Open Source and information security mailing list archives
 
Message-ID: <4B0F3B603558B44B9F4608630B4F641107C4C191@red-msg-06.redmond.corp.microsoft.com>
Date: Mon, 16 Jun 2003 09:20:44 -0700
From: "Michael Howard" <mikehow@...rosoft.com>
To: <bugtraq@...urityfocus.com>
Subject: Improving Web Application Security: Threats and Countermeasures


Microsoft is pleased to announce the release of _Improving Web
Application Security: Threats and Countermeasures_

This guide helps you build hack-resilient applications. A hack-resilient
application is one that reduces the likelihood of a successful attack
and mitigates the extent of damage if an attack occurs. A hack-resilient
application resides on a secure host in a secure network and is
developed using secure design and development guidelines.

Web application security must be addressed across the tiers and at
multiple layers. A weakness in any tier or layer makes your application
vulnerable to attack. Figure 1 shows the scope of the guide and the
three-layered approach that it uses: securing the network, securing the
host, and securing the application. It also shows the process called
threat modeling, which provides a structure and rationale for the
security process and allows you to evaluate security threats and
identify appropriate countermeasures. 

If you do not know your threats, how can you secure your system?

The guide is divided into five parts.

Part I, Introduction to Threats and Countermeasures
This part identifies and illustrates the various threats facing the
network, host, and application layers. By using the threat modeling
process, you can identify the threats that are relevant to your
application. This sets the stage for identifying effective
countermeasures. This part includes:

	Foreword by Mark Curphey 
	Foreword by Joel Scambray 
	Foreword by Erik Olson 
	Introduction 
	Solutions at a Glance 
	Fast track 
	Chapter 1, Web Application Security Fundamentals 
	Chapter 2, Threats and Countermeasures 
	Chapter 3, Threat Modeling 

Part II, Designing Secure Web Applications
This part provides the guidance you need to design your Web applications
securely. Even if you have an existing application, you should review
this section and then revisit the concepts, principles, and techniques
that you used during your application design. This part includes: 

	Chapter 4, Design Guidelines for Secure Web Applications 
	Chapter 5, Architecture and Design Review 

Part III, Building Secure Web Applications
This part helps you to apply the secure design practices and principles
covered in the previous part to create a solid and secure
implementation. You'll learn defensive coding techniques that make your
code and application resilient to attack. Chapter 6 presents an overview
of the .NET Framework security landscape so that you are aware of the
numerous defensive options and tools that are at your disposal. Part III
includes: 

	Chapter 6, .NET Security Fundamentals 
	Chapter 7, Building Secure Assemblies 
	Chapter 8, Code Access Security in Practice 
	Chapter 9, Using Code Access Security with ASP.NET 
	Chapter 10, Building Secure ASP.NET Pages and Controls 
	Chapter 11, Building Secure Serviced Components 
	Chapter 12, Building Secure Web Services 
	Chapter 13, Building Secure Remoted Components 
	Chapter 14, Building Secure Data Access 

Part IV, Securing Your Network, Host and Application
This part shows you how to apply security configuration settings to
secure the interrelated network, host, and application levels. Rather
than applying security randomly, you'll learn the reasons for the
security recommendations. Part IV includes:

	Chapter 15, Securing Your Network 
	Chapter 16, Securing Your Web Server 
	Chapter 17, Securing Your Application Server 
	Chapter 18, Securing Your Database Server 
	Chapter 19, Securing Your ASP.NET Application and Web Services 
	Chapter 20, Hosting Multiple ASP.NET Applications 

Part V: Assessing Your Security
This part provides you with the tools you need to evaluate the success
of your security efforts. It shows you how to evaluate your code and
design and also how to review your deployed application, to identify
potential vulnerabilities: 

	Chapter 21, Code Review 
	Chapter 22, Deployment Review 


Finally, there are two extra sections, Checklists and How-to
Articles:

	Checklist: Architecture and Design Review 
	Checklist: Security Review for Managed Code 
	Checklist: Securing ASP.NET 
	Checklist: Securing Enterprise Services 
	Checklist: Securing Web Services 
	Checklist: Securing Remoting 
	Checklist: Securing Data Access 
	Checklist: Securing Your Network 
	Checklist: Securing Your Web Server 
	Checklist: Securing Your Database Server 
	How To: Implement Patch Management 
	How To: Harden the TCP/IP Stack 
	How To: Secure Your Developer Workstation 
	How To: Use IPSec for Filtering Ports and Authentication 
	How To: Use IISLockdown.exe 
	How To: Use the Microsoft Baseline Security Analyzer 
	How To: Use URLScan 
	How To: Create a Custom Encryption Permission 
	How To: Use Code Access Security Policy to Constrain an Assembly


This _patterns and practice_ guide is available at:

http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp 
(note, this link may wrap in some email clients)

Cheers, Michael
Writing Secure Code 2nd Edition 
http://www.microsoft.com/mspress/books/5957.asp





