How To Use Guidance Explorer to do a Security Code Inspection

One of the key experiences you get with Guidance Explorer (GE) is support for manual security inspections.   We call them inspections versus reviews because we inspect against specific criteria.   We supply you with a starter set of inspection questions, but you can tailor them or add your own. 

Security Code Inspection
We use three distinct types of inspections:  design, code and deployment.  For this example, we'll use Guidance Explorer to do a security code inspection of an ASP.NET application. 

Summary of Steps

  • Step 1. Create a new View.
  • Step 2. Add inspection questions to your view.
  • Step 3. Save your View to Word.

Step 1. Create a new View.  
In this step, you add a new view to My Views. To do so, in GE, right-click My Views and add a new View. You can name your View whatever you like, but for this example, I'll name mine "Security Code Inspection."

Step 2. Add inspection questions to your view.
In this step, you add relevant security inspection questions.    To do so, in GE, click the patterns & practices Library, next click Security, next click Security Engineering, next click Code Inspections.  Expand the ASP.NET 2.0 set of security inspection questions.

For this example, drag and drop the questions from the following categories: Input and Data Validation, Forms Authentication, and SQL Injection.  This will give you a nice focused set of questions to drive your inspection.

Step 3. Save your View to Word.
In this step, you save your View as a Word doc. To do so, right-click your view (e.g. "Security Code Inspection") and click Save View as .... Name your doc (e.g. "My Security Code Inspection.doc") and click Save.

You just built your own security code inspection set!

Extending and Exploring
There's a lot of exploring you can do and ways you can extend:

  • Design and Deployment Inspection. For example, you can try building a security design inspection set or a security deployment inspection set.
  • Code Examples. You can add code examples and link them to your inspection questions.
  • Agile Security Engineering. If you're doing Agile development, you can scope your security inspection to a finite set of categories for a specific set of stories within the current iteration.
  • Patterns. If you're a fan of patterns, you can add pattern examples to your design inspection.

At the end of the day, do what makes sense for you and your team to more effectively build software and meet your security objectives.

Share Your Stories
I'm sure you're bound to have stories. If you haven't done security code inspections before, you're in for a treat. Security Code Inspections are a proven practice. While the criteria and context may vary, the technique pretty much remains the same. Share your stories either in this post or by email to getool@microsoft.com.

Comments

  • Anonymous
    December 13, 2007
    PingBack from http://blogs.msdn.com/jchiou/archive/2007/12/13/guidance-explorer-asp-net.aspx

  • Anonymous
    December 19, 2007
    This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • Anonymous
    December 20, 2007
    J.D. Meier's Blog has 2 recent entries on security: Getting Started with Threat Modeling and Video: Proven

  • Anonymous
    April 07, 2008
    If you know the underlying principles for security, you can be more effective in your security design.