Entries tagged with tools - Channel 9

Using the Web Protection Library (WPL) - CTP Version

Jossie Tirado — Wed, 25 Nov 2009 00:00:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through the expansion of what used to be the Anti-XSS Library. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Using Web Application Configuration Analyzer (WACA) - CTP Version

Jossie Tirado — Tue, 24 Nov 2009 23:58:00 GMT

Anil Revuru (RV), from Microsoft Information Security, walks us through a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Web Application Configuration Analyzer (WACA)

Jossie Tirado — Fri, 20 Nov 2009 22:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces a configuration verification tool that will be part of a suite of tools that will help you assess your code as well as protect it. For more info watch the Assessment & Protection (A&P) Suite video.

WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server Security best practices and some Windows permission settings. It is helpful for verifying your configuration while unit testing and ensuring there are no issues when the application is in production.

The CTP (Community Technology Preview) for this tool is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Assessment and Protection Suite

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV) and Mark Curphey, from Microsoft Information Security, introduce what would be in the future a suite of tools that will help you assess your code as well as protect it. This is called the Assessment & Protection (A&P) Suite and it includes the following tools:

Web Protection Library (WPL) – which includes Anti-XSS, SRE, mitigation of SQL Injection, CSRF among others
CAT.NET
Web Application Configuration Analyzer (WACA)
and room for more future add-ons

The CTP (Community Technology Preview) for these tools are available in Microsoft Connect – Information Security Tools. These are currently individual as they shift to one-install.

Read CTP announcement and follow the Security Tools Team blog.

Enhanced Web Protection Library

Jossie Tirado — Thu, 12 Nov 2009 17:21:00 GMT

Anil Revuru (RV), from Microsoft Information Security, introduces the expansion of what used to be the Anti-XSS Library. But web vulnerabilities are not only around Cross-Site Scripting (XSS) attacks. This enhanced version of the library will introduce mitigation to other attacks like:

SQL Injection
Cross-Site Request Forgery (CSRF)
Setting Enforcement like SSL & HTTP_ONLY cookies
Security Runtime Engine for SQL Injection & XSS
Among others

The CTP (Community Technology Preview) is available in Microsoft Connect – Information Security Tools.

Read CTP announcement and follow the Security Tools Team blog.

Microsoft Security Development Lifecycle (SDL) and Software Security Today

Charles — Fri, 06 Nov 2009 21:49:00 GMT

The Microsoft Security Development Lifecycle (SDL) team recently released two new security tools, BinScope Binary Analyzer and MiniFuzz File Fuzzer, to help you write more secure code. Jeremy Dallman, Michael Howard, and Ivan Medvedev created these tools so we decided to pay them a visit to chat about what these tools do and why they matter. Of course, it's been way too long since Michael Howard has preached to us from his security soapbox so we just had to get him talking about the general state of software security today and where it's going!

For the Microsoft SDL team, SDL is as much a lifestyle as it is a software development lifecycle. Developers, thrive securely so that others may securely thrive. Oh yeah, brothers and sisters. I'm sensing the need for a security soapbox show on 9. We need more preaching. There's still far too many developers writing insecure code. "Reverend" Howard, are you game, sir?

Get BinScope and MiniFuzz on SDL Tool Repository. Please use them!!!

Stay updated on the SDL at:

http://www.microsoft.com/sdl

http://blogs.msdn.com/sdl

Anti-XSS Library v3.1: Find, Fix, and Verify Errors

Jossie Tirado — Wed, 23 Sep 2009 17:20:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1 including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

What is Cross-Site Scripting Attack (XSS)
How to detect Cross Site Scripting Vulnerabilities
Introduction of Anti-XSS Library
What’s new in Anti-XSS Library 3.1
Anti-XSS 3.1 demo
Security Runtime Engine (SRE)
SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

Connected Information Security Framework: Core Components

Jossie Tirado — Wed, 23 Sep 2009 17:19:00 GMT

Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

CISF: Build Custom Security Solutions

Jossie Tirado — Fri, 18 Sep 2009 03:31:00 GMT

Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:

Building information security applications cheaper, faster, and better
Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

CISF CTP download

Inside Windows 7: RADAR - Windows Automatic Memory Leak Detection

Charles — Tue, 15 Sep 2009 15:29:00 GMT

RADAR is a memory leak detection technology built into Windows 7 and integrated with Watson (error reporting) and AutoBug (automatic bug filing). It allows Microsoft product teams and third parties to discover and fix memory leaks early in the product cycle and after release. Since RADAR runs on customer machines, leaks can be caught during public betas, after release, and by third parties, thus ridding the entire ecosystem of memory leaks. RADAR-shipped components are highly optimized to have no appreciable performance impact.

