Return to
HomePage
About the Project: patterns & practices Security Guidance for .NET Framework 2.0
Summary
This page provides background information on the patterns & practices Application Security Guidance for .NET Framework 2.0 project.
Contents
*
Overview *
Motivation *
Criteria for Success *
Scope *
Approach *
Types of Content *
patterns & practices Developer Center *
Channel9 *
MSDN Developer Centers *
Feedback *
About the Team
Overview
The purpose of this project is to provide world-class security guidance for .NET Framework 2.0 centered around thre following key themes:
* Security engineering
* Application scenarios
* Technical guidance
* Tools integration
Security engineering represents the set of life-cycle activities proven to produce more secure software. Application scenarios represent end-to-end guidance for building and deploying secure software in common user scenarios. Technical guidance represents precise, context-specific guidance to solve particular engineering problems.
Motivation
The motivation for this project is to distill the best engineering practices, secure application scenarios, and technology advice into guidance that you can use to make your applications as secure as possible.
Criteria for Success
Successful content is modular, specific, and accessible. When you have a specific security problem, whether it involves process or technology, you should be able to quickly find guidance that applies to your situation and provides you with the set of steps to solve the problem quickly. This content will also give you a foundation of what a successful security engineering process looks like so that you can fit the specific guidance into a larger framework.
Scope
The first version of the guidance aimed at the .NET Framework 1.1 is currently available on MSDN and covers the following areas:
.NET Framework 1.0
Security Engineering
* Design guidelines for Web applications
* Threat modeling for Web applications
* Architecture and design review for Web applications
* Code review for Web applications
* Deployment review for Web applications
Types of Technical Guidance
* Guidelines
* How Tos
* Explained
* Checklists
Technologies
* Code Access Security
* ASP.NET
* Enterprise Services
* Web Services
* Remoting
* ADO.NET
* SQL Server
* IIS
This content is available at the following locations:
* Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN at http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp
* Improving Web Application Security: Threats and Countermeasures on MSDN at
http://msdn.com/SecNet
.NET Framework 2.0
The second version of the guidance will improve this by adding information on the following topics:
Security Engineering
* Design guidelines
* Threat modeling for Web applications
* Architecture and design reviews
* Code reviews
* Security testing for Web applications
* Deployment reviews
Types of technical guidance
* Guidelines
* Practices at a Glance
* How Tos
* Explained
* Checklists
* Templates
* Scenarios and Solutions
Technologies
* .NET Framework 2.0
* Code access security (.NET Framework 2.0)
* ASP.NET 2.0
* Web Services (.NET Framework 2.0)
* ADO.NET 2.0
Approach
Along with all the new content, there are new approaches to improving the overall experience, which include:
* Freeze the current guides for .NET Framework 1.1 and supplement the existing guidance with new and improved content.
* All of the new guidance will be composed around the three key themes: Security Engineering, Application Scenarios, and Technical Guidance.
* All the new guidance will target .NET Framework 2.0 and will be loosely coupled modules rather than sequential chapters in a larger guide.
* Modules will build on each other and when composed will become more valuable than the sum of their parts.
* New guidance will be integrated into Microsoft Visual Studio .NET 2005 and supported by integrated development environment (IDE) features in order to bring the approach into the tool.
Types of Content
The following table gives an overview of the content types. The goal is to create a variety of modular guidance that has high context precision. This means that when you have a specific problem, you should be able to find specific guidance that will give you the steps to work through the problem to a successful conclusion. This also means that each of our modules can stand alone or be placed together into a larger whole and that you can use multiple entry-points to get to the guidance you need.
*
Scenarios and Solution. End-to-end application scenarios, focused on key engineering decisions. Organized by application types and problem domain for example, performance and security.
* Example:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp *
Guidelines. "What to do", "Why", "How"
* Example:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp *
Practices. Nutshell, "what to dos" at varying levels of context
* Example:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp *
Checklists. Pilot’s checklist (noun-verb); rules-based http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecuAsp.asp
*
How Tos. Step-by-step, task-based guidance.
* Example: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000003.asp
*
Explained. "How does it work"; Internals; Design intentions, Usage scenarios
* Example:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetAP04.asp *
Walkthrough. Narrative hand-holding through the activity
* Example:
http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAwalkthrough.asp *
Template. Standardized template to help execute the activity or steps.
Cross-discipline communication tool.
* Example:
http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAtemplate.asp *
At a Glance. Distillation of essential frame or concept, such as a technique, for example, threat modeling.
* Example:
http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAglance.asp *
Cheatsheet. Quick reference for common "look ups" and fast points.
* Example:
http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAcheatsheet.asp
patterns & practices Developer Center
MSDN hosts the published guidance.
See the patterns & practices Developer Center: http://msdn.microsoft.com/practices/
Channel 9
The patterns & practices Security Wiki (http://Channel9.Msdn.Com/Security) hosts emerging trends, pre-release, and behind the scenes information for the enthusiast or expert practitioner. See the raw and unfiltered leading-edge guidance.
In the Channel9 Wiki, you will find emerging practices, guidance for application scenarios, security engineering, threat modeling, technical guidance and more. This is where you have the opportunity to add your unique insight to pre-released guidance.
MSDN Security Developer Centers
The MSDN Developer centers will highlight guidance modules as they are released.
* MSDN Security Developer Center: http://msdn.microsoft.com/Security
* MSDN ASP.NET Developer Center: http://msdn.microsoft.com/ASP.NET
Feedback
For feedback on this project, use either the Wiki or e-mail:
* Wiki. Security guidance feedback page:
http://channel9.msdn.com/wiki/default.aspx/Channel9.SecurityGuidanceFeedback * E-mail. Send e-mail to secguide@microsoft.com.
We are particularly interested in feedback regarding the following:
* Technical issues specific to recommendations
* Usefulness and usability issues
About the Team
Members from this team previously brought you Building Secure ASP.NET Applications: Authentication, Authorization and Secure Communication and Improving Web Application Security: Threats and Countermeasures. See
http://msdn.microsoft.com/SecNet The current team includes:
*
Development team: J.D. Meier, Microsoft; Alex Mackman, CM Consulting; Blaine Wastell, Microsoft; Prashant Bansode, Infosys Technologies Ltd.; Kishore Gopalan, Infosys Technologies Ltd.
*
Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Sameer Tarey, Infosys Technologies Ltd.
*
Edit team: Nelly Delgado, Microsoft Corporation; Sharon Smith; Tina Burden
McGrayne, Linda Werner & Associates, Inc.
*
Release Management: Sanjeev Garg, Microsoft Corporation
Return to
HomePage
WindowsClient: Several WPF Localization questions
Silverlight: Commitments
Mix Online: When Projects Fall Apart
Channel 10: Adding Flip 3D to Windows 7's Taskbar
