jossie

Web Application Configuration Analyzer (WACA)

Jossie Tirado — Fri, 20 Nov 2009 22:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Assessment and Protection Suite

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools:

Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others
CAT.NET
Web Application Configuration Analyzer (WACA)
and room for more future add-ons

The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.

Read CTP announcement and follow the Security Tools Team blog.

Enhanced Web Protection Library

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Anti-XSS Library v3.1: Find, Fix, and Verify Errors

Jossie Tirado — Wed, 23 Sep 2009 17:20:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1 including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

What is Cross-Site Scripting Attack (XSS)
How to detect Cross Site Scripting Vulnerabilities
Introduction of Anti-XSS Library
What’s new in Anti-XSS Library 3.1
Anti-XSS 3.1 demo
Security Runtime Engine (SRE)
SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

Connected Information Security Framework: Core Components

Jossie Tirado — Wed, 23 Sep 2009 17:19:00 GMT

Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

CISF: Build Custom Security Solutions

Jossie Tirado — Fri, 18 Sep 2009 03:31:00 GMT

Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:

Building information security applications cheaper, faster, and better
Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

CISF CTP download

SDL-LOB Phase 3: Implementation

Jossie Tirado — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie Tirado — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Silverlight 2 Security

Jossie Tirado — Tue, 14 Jul 2009 00:43:00 GMT

The usage of Silverlight to provide users a rich internet experience continues to increase. As it becomes a key element on our web applications, it is good to keep in mind that it still runs code on the user's machine.

That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security.

Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc.

Threat Modeling LOB Applications with TAM 3.0

Jossie Tirado — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie Tirado — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Architecture Behind CAT.NET

Jossie Tirado — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie Tirado — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Security Design Reviews

Jossie Tirado — Wed, 24 Jun 2009 16:07:00 GMT

Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here.

ACE's Performance Development Lifecycle for IT (PDL-IT)

Jossie Tirado — Fri, 03 Apr 2009 16:29:00 GMT

Microsoft ACE team has been involved in performance testing and tuning of web applications within Microsoft and externally for several years now. Microsoft's Information Security - ACE Performance has been using a methodology which they have now formalized as PDL-IT (Performance Development Lifecycle for IT) which consists of a proactive approach for application performance within the SDLC.

Irfan Chaudhry, Director of InfoSec's ACE Team, explains this methodology after being part of ACE for 8 years and having started as a Performance Analyst himself.

If you want to learn more about PDL-IT, you can read more on the ACE Team blog in a series of posts.

Application Performance Reviews: ACE Team

Jossie Tirado — Wed, 04 Mar 2009 01:20:00 GMT

The Assessment Consulting & Engineering (ACE) team, part of the Microsoft Information Security group, assesses the performance of Microsoft applications. Principal Performance Manager, K.M. Lee, discusses his team's methodology after many years of experience on this area which keeps evolving as technology changes. K.M. also describes how they have taken their knowledge into the field to Microsoft customers and partners as well as how they are taking the next step by creating performance review tools.

For more information on the tool K.M. mentions, neXpert see: webcast, download