Meet RADAR developers Stephan Doll, Baskar Sridharan, Anthony Lorelli‎ and Keshava Subramanya. They dig into the architecture, design and implementation of this great technology. RADAR helps make Windows more reliable and stable by automatically pinpointing memory leaks in code that are then packaged up in bug reports that land in the hands of developers responsible for the memory leaking code. This means quicker to market solutions and knowledge gain that will prevent the same bugs from cropping up again: developers learn what went wrong and why so wthey won't make the same mistakes again. You'll learn about the most common mistakes made and you should use this to prevent memory leaks in your own native code.

Tune in. Learn.

Anti-XSS 3.0 Released

Jossie Tirado — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Threat Modeling LOB Applications with TAM 3.0

Jossie Tirado — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie Tirado — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Architecture Behind CAT.NET

Jossie Tirado — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie Tirado — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Tool Shed Tooltip #7: VSTO from Episode 1

Russell Fustino — Thu, 18 Jun 2009 15:59:00 GMT

It makes sense if users in your organization are using Office 2007 or 2003 to consider building your application on top of one of the many office products. Learn how in this video.

What is it?
Visual Studio Tools for Office is the premiere development tool for building Office Business Applications.

Download Site: included with VS 2008 Pro at msdn.microsoft.com/vstudio

Example Problem(s) it solves:
You want to automate a task in Excel for budget info that stores info to a DB and creates an email or Power Point from it automatically
Enhance Word s ribbon with your own companies customized set of tools.

Installation Notes: You need to have office 2007 installed on your development machine. Trial is available.

This clip is Russ' Tool Shed Tooltip #7, the seventh and final of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Tool Shed Tooltip #6: WPF Styling from Episode 1

Russell Fustino — Wed, 17 Jun 2009 14:19:00 GMT

Check this one out. WPF Application Styling (without any code!). Yikes! See the World premier demo of this great third party tool from Infrgistics. In my opinion, this was the coolest demo in Episode 1. See Microsoft MVP Jason Beres in action as the guest presenter for this awesome demo!

What is it?
No-code, no-visual designer way to style WPF applications.

Download Site:
Styling CTP: http://www.infragistics.com/wpfstyling
Free WPF Datagrid: http://www.infragistics.com/downloads/

Example Problem(s) it solves:
Brings hi-fidelity, professional styling to WPF applications for teams that do not have visual designers on staff
Makes your WPF applications sizzle!

Installation Notes:
Download and install NetAdvantage Win Client: http://www.infragistics.com/downloads/default.aspx

Download CTP from early adopter website: http://www.infragistics.com/wpfstyling

Usage Notes: Currently in CTP.

This clip is Russ' Tool Shed Tooltip #6, the sixth of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Tool Shed Tooltip #5: Windows Live SkyDrive from Episode 1

Russell Fustino — Tue, 16 Jun 2009 14:16:00 GMT

Need extra storage? How about 25 gig in the sky? Use this free hard drive in the sky to share your code, documents, powerpoints, photos and videos.

What is it?
Password-protected online file storage. Always available where you need it.

Download Site: http://skydrive.live.com

Example Problem(s) it solves:
Store files for yourself
Share files with friends
Share files with the world

Installation Notes: Live ID required

Usage Notes: 25 Gig storage – free!

This clip is Russ' Tool Shed Tooltip #5, the fifth of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Tool Shed Tooltip #4: Fiddler from Episode 1

Russell Fustino — Mon, 15 Jun 2009 15:46:00 GMT

Are you coding applications that communicate over the wire? If so, you've got to check this out! Also, did you know Fiddler has add-on tools?

What is it?
HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet.

Download Site: www.fiddlertool.com

Example Problem(s) it solves:
- You just started using WCF and you want to see if message is really encrypted
- You want to trace AJAX messages

Installation Notes: Fiddler 2 supports debugging HTTPS traffic, a richer extensibility model, and can by installed side-by-side with Fiddler 1.x if desired. Note that Fiddler 2 requires version 2.0 of the .NET Framework.

Usage Notes: localhost does not proxy by default .. Ie use http://localhost./... Or use the machine name

This clip is Russ' Tool Shed Tooltip #4, the fourth of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Tool Shed Tooltip #3: SysInternals from Episode 1

Russell Fustino — Mon, 15 Jun 2009 04:58:00 GMT

Learn about this treasure chest of tools called SysInternals. This is a must for your developer toolbox!

