Contents tagged with Security
I am speaking tonight on ASP.NET MVC Security at Microsoft DevBoston.
Microsoft has announced two new Security Development Lifecycle (SDL) tools here:
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.
Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.
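The mutational approach the MiniFuzz description sketches (take a known-good file, produce many random variants, feed each to the code under test, watch for behaviour that is neither a clean parse nor a deliberate rejection) is easy to show in miniature. The block below is an added illustration, not MiniFuzz's own code: the "RECD" record format, the deliberately sloppy parser and the in-process harness are all constructed here. MiniFuzz itself launches the real executable on each variant file and watches for crashes; the in-process target stands in for that so the example runs offline.

```python
import random
from typing import Callable, List, Tuple


class ParseError(Exception):
    """Raised when the parser rejects input on purpose; this is the desired outcome."""


# Constructed sample format (not any real file type): "RECD", a one-byte record
# count, then that many records of (one-byte length, payload).
SEED = b"RECD" + bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"


def parse_records(data: bytes) -> List[bytes]:
    """Toy target with a real defect: it trusts the count and length fields and
    indexes past the end of short input (IndexError) instead of raising ParseError."""
    if data[:4] != b"RECD":
        raise ParseError("bad magic")
    count = data[4]                      # IndexError on a 4-byte file
    pos, records = 5, []
    for _ in range(count):
        n = data[pos]                    # IndexError once a mutation truncates the file
        records.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    return records


def mutate(data: bytes, rng: random.Random, max_ops: int = 4) -> bytes:
    """Apply one to max_ops random edits: bit flips, boundary bytes, inserts,
    deletes and truncation. These are the classic mutators a file fuzzer uses."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(("flip", "set", "insert", "delete", "truncate"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "set" and buf:
            i = rng.randrange(len(buf))
            buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)))
        elif op == "insert":
            i = rng.randint(0, len(buf))
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif op == "delete" and buf:
            i = rng.randrange(len(buf))
            del buf[i:i + rng.randint(1, 4)]
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 1) -> List[Tuple[int, str, bytes]]:
    """Feed mutated variants of `seed` to `target` and record every outcome that is
    not a clean parse or a deliberate ParseError. Each finding is
    (iteration, exception name, input) so the case can be saved and replayed."""
    rng = random.Random(rng_seed)        # fixed seed makes a run reproducible
    findings = []
    for i in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            pass                         # graceful rejection is what we want
        except Exception as exc:         # anything else is unexpected behaviour
            findings.append((i, type(exc).__name__, case))
    return findings


if __name__ == "__main__":
    for i, name, case in fuzz(parse_records, SEED, 300)[:5]:
        print(f"iteration {i}: {name} on {case!r}")
```

Every finding here is an IndexError, which is the Python equivalent of the out-of-bounds read a C parser would turn into a crash; the fix in the target is to check `pos < len(data)` before each field read and raise ParseError instead. When adapting this to a real tool, write each `case` to a temporary file and run the target on it, as MiniFuzz does, and keep the reproducer file for every crash.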
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.
As Jason Hogg mentions in his blog post, the Geneva Identity Management Framework (renamed from Zermatt) was announced yesterday at PDC 2008.
- Geneva Framework - A .NET framework for writing interoperable, claims-aware applications
- Geneva STS - An STS integrated with AD. Supports issuance (finally) and consumption of CardSpace cards.
- CardSpace Geneva - A federation client
In addition to these framework-like components, there are also a couple of services (built using Geneva), including:
- Microsoft Federation Gateway - Provides the basis for the Microsoft Services identity backbone, brokering access to Microsoft cloud applications and developer services
- Microsoft Connector Services - Federates AD to the Microsoft Federation Gateway. Provides lightweight access to the federation gateway.
- .NET Access Control Service - Next-generation service (STS) that performs claims transformation. It receives authentication information and issues authz decisions. This includes a management portal and APIs for managing and writing authz policies.
You can get the bits here.
I have recently been working with a client to set up an STS and stumbled upon Zermatt and was very excited to see this direction. If you are looking to build/deploy a claims-aware application and need an STS over WCF, take a look at Geneva.
NOTE: The Geneva Framework installs on Vista and/or Windows 2003/2008; the Geneva STS requires Windows 2008.
I got notice today, as others did, I have once again been named a Microsoft MVP for 2008 in the area of Visual Developer - Security. Thanks again, Microsoft, and my MVP lead Rafael Munoz, and all those who have been very supportive of my community work this past year (with my speaking at several conferences, speaking at user groups, and leading a user group as well).
Like Dominick Baier and Christian Weyer of Thinktecture, I also wondered why I couldn't use a UsernameToken with Transport Security in WCF v.1. I wanted to put together a simple demo for a client and that feature just wasn't there. Dominick mentions in this post it will finally be available in WCF 3.5. Great!
Once again, for the 4th year in a row, I enjoyed the one conference I make sure to book well in advance. I haven't traveled to conferences as much this year, instead focusing on client-related work. This was one conference, however, I was really looking forward to attending and presenting at. I am originally from the Midwest (Oklahoma) and have lived in Massachusetts for 12 years now, but I always feel more at home when I go to HDC than anywhere else I have visited. The layout of the area, the local convenience stores, the people, and the atmosphere remind me a great deal of what I remember most about growing up in the Midwest.
I will be speaking at the New England Code Camp 8: Rise of the Silverlight Surfer at the Microsoft offices in Waltham, MA on September 29-30. I will be speaking on the following security topics:
I will be speaking on the topic "Web Services Security: Where are we now?" this coming Wednesday, September 12, 2007, at the Boston .NET Users Group meeting at Microsoft, Waltham, MA. There has been some interesting talk lately, including at this year's Black Hat USA 2007 in July, on the current state of web services security. I will be covering the common web services attacks developers should know about as well as current information on WS-* security, REST, and other mitigation measures. If you are in the area, stop on by, but first go register at the user group site to let them know you will be attending.
I was in a user group meeting recently with Patrick Hynds speaking about Identity and presenting demos on Windows CardSpace. Someone in the audience mentioned it would be great to see Microsoft start using this for some of their websites (I agree!). Well, here it is: LiveID + CardSpace.
Also, take a look at the latest samples for WCF, WF, and CardSpace for VS 2008 Beta 2.
I have been mostly silent for the past year as I have been busy working with a client in Western Massachusetts on a very interesting ASP.NET 2.0 project (using C# 2.0). I had the pleasure of working with one of the best teams I have seen in my career -- all were bright, willing to learn, and up to the daunting task of converting skills from pre .NET right into .NET 2.0 and object-oriented programming. I taught a course to the company earlier last year and they asked me to come and help with the architecture and final development of a very time-critical ASP.NET application. I am very, very happy to say they met their goals with the project going live last week and right on target! In the end they have a very robust, highly maintainable, flexible, and extensible architecture that met their immediate needs and certainly future needs as well.