Contents tagged with Security

  • Two new Microsoft Security Development Lifecycle (SDL) tools: MiniFuzz File Fuzzer and BinScope Binary Analyzer

    Microsoft has announced two new Security Development Lifecycle (SDL) tools here:

    MiniFuzz File Fuzzer

    MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds them to the application to exercise the code in an attempt to expose unexpected application behaviors.

    Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.

    BinScope Binary Analyzer

    The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.

    BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.

    Jeremy Dallman, of Microsoft, explains both tools in this post.


  • PDC 2008 - Geneva Identity Management

    As Jason Hogg mentions in his blog post, the Geneva Identity Management Framework (renamed from Zermatt) was announced yesterday at PDC 2008.

    Geneva includes:

    • Geneva Framework - A .NET framework for writing interoperable, claims-aware applications
    • Geneva STS - An STS integrated with AD. Supports issuance (finally) and consumption of CardSpace cards.
    • CardSpace Geneva - A federation client

    In addition to these framework-like components, there are also a couple of services (built using Geneva) including:

    • Microsoft Federation Gateway - Provides the basis for the Microsoft Services Identity backbone, brokering access to Microsoft cloud applications and developer services
    • Microsoft Connector Services - Federates AD to the Microsoft Federation Gateway. Provides lightweight access to the federation gateway.
    • .NET Access Control Service - Next generation service (STS) that performs claims transformation. It receives authentication information and issues authz decisions. This includes a management portal and APIs for managing and writing authz policies.

    You can get the bits here.

    I have recently been working with a client to set up an STS and stumbled upon Zermatt and was very excited to see this direction. If you are looking to build/deploy a claims-aware application and need an STS over WCF, take a look at Geneva.

    NOTE: Requirements are Vista and/or Windows 2003/2008 for the installation of the Geneva Framework and Windows 2008 for installation of the Geneva STS.


  • MVP 2008 - thanks again!

    I got notice today, as others did, I have once again been named a Microsoft MVP for 2008 in the area of Visual Developer - Security. Thanks again, Microsoft, and my MVP lead Rafael Munoz, and all those who have been very supportive of my community work this past year (with my speaking at several conferences, speaking at user groups, and leading a user group as well).


  • WCF 3.5 will support Usernames over Transport Authentication

    Like Dominick Baier and Christian Weyer of Thinktecture, I also wondered why I couldn't use a UsernameToken with Transport Security in WCF v.1. I wanted to put together a simple demo for a client and that feature just wasn't there. Dominick mentions in this post it will finally be available in WCF 3.5. Great!


  • Heartland Developers Conference 2007 wrap-up

    Once again, for the 4th year in a row, I enjoyed the one conference I make sure to book well in advance. I haven't traveled to conferences as much this year, instead focusing on client-related work. This was one conference, however, I was really looking forward to attending and presenting at. I am originally from the Midwest (Oklahoma) and have lived in Massachusetts for 12 years now, but I always feel more at home when I go to HDC than anywhere else I have visited. The layout of the area, the local convenience stores, the people, and the atmosphere remind me a great deal of what I remember most about growing up in the Midwest.


  • Speaking on Web Services Security at Boston .NET User Group on 9/12/2007

    I will be speaking on the topic "Web Services Security: Where are we now?" this coming Wednesday, September 12, 2007, at the Boston .NET Users Group meeting at Microsoft, Waltham, MA. There has been some interesting talk lately, including at this year's BlackHat USA 2007 in July, on the current state of web services security. I will be covering the common web services attacks developers should know about as well as current information on WS-* security, REST, and other mitigation measures. If you are in the area, stop on by, but first go register at the user group site to let them know you will be attending.


  • Take a look at LiveId + CardSpace

    I was in a user group meeting recently with Patrick Hynds speaking about Identity and presenting demos on Windows CardSpace. Someone in the audience mentioned it would be great to see Microsoft start using this for some of their websites (I agree!). Well, here it is: LiveID + CardSpace.

    Also, take a look at the latest samples for WCF, WF, and CardSpace for VS 2008 Beta 2.


  • Another TDD and DDD success story

    I have been mostly silent for the past year as I have been busy working with a client in Western Massachusetts on a very interesting ASP.NET 2.0 project (using C# 2.0). I had the pleasure of working with one of the best teams I have seen in my career: all were bright, willing to learn, and up to the daunting task of converting skills from pre-.NET right into .NET 2.0 and object-oriented programming. I taught a course at the company earlier last year and they asked me to come and help with the architecture and final development of a very time-critical ASP.NET application. I am very, very happy to say they met their goals, with the project going live last week and right on target! In the end they have a very robust, highly maintainable, flexible, and extensible architecture that met their immediate needs and certainly future needs as well.