Robert Hurlbut's Blog

I bought Michael Howard's and Steve Lipner's book The Security Development Lifecycle here at TechEd 2006 today. Michael has a description and purpose of the book as well as a table of contents on his blog.

One thing I noticed immediately is the list of Threat Tree Patterns in its own chapter. I remember I had a question about these at one of my talks on Threat Modeling as I included a slide from one of  Michael's decks that mentioned this concept. Threat Tree Patterns really help in the modeling process as these are well known and common types of threat scenarios to look for in your application. Previously, with the DREAD style, you had to think of these yourself, and if you weren't a security expert you might miss several things. So, it helps to look at the patterns. Unfortunately, these patterns weren't readily available at the time, but now they are finally added to this book. Great!

I have read several SDL papers over the last couple of years and watched how Microsoft has fine-tuned the process. I think this will be a great read for every developer as they think through applying secure development at every stage of the software development lifecycle.

I mentioned previously I worked on some security work with WCF. In March, I worked with Sam's team to put together a first prototype of a WCF secure solution using Active Directory as well as research into WSFederationHttpBinding and Active Directory Federation Services (ADFS). Sam and crew have extended those initial ideas into a set of great solutions as he describes here , here, and here (Aaron's post). You owe yourself a look to see the great work they have done.

Keith Brown also announced the launch of the Identity and Access Management developer center on MSDNrecently. His recent paper on "The .NET Developer's Guide to Identity" is extremely good and I have already recommended it to a few people at TechEd this year. Keith presented a session on WCF Security yesterday morning which I unfortunately had to miss, but I did get a chance to read the slide deck yesterday afternoon and it looks great -- if you get a chance (i.e. have access), take a look.

There are a lot of great resources starting to show up. I am hoping to add some original items as I come across them, but in the meantime these are a few places to check for information.

Juval Lowy (of IDesign) has added a free code library for WCF development, which includes demos covering WCF essentials, contract design, data contracts, operations and calls, instance management, faults, transactions, concurrency management, queued calls and security. The downloads shed light on poorly-documented and understood aspects, demonstrate relevant design guidelines, best practices, and pitfalls. The demos are also used during their WCF Master Class to demystify technical points, as lab exercises or to answer questions. You can find the code library here.

I remember looking at some of the demos and sample code from IDesign when I was doing some development in WCF a few months ago. The staff of IDesign were very helpful in answering some tough WCF security questions. If you have a chance, sign up for one of the Master classes -- the one in June is sold out but there is another one in August. I am thinking about taking that one myself.

I am at TechEd 2006 in Boston this week. I registered yesterday (Sunday), coming in on the subway. This is one conference that is not much of a change for me as I commute into Boston everyday anyway -- usually on the commuter rail. It's interesting to have this large conference in my "backyard". I already know my way around pretty well. :)

Yesterday, I attended the Malware Removal pre-conference presented by Mark Russinovich (of SysInternals fame). It was filled with a lot of great Windows security information which included the basics, descriptions of malware, descriptions of rootkits, ways to counter malware, and even a short section on running with a Limited User Account (LUA). Mark gave the warning I always give as well -- you can remove some malware off your machine, but sometimes (actually most of the time) the best course of action is to repave and reinstall the OS. You really don't know how infected you may be once the door has been opened.

I bought Bob Beauchemin's and Dan Sullivan's completed (and awaited) book on A Developer's Guide to SQL Server 2005. I thoroughly enjoyed their first book -- this one looks to be almost twice the size. I started looking at two of my favorite topics in SQL Server 2005: security and service broker, and I wasn't disappointed. This will be a book I will enjoy digesting over the next month.

While at TechEd, I will be working as a technical expert in the Connected Systems track in the Technical Learning Center (TLC) "blue" area (what used to be called Cabanas?) Monday, Wednesday, and Friday afternoons. It's been a couple of months since I looked at WCF in detail, but I just loaded the new Vista Beta 2 on my laptop last night (from the CD found in our TechEd bag) and installed VS 2005 and the new WinFx er, correction, .NET 3.0 (since last Friday) SDK so I can play with the latest bits. This should be fun.

If you at TechEd, come on by and say hello.