Channel 9 - Entries tagged with information security

TechNet Radio: Taste of Premier - Cyber Security and How to Protect Your Assets

ChrisCaldwell, TechNet Radio, Lex Thomas — Wed, 01 May 2013 13:00:48 GMT

Lex Thomas welcomes Principal Cyber Security Architect, Michael Howard to the show as they discuss the importance of protecting your applications and datacenter. Tune in as they offer some practical advice and how you can adopt the Security Development Lifecycle (SDL) as well as how you can get started securing your own environment.

[2:29] How important is Cyber Security and what is the Security Development Lifecycle Threat Modeling Tool?
[7:11] What advice do you have for people trying to address their Security concerns?
[12:55] How do I get started with the SDL?

Click here to send your comments or questions to the “Taste of Premier” Podcast show!

__________________________

Experience Microsoft's latest products with these FREE downloads!

Build Your Lab! Download Windows Server 2012, System Center 2012 SP1 and Hyper-V Server 2012 and get the best virtualization platform and private cloud management solution on the market. Try it FREE now!

Don’t Have a Lab? Build Your Lab in the Cloud with Windows Azure Virtual Machines. Try Windows Azure for free with no cost or obligations, and use any OS, language, database or tool. FREE Download

__________________________

If you're interested in learning more about the products or solutions discussed in this episode, click on any of the below links for free, in-depth information:

Websites & Blogs:

Videos:

Follow @technetradio
Become a Fan @ facebook.com/MicrosoftTechNetRadio
Subscribe to our podcast via iTunes, Stitcher, or RSS

TechNet Radio: How Microsoft IT does Infrastructure Protection at Microsoft

ChrisCaldwell, TechNet Radio, Bob Hunt — Wed, 30 Jan 2013 12:00:02 GMT

Bob Hunt welcomes Sr. Security Program Manager, Ashish Popli to the show as they discuss how Microsoft IT protects its critical IT infrastructure. Tune in as they discuss some of the challenges associated with this as well some best practices on what you may want to think about when protecting your IT infrastructure from outages and attacks.

[4:20] What are some of the challenges in protecting critical IT infrastructure?
[5:57] How is your team identifying these security risks?
[9:27] What risk assessments have you completed and what are your plans for the program?
[16:18] What are some best practices you can share with the audience?

If you're interested in learning more about the products or solutions discussed in this episode, click on any of the below links for free, in-depth information:

Resources:

Websites & Blogs:

Virtual Labs:

TechNet Virtual Labs: System Center 2012

Follow @technetradio
Become a Fan @ facebook.com/MicrosoftTechNetRadio
Subscribe to our podcast via iTunes, Stitcher, or RSS

Edge Show 25 - Information Protection with AD RMS

David Tesar — Fri, 11 May 2012 22:29:11 GMT

News:

Technical Interview: At [04:50] David met with Josh Heller, a Product Marketing Manager for Windows Server, to discuss information protection capabilities in Windows Server 2008 R2. We first discussed why it is important to think about protecting your information in the age of Consumerization of IT and then we dove into demos of the following topics:

Active Directory Rights Management (AD RMS) protection with Exchange 2010 transport rules and Office 2010 documents.
Extending AD RMS email and document protection to an iPad
Automatic AD RMS protection for documents in SharePoint 2010
Automatic AD RMS protection for documents on Windows Server 2008 R2 with File classification Infrastructure (FCI)

We finish talking about some of the improvements in Windows Server 2012 around information protection, but more information will given at the hour long session for the Consumerization of IT MSL jumpstart - http://aka.ms/ConsumerIT

Connect with the Edge Team:

Facebook – Twitter

Using the Code Analysis Tool (CAT.NET 2.0) to Identify Security Vulnerabilities

Jossie — Thu, 25 Feb 2010 08:18:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new version of CAT.NET (Code Analysis Tool for .NET) version 2.0. It is a static analysis tool that uses the Phoenix Compiler and its data flow graph.

Anil walks us through the dataflow rules and how it uses the source sink analysis to determine if there is a vulnerability or not. He also explains how the configuration analysis works and walks through the rules where insecure conditions exist. The demo of the tool shows how the vulnerabilities are detected and how to interpret the results.

To learn more about this application, stay up to date on the latest news by following the Security Tools Team blog.

Watch related webcast
Download: CAT.NET 2.0

Technical Preview for CAT.NET 2.0

Jossie — Fri, 11 Dec 2009 19:32:00 GMT

Maqbool Malik and Anil Revuru (RV), from Microsoft Information Security, talk about the newly designed version of CAT.NET which will be part of the Assessment & Protection (A&P) suite.

CAT.NET is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code. This version is currently a technical preview which works on the command line only though for its release it will be integrated with Visual Studio's UI under the Code Analysis tab. In this interview you can learn all the new features as well as details on how to provide feedback on the tool.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Learn more about this tool by reading examples on how to run it by following the Security Tools Team blog.

Using the Web Protection Library (WPL) - CTP Version

Jossie — Wed, 25 Nov 2009 00:00:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through the expansion of what used to be the Anti-XSS Library. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Using Web Application Configuration Analyzer (WACA) - CTP Version

Jossie — Tue, 24 Nov 2009 23:58:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Web Application Configuration Analyzer (WACA)

Jossie — Fri, 20 Nov 2009 22:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Assessment and Protection Suite

Jossie — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools:

Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others
CAT.NET
Web Application Configuration Analyzer (WACA)
and room for more future add-ons

The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.

Read CTP announcement and follow the Security Tools Team blog.

Enhanced Web Protection Library

Jossie — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Anti-XSS Library v3.1: Find, Fix, and Verify Errors

Jossie — Wed, 23 Sep 2009 17:20:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1 including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

What is Cross-Site Scripting Attack (XSS)
How to detect Cross Site Scripting Vulnerabilities
Introduction of Anti-XSS Library
What’s new in Anti-XSS Library 3.1
Anti-XSS 3.1 demo
Security Runtime Engine (SRE)
SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

Connected Information Security Framework: Core Components

Jossie — Wed, 23 Sep 2009 17:19:00 GMT

Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

CISF: Build Custom Security Solutions

Jossie — Fri, 18 Sep 2009 03:31:00 GMT

Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:

Building information security applications cheaper, faster, and better
Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

CISF CTP download

SDL-LOB Phase 3: Implementation

Jossie — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Silverlight 2 Security

Jossie — Tue, 14 Jul 2009 00:43:00 GMT

The usage of Silverlight to provide users a rich internet experience continues to increase. As it becomes a key element on our web applications, it is good to keep in mind that it still runs code on the user's machine.

That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security.

Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc.

Threat Modeling LOB Applications with TAM 3.0

Jossie — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Architecture Behind CAT.NET

Jossie — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Security Design Reviews

Jossie — Wed, 24 Jun 2009 16:07:00 GMT

Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here.

ACE's Performance Development Lifecycle for IT (PDL-IT)

Jossie — Fri, 03 Apr 2009 16:29:00 GMT

Microsoft ACE team has been involved in performance testing and tuning of web applications within Microsoft and externally for several years now. Microsoft's Information Security - ACE Performance has been using a methodology which they have now formalized as PDL-IT (Performance Development Lifecycle for IT) which consists of a proactive approach for application performance within the SDLC.

Irfan Chaudhry, Director of InfoSec's ACE Team, explains this methodology after being part of ACE for 8 years and having started as a Performance Analyst himself.

If you want to learn more about PDL-IT, you can read more on the ACE Team blog in a series of posts.