May 2009 |
A Conversation About Threat Modeling |
Listen in on a chat between a developer and a security pro that delves into some of the major Security Development Lifecycle (SDL) requirements we impose on product teams here at Microsoft. |
|
November 2008 |
Threat Models Improve Your Security Process |
This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks. |
|
May 2008 |
Penetration Testing |
In this installment of Security Briefs, James Whittaker explains the rules and the pitfalls of penetration testing so you'll know how to avoid them. |
|
July 2007 |
Applying Cryptography Using The CNG API In Windows Vista |
Cryptography Next Generation (CNG) is meant to be a long-term replacement for the CryptoAPI, providing replacements for all of the cryptographic primitives it offered. |
|
November 2005 |
A Look Inside the Security Development LifeCycle at Microsoft |
Michael Howard outlines how to apply the SDL to your own software development processes. |
|
November 2004 |
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users |
In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code. |
|
November 2003 |
Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code |
Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API. |
|
Review It: Expert Tips for Finding Security Defects in Your Code |
Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects on his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like "password" and "secret," and other obvious but common security blunders, can be searched for and remedied. |
|
August 2003 |
Security Briefs: Hashing Passwords, The AllowPartiallyTrustedCallers Attribute |
Keith Brown describes how you can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribute on your assembly. |
|
May 2003 |
Virus Hunting: Understand Common Virus Attacks Before They Strike to Better Protect Your Apps |
Developers' machines can often be more vulnerable to viruses than the average corporate user's because of their more frequent access to remote machines and shares, and the differing administrative privileges they maintain across multiple machines. Reliance on antivirus software is fine as a first line of defense, but you need a basic arsenal of skills for securing the executables on your system and coping with viruses on your own. This article reviews proactive methods you can use to defend yourself against malicious executable code in resources, component libraries, scripts and macros, as well as how to avoid a handful of other potential vulnerabilities. |
|
April 2003 |
Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003 |
Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls. |
|
March 2003 |
Talking To... Michael Howard Discusses the Secure Windows Initiative |
The growth of interconnected computers in recent years has pushed security concerns to the forefront of development and application design. The Microsoft effort, dubbed the Secure Windows Initiative (SWI), focuses on securing new and legacy code. |
|
April 2001 |
Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates |
Security is one of the most important factors in the future growth of e-businesses. Making sure that communications remain secure between customers and the Web server is a critical issue. Secure Sockets Layer (SSL) is the standard that secure Web sites are built upon today. This article presents an overview of SSL-based Web security, explaining such fundamental concepts as digital certificates and their distribution, encryption, and the proper configuration of Microsoft Internet Information Services (IIS). Acquiring a certificate, installing it, and configuring IIS for SSL are outlined in a step-by-step process. |
|
The Security Support Provider Interface Revisited |
Session keys can be used to encrypt messages or to simply affix a message authentication code (MAC) to allow tamper detection and authentication of cleartext messages. This article shows the SSPI APIs you need to call, how to use the SSPI workbench utility to send encrypted or signed messages, and how SSPI can be used to validate passwords. It describes a few experiments that you can try with the workbench that will help you explore how Kerberos, NTLM, and SPNEGO are implemented in Windows. |
|
August 2000 |
Explore the Security Support Provider Interface Using the SSPI Workbench Utility |
This article describes the Security Support Provider Interface (SSPI) and an SSPI Workbench utility to help you learn about SSPI and explore the various authentication protocols that Microsoft Windows 2000 supports. |
|
May 2000 |
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility |
This article describes how Windows 2000 implements delegation of credentials using Kerberos. |
|
March 2000 |
Exploring Handle Security in Windows |
This article describes how security works with handles in the face of interprocess communication, impersonation, handle inheritance, and the powerful DuplicateHandle API. |
|
Encrypt It: Keep Your Data Secure with the New Advanced Encryption Standard |
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. This article presents an overview of AES and explains the algorithms it uses. |