[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B0F3B603558B44B9F4608630B4F641107C4C191@red-msg-06.redmond.corp.microsoft.com>
Date: Mon, 16 Jun 2003 09:20:44 -0700
From: "Michael Howard" <mikehow@...rosoft.com>
To: <bugtraq@...urityfocus.com>
Subject: Improving Web Application Security: Threats and Countermeasures
Microsoft is pleased to announce the release of _Improving Web
Application Security: Threats and Countermeasures_
This guide helps you build hack-resilient applications. A hack-resilient
application is one that reduces the likelihood of a successful attack
and mitigates the extent of damage if an attack occurs. A hack-resilient
application resides on a secure host in a secure network and is
developed using secure design and development guidelines.
Web application security must be addressed across the tiers and at
multiple layers. A weakness in any tier or layer makes your application
vulnerable to attack. Figure 1 shows the scope of the guide and the
three-layered approach that it uses: securing the network, securing the
host, and securing the application. It also shows the process called
threat modeling, which provides a structure and rationale for the
security process and allows you to evaluate security threats and
identify appropriate countermeasures.
If you do not know your threats, how can you secure your system?
The guide is divided into five parts.
Part I, Introduction to Threats and Countermeasures
This part identifies and illustrates the various threats facing the
network, host, and application layers. By using the threat modeling
process, you can identify the threats that are relevant to your
application. This sets the stage for identifying effective
countermeasures. This part includes:
Foreword by Mark Curphey
Foreword by Joel Scambray
Foreword by Erik Olson
Introduction
Solutions at a Glance
Fast track
Chapter 1, Web Application Security Fundamentals
Chapter 2, Threats and Countermeasures
Chapter 3, Threat Modeling
Part II, Designing Secure Web Applications
This part provides the guidance you need to design your Web applications
securely. Even if you have an existing application, you should review
this section and then revisit the concepts, principles, and techniques
that you used during your application design. This part includes:
Chapter 4, Design Guidelines for Secure Web Applications
Chapter 5, Architecture and Design Review
Part III, Building Secure Web Applications
This part helps you to apply the secure design practices and principles
covered in the previous part to create a solid and secure
implementation. You'll learn defensive coding techniques that make your
code and application resilient to attack. Chapter 6 presents an overview
of the .NET Framework security landscape so that you are aware of the
numerous defensive options and tools that are at your disposal. Part III
includes:
Chapter 6, .NET Security Fundamentals
Chapter 7, Building Secure Assemblies
Chapter 8, Code Access Security in Practice
Chapter 9, Using Code Access Security with ASP.NET
Chapter 10, Building Secure ASP.NET Pages and Controls
Chapter 11, Building Secure Serviced Components
Chapter 12, Building Secure Web Services
Chapter 13, Building Secure Remoted Components
Chapter 14, Building Secure Data Access
Part IV, Securing Your Network, Host and Application
This part shows you how to apply security configuration settings to
secure the interrelated network, host, and application levels. Rather
than applying security randomly, you'll learn the reasons for the
security recommendations. Part IV includes:
Chapter 15, Securing Your Network
Chapter 16, Securing Your Web Server
Chapter 17, Securing Your Application Server
Chapter 18, Securing Your Database Server
Chapter 19, Securing Your ASP.NET Application and Web Services
Chapter 20, Hosting Multiple ASP.NET Applications
Part V: Assessing Your Security
This part provides you with the tools you need to evaluate the success
of your security efforts. It shows you how to evaluate your code and
design and also how to review your deployed application, to identify
potential vulnerabilities:
Chapter 21, Code Review
Chapter 22, Deployment Review
Finally, there are two extra sections, Checklists and and How-to
Articles:
Checklist: Architecture and Design Review
Checklist: Security Review for Managed Code
Checklist: Securing ASP.NET
Checklist: Securing Enterprise Services
Checklist: Securing Web Services
Checklist: Securing Remoting
Checklist: Securing Data Access
Checklist: Securing Your Network
Checklist: Securing Your Web Server
Checklist: Securing Your Database Server
How To: Implement Patch Management
How To: Harden the TCP/IP Stack
How To: Secure Your Developer Workstation
How To: Use IPSec for Filtering Ports and Authentication
How To: Use IISLockdown.exe
How To: Use the Microsoft Baseline Security Analyzer
How To: Use URLScan
How To: Create a Custom Encryption Permission
How To: Use Code Access Security Policy to Constrain an Assembly
This _patterns and practice_ guide is available at:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
(note, this link may wrap in some email clients)
Cheers, Michael
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp
Powered by blists - more mailing lists