Entries tagged with security - Channel 9

Using the Web Protection Library (WPL) - CTP Version

Jossie Tirado — Wed, 25 Nov 2009 00:00:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through the expansion of what used to be the Anti-XSS Library. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Using Web Application Configuration Analyzer (WACA) - CTP Version

Jossie Tirado — Tue, 24 Nov 2009 23:58:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Web Application Configuration Analyzer (WACA)

Jossie Tirado — Fri, 20 Nov 2009 22:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Assessment and Protection Suite

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools:

Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others
CAT.NET
Web Application Configuration Analyzer (WACA)
and room for more future add-ons

The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.

Read CTP announcement and follow the Security Tools Team blog.

Enhanced Web Protection Library

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Microsoft Security Development Lifecycle (SDL) and Software Security Today

Charles — Fri, 06 Nov 2009 21:49:00 GMT

The Microsoft Security Development Lifecycle (SDL) team recently released two new security tools, BinScope Binary Analyzer and MiniFuzz File Fuzzer, to help you write more secure code. Jeremy Dallman, Michael Howard, and Ivan Medvedev created these tools so we decided to pay them a visit to chat about what these tools do and why they matter. Of course, it's been way too long since Michael Howard has preached to us from his security soapbox so we just had to get him talking about the general state of software security today and where it's going!

For the Microsoft SDL team, SDL is as much a lifestyle as it is a software development lifecycle. Developers, thrive securely so that others may securely thrive. Oh yeah, brothers and sisters. I'm sensing the need for a security soapbox show on 9. We need more preaching. There's still far too many developers writing insecure code. "Reverend" Howard, are you game, sir?

Get BinScope and MiniFuzz on SDL Tool Repository. Please use them!!!

Stay updated on the SDL at:

http://www.microsoft.com/sdl

http://blogs.msdn.com/sdl

Aufzeichnung zum Oktober-TechTalk: Windows 7 – ein Überblick für Entwickler (Teil2)

Jan Schenk — Tue, 03 Nov 2009 18:32:00 GMT

Der Hauptfokus bei Windows 7 wurde auf die weitere Verbesserung der Sicherheit, Zuverlässigkeit und Performance des Betriebssystems gelegt - und auf die größtmögliche Kompatibilität zu Windows Vista , damit bereits bestehende Anwendungen auch in Zukunft laufen. Für Entwickler bietet Windows 7 viele neue Schnittstellen, um Anwendungen mit umfassenderen Funktionen zu versehen, die dem Endbenutzer eine neue Erfahrung im Umgang mit Software ermöglichen.

In dieser TechTalk-Aufzeichnung erklären Oliver Scheer und Peter Kirchner, wie etwa die neue Taskbar genutzt werden kann, indem die Preview-Ansicht gesteuert, Status-Informationen ausgegeben oder die Sprunglisten nach Ihren Wünschen angepasst werden können. Wir zeigen neue Möglichkeiten für die Anpassung von Windows-Diensten, um die Performance des Betriebssystems optimal zu nutzen und demonstrieren die Verwendung der in Windows 7 eingeführten Bibliotheken, um den Zugriff auf Dokumente Ihrer Anwendung zu vereinfachen. Zusätzlich erfährt man, welche Punkte zu beachten sind, um die Kompatibilität Ihrer Anwendung mit Windows 7 sicher zu stellen, wenn diese bereits auf Windows XP oder Windows Vista laufen. Abschließend wird ein Überblick gegeben, welche Änderungen sich im Windows Logo Programm ergeben haben und wie Sie Ihre Anwendung für Windows 7 zertifizieren lassen können.

Allgemeine Information zu den TechTalks:

Die kostenlosen TechTalk-Veranstaltungen sind ein lebendiges Forum zum Wissensaustausch unter Entwicklern und bieten Gelegenheit, "Microsoft zum Anfassen" zu erleben. Microsoft-Experten vermitteln dabei in Vorträgen ihr Wissen und stehen für Diskussionen zur Verfügung. Dabei ist der TechTalk keine überdimensionierte Massenveranstaltung, sondern bietet das angenehme und lockere Umfeld, das den ganz besonderen Reiz eines Entwicklertreffens ausmacht. Alle weiteren Informationen finden Sie unter http://techtalk.ms/

Aufzeichnung zum Oktober-TechTalk: Windows 7 – ein Überblick für Entwickler (Teil 1)

Jan Schenk — Tue, 03 Nov 2009 18:31:00 GMT

Allgemeine Information zu den TechTalks:

Claims-Based Security, Windows Identity Foundation and Dominick Baier

Dariusz Parys — Fri, 09 Oct 2009 05:41:00 GMT

I had the chance to do an interview with security expert Dominick Baier. I visited Dominick and talked with him about Claims, Windows Identity Foundation and his StarterSTS Project hosted on Codeplex.

You can contact Dominick via his blog and you can get more information about the StarterSTS on Codeplex.

Enjoy,
Dariusz

I'm sorry about the video quality after 20 minutes, my camera just broke during recording. Yes this sorts of things just happen when they shouldn't.

Anti-XSS Library v3.1: Find, Fix, and Verify Errors

Jossie Tirado — Wed, 23 Sep 2009 17:20:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1 including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

What is Cross-Site Scripting Attack (XSS)
How to detect Cross Site Scripting Vulnerabilities
Introduction of Anti-XSS Library
What’s new in Anti-XSS Library 3.1
Anti-XSS 3.1 demo
Security Runtime Engine (SRE)
SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

Connected Information Security Framework: Core Components

Jossie Tirado — Wed, 23 Sep 2009 17:19:00 GMT

Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

CISF: Build Custom Security Solutions

Jossie Tirado — Fri, 18 Sep 2009 03:31:00 GMT

Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:

Building information security applications cheaper, faster, and better
Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

CISF CTP download

Expert to Expert: Erik Meijer and Butler Lampson - Abstraction, Security and Embodiment

Charles — Thu, 17 Sep 2009 16:09:00 GMT

This is a very special episode of Expert to Expert. We were very fortunate to get some time with renowned computer scientist and Microsoft Technical Fellow Butler Lampson. Butler's impact on general purpose computing is profound. Personal computing as it exists today is in part the result of the great work done by Butler over the past 30 years.

Programming language designer and high priest of the lamda calculus Erik Meijer hosts this episode of E2E and Erik and Butler cover a very wide swath of computing topics. It's simply beautiful and very deep geekiness. In fact, this is one of my favorite Channel 9 conversations of late. I know you will enjoy both the usual real conversational aspect of this and the depth of historical insight into some of the core aspects and unresolved problems of general purpose personal computing.

Go get some popcorn, stream this into your XBox or Media Center and learn from one of our industry's pioneers who still has a great deal to offer to the world of personal computing. What's Butler working on these days, you wonder? What's top of mind for him as it relates to today's biggest challenges in computing? What does software security really mean? How many levels of software abstraction do we need? Why is data synchronization such a hard problem? What is software embodiment, exactly (Butler will be presenting his thinking on software embodiment at PDC09, as part of the new Technical Leaders track (something yours truly is responsible for - I hope you plan on attending these very special sessions and if not you will be able to watch them right here on Channel 9))?

Tune in and meet a true legend in our industry. Microsoft is very forunate to have Butler Lampson thinking about some of the hardest problems we face as an industry and ensuring that Microsoft is capable of tackling these challenges in a way that extends the solutions for long term relevance in a changing and unpredictable environment.

Glenn Pittaway on SDL

Mike Ormond — Fri, 14 Aug 2009 07:30:00 GMT

I'm posting this on behalf of Andrew Fryer who usually posts to TechNet but today has something developer focused for us:

"Glenn Pittaway the Group Program Manager for the Secure development Lifecycle (SDL) talks about the past present and future of SDL. The SDL methodology is at the core of all development work that has an internet facing element (i.e. virtually everything!) at Microsoft. You might argue that this gives this gives Microsoft developers an edge over the competition as they can write more secure code more quickly, however these same SDL resources are also publicly available so you can adopt the same approach in your organisation."

Internet Explorer 8 named most secure browser [Internet Explorer 8 named most secure browser]

Adam Kinney — Thu, 13 Aug 2009 21:34:00 GMT

Yes, you read that right, Internet Explorer was named by NSS Labs the Most Secure Browser. Giorgio Sardo, our IE Evangelist, fittingly has all the details.

in reply to Internet Explorer 8 named most secure browser

Inside the Active Template Library (ATL) Security Update

Charles — Tue, 28 Jul 2009 17:02:00 GMT

Today, Microsoft announced the details of an out-of-band security update that impacts ATL components and controls (like ActiveX controls, for example) -> Developers who have built controls using vulnerable versions of ATL should take immediate action to review and identify any vulnerabilities, modify and recompile their affected controls and components using the updated versions of ATL and finally distribute a non-vulnerable version of the controls and components to their customers.

Here, Damien Watkins from the VC++ team and Damian Hasse and Jonathan Ness from MSRC Engineering review the steps to identify and address vulnerable controls and components. Of course, being a Channel 9 interview, we dig into various aspects of the problem without veering away from the goal here: helping you understand the exact issues with this vulnerability. If you own a component or control that uses ATL, then you will know what you need to do to prevent a possible attack.

Please visit the URLs below as soon as possible for detailed information on this vulnerability.

Resources discussed in this video are available on MSDN: Active Template Library Security Update and Developers

Detailed technical information on this security release for ATL developers: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

Additional information on this security release is available on the Security Research & Defense blog

Overview with background + table of links: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

IE mitigation explanation: http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx

Deep dive for developers: http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx

How msvidctl.dll is related: http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx

Michael Howard's perspective on this issue: http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

SDL-LOB Phase 3: Implementation

Jossie Tirado — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie Tirado — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Patrice Godefroid - Automated Whitebox Fuzz Testing with SAGE

Peli de Halleux — Tue, 14 Jul 2009 18:29:00 GMT

Patrice Godefroid gives an overview of Automated Whitebox Fuzz Testing, a powerful testing technique applied at Microsoft through a tool called SAGE. Listen how he is working with the SAGE team to 'eradicate all buffer overrun bugs' in Windows...

Read more in this paper or this slide deck.

The Research in Software Engineering team (RiSE) coordinates Microsoft's research in Software Engineering in Redmond, USA.

Silverlight 2 Security

Jossie Tirado — Tue, 14 Jul 2009 00:43:00 GMT

The usage of Silverlight to provide users a rich internet experience continues to increase. As it becomes a key element on our web applications, it is good to keep in mind that it still runs code on the user's machine.

That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security.

Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc.

Threat Modeling LOB Applications with TAM 3.0

Jossie Tirado — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie Tirado — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Microsoft Security Development Lifecycle Template

Larry Larsen — Thu, 02 Jul 2009 10:45:00 GMT

The Microsoft SDL Process Template is a new process template for Visual Studio Team System intended to ease adoption of the Microsoft Security Development Lifecycle. The template integrates the SDL directly into your software development environment, provides auditable security requirements and status, and demonstrates security return on investment.

I stopped by the Microsoft Security group and spoke with Jeremy Dallman about the SDL, and what it means for developers. The Process Template is free and can be downloaded from www.microsoft.com/SDL/.

Securing REST ful services

ashishjaiman — Tue, 30 Jun 2009 03:02:00 GMT

REST is an acronym for Represntational state transfer, REST defines an architectural style based on a set of constraints for building things the “Web” way.

In this screen cast I will demo how to secure a restful web service using WeServicebHost2Factory and Request Interceptors in WCF Rest Starter Kit. i will implement both Basic Authentication Request Interceptor and also Authorization Header token based authentication.

The demo code is posted here - Code –

http://cid-0666e397c5ca74dd.skydrive.live.com/self.aspx/Screencast/ProjectService.zip

Previous Screencast - http://channel9.msdn.com/posts/ashishjaiman/WCF-35-RESTful-web-service/

Other resources –
http://aspnet.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=24644
http://msdn.microsoft.com/en-us/netframework/cc950529.aspx

Architecture Behind CAT.NET

Jossie Tirado — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com