossie Jossie 2 http://channel9.msdn.com/Blogs/Jossie/Thread-Analysis--Modeling-Tool-TAM-30/RSS ace ace team Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security tam threat modeling Tools Security Design Reviews baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here. ]]> http://channel9.msdn.com/Blogs/Jossie/Security-Design-Reviews Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design. Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step. To learn more about security on line-of-business applications using the SDL-LOB go here. 1083 http://channel9.msdn.com/Blogs/Jossie/Security-Design-Reviews Wed, 24 Jun 2009 16:07:00 GMT http://channel9.msdn.com/Blogs/Jossie/Security-Design-Reviews Jossie Jossie 2 http://channel9.msdn.com/Blogs/Jossie/Security-Design-Reviews/RSS ace ace team Information information security infosec LOB Simple DirectMedia Layer sdl-lob Security ACE's Performance Development Lifecycle for IT (PDL-IT) Microsoft ACE team has been involved in performance testing and tuning of web applications within Microsoft and externally for several years now. Microsoft's Information Security - ACE Performance has been using a methodology which they have now formalized as PDL-IT (Performance Development Lifecycle for IT) which consists of a proactive approach for application performance within the SDLC.

Irfan Chaudhry, Director of InfoSec's ACE Team, explains this methodology after being part of ACE for 8 years and having started as a Performance Analyst himself.

If you want to learn more about PDL-IT, you can read more on the ACE Team blog in a series of posts.

]]> http://channel9.msdn.com/Blogs/Jossie/ACEs-Performance-Development-Lifecycle-for-IT-PDL-IT Microsoft ACE team has been involved in performance testing and tuning of web applications within Microsoft and externally for several years now. Microsoft's Information Security - ACE Performance has been using a methodology which they have now formalized as PDL-IT (Performance Development Lifecycle for IT) which consists of a proactive approach for application performance within the SDLC. Irfan Chaudhry, Director of InfoSec's ACE Team, explains this methodology after being part of ACE for 8 years and having started as a Performance Analyst himself. If you want to learn more about PDL-IT, you can read more on the ACE Team blog in a series of posts. 873 http://channel9.msdn.com/Blogs/Jossie/ACEs-Performance-Development-Lifecycle-for-IT-PDL-IT Fri, 03 Apr 2009 16:29:00 GMT http://channel9.msdn.com/Blogs/Jossie/ACEs-Performance-Development-Lifecycle-for-IT-PDL-IT Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/ACEs-Performance-Development-Lifecycle-for-IT-PDL-IT/RSS ace ace team Information information security infosec pdl-it Performance Application Performance Reviews: ACE Team The Assessment Consulting & Engineering (ACE) team, part of the Microsoft Information Security group, assesses the performance of Microsoft applications.  Principal Performance Manager, K.M. Lee, discusses his team's methodology after many years of experience on this area which keeps evolving as technology changes.  K.M. also describes how they have taken their knowledge into the field to Microsoft customers and partners as well as how they are taking the next step by creating performance review tools.

For more information on the tool K.M. mentions, neXpert see: webcast, download

]]> http://channel9.msdn.com/Blogs/Jossie/Application-Performance-Reviews-ACE-Team The Assessment Consulting & Engineering (ACE) team, part of the Microsoft Information Security group, assesses the performance of Microsoft applications.  Principal Performance Manager, K.M. Lee, discusses his team's methodology after many years of experience on this area which keeps evolving as technology changes.  K.M. also describes how they have taken their knowledge into the field to Microsoft customers and partners as well as how they are taking the next step by creating performance review tools. For more information on the tool K.M. mentions, neXpert see: webcast, download 714 http://channel9.msdn.com/Blogs/Jossie/Application-Performance-Reviews-ACE-Team Wed, 04 Mar 2009 01:20:00 GMT http://channel9.msdn.com/Blogs/Jossie/Application-Performance-Reviews-ACE-Team Jossie Jossie 0 http://channel9.msdn.com/Blogs/Jossie/Application-Performance-Reviews-ACE-Team/RSS ace ace team Information infosec nexPert Performance Security