February 18, 2004

MSDN Webcast Review: Writing Secure Code - Best Practices

What a great presentation. Joel did a great job. It was detailed on secure coding best practices and included threat modeling, covering both STRIDE threat modeling and Attack Trees. It was interesting to see him present the DREAD model for rating threats as superior to using the common formula: risk = Probability (chance) * Damage Potential (damage). I've been using r = c * d for over a year instead of DREAD, and found it works well for me. I am going to need to read up on some secondary documentation on DREAD and see why Microsoft prefers that method.

The demos were pretty good too. Joel even showed how to properly do development as a non-admin user, which should benefit most people who don't. If you don't know WHY that's important, consider reading my CodeProject article about developing with least privilege.

I did learn one interesting component in VS.NET. I always write my validation routines by hand and deal with it that way. I didn't know there was an ErrorProvider control that makes that simpler. Will have to look into that.

I REALLY liked how Joel showed how to use the Data Protection API (DPAPI) to encrypt and decrypt SQL connection strings. I wish more people knew how to do this. If you hardcode your connection strings, you really should watch this presentation and learn how to fix that.

All in all, this has been the best presentation so far. In the next few days the presentation will be online on-demand, which you can check out here for yourself. In the meantime, I kept a copy of the PowerPoint slides of the presentation, which you can get here.

Comments
Glad you enjoyed the presentation. That last demo bombed really badly, hey? I went back to see if I could fix it, but of course, it magically worked.
Posted by: Joel at February 18, 2004 08:43 PM

Demos always do that, don't they?? Thanks again for a great presentation. Looking forward to your other one tomorrow.
Posted by: SilverStr at February 19, 2004 01:31 PM

Hi Dana, I just enjoyed viewing the Writing Secure Code - Best Practices webcast. Very interesting stuff. It says it's for advanced programmers, