Channel 9 - Entries tagged with sdl-lob

Technical Preview for CAT.NET 2.0

Jossie — Fri, 11 Dec 2009 19:32:00 GMT

Maqbool Malik and Anil Revuru (RV), from Microsoft Information Security, talk about the newly designed version of CAT.NET which will be part of the Assessment & Protection (A&P) suite.

CAT.NET is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code. This version is currently a technical preview which works on the command line only though for its release it will be integrated with Visual Studio's UI under the Code Analysis tab. In this interview you can learn all the new features as well as details on how to provide feedback on the tool.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Learn more about this tool by reading examples on how to run it by following the Security Tools Team blog.

SDL-LOB Phase 3: Implementation

Jossie — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Threat Modeling LOB Applications with TAM 3.0

Jossie — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Architecture Behind CAT.NET

Jossie — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Security Design Reviews

Jossie — Wed, 24 Jun 2009 16:07:00 GMT

Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here.