What is it?
SysInternals utilities help you manage, troubleshoot and diagnose your Windows systems and applications

Download Site: http://www.sysinternals.com

Example Problem(s) it solves: Problems associated with:
File and Disk Utilities , Networking Utilities, Process Utilities, Security Utilities, System Information, and Miscellaneous Utilities

This clip is Russ' Tool Shed Tooltip #3, the third of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Tool Shed Tooltip #2: Live Services, Virtual Earth, SQL 2008 Geospatial, from Episode 1

Russell Fustino — Sun, 14 Jun 2009 01:40:00 GMT

Learn about Live Services and see how to hook up Virtual Earth to the new SQL 2008 Geospatial support.

What is it?
Windows Live Web Services enable developers, designers, and enthusiasts to quickly create compelling web and desktop applications.

Download Site: http://dev.live.com

Example Problem(s) it solves:
Add Search, Mapping, and rich media (Silverlight) to your apps and websites.
Integrate blog, photo and contact management into your apps.

Installation Notes: Live Services are a set of web services, SDKs, samples and documentation that help you get up and running quickly.

Usage Notes: requires Live ID authentication.

This clip is Russ' Tool Shed Tooltip #2, the second of the clips from Episode One of the TV Show, Russ' Tool Shed presents... It's All About The Tools hosted by Russ Fustino and Co-Host Stan Schultes. Download code, ppt and demo script from http://code.msdn.com/toolshed for all episodes. Also, use the links on http://channel9.msdn.com/toolshed to download tools. Finally, check out some more great videos on the Developer Evangelist East site: http://channel9.msdn.com/dpeeast

Silverlight Spy - Visual Debugging Silverlight Applications

Adam Kinney — Tue, 07 Apr 2009 14:00:00 GMT

Koen Zwikstra has created a very useful tool for Silverlight application development called SilverlightSpy. Load the tool, point it to a web page with a Silverlight application and the dissection begins. It has a little bit funcitonality from of all of your favorite tools like Snoop, Fiddler, FireBug and Reflector but made specifically for Silverlight.

Kaxaml, a lightweight XAML editor

Adam Kinney — Fri, 30 Jan 2009 22:27:00 GMT

Robby Ingebretsen came by to explain what Kaxaml is and how it can be useful to you when developing XAML-based applications. Not only does he introduce the tool, but he also touches on some of the lesser known features and add-ins that may be missed on an initial glance.

Robby also discusses the fact that he will be presenting two workshops at MIX09. The first is Design Fundamentals for Developers and the second, with Jaime Rodriguez, Hiking Mt Avalon.

Teaching developers: A peek inside the inner workings of InnerWorkings

Charles — Thu, 11 Dec 2008 23:08:00 GMT

InnerWorkings is an independent software company whose mission is to help developers learn to write better code faster on the .NET framework. Developers learn by solving real coding challenges and getting instant feedback on their solutions in Visual Studio. An online platform supports the product offering -- help is provided through MSDN articles, Safari Books Online, and a dedicated Personal Tutor service. In addition, they have developed a catalog of ‘practice based’ content showcasing Microsoft technologies (including pre-RTM) such as ASP.NET, Silverlight 2, Object Oriented Development, Generics, WCF, WPF, WF, .NET 3.5 (LINQ, new features in C# 3.0 and VB 9), AJAX, Enterprise Library, Visual Studio Team System, TSQL, and Web Services. Watch the interview to hear more about their plans to develop learning content for Dynamic Data (Astoria) as well as Cloud computing (Azure) and more.

When you’ve finished watching the interview, visit this special offer with free Silverlight 2 training, developed just for the Channel 9 audience. You can download 1 hour of free hands-on coding challenges on the MediaPlayer control and data binding in Silverlight 2 from InnerWorkings. Check it out!

Check out the Microsoft ISV site for more information related to independent software companies and Microsoft.

CHESS: An Automated Concurrency Testing Tool

Charles — Wed, 10 Dec 2008 21:46:00 GMT

CHESS is an automated tool from Microsoft Research for finding errors in multithreaded software by systematic exploration of thread schedules. It finds errors, such as data-races, deadlocks, hangs, and data-corruption induced access violations, that are extremely hard to find with current testing tools. Once CHESS locates an error, it provides a fully repeatable execution of the program leading to the error, thus greatly aiding the debugging process. In addition, CHESS provides a valuable and novel notion of test coverage suitable for multithreaded programs. CHESS can use existing concurrent test cases and is therefore easy to deploy. Both developers and testers should find CHESS useful. The CHESS architecture is described in this technical report.

Here, we meet some of the researchers behind CHESS, Madan Musuvathi and Shaz Qadeer. Joining in the conversation are two software test engineers extraordinare, Chris Dern and Rahul Patil. Chris and Rahul use CHESS as part of their daily routine of finding bugs in the various technologies that power Microsoft's Parallel Computing Platform. Tune in and learn about this great technology from the folks who know it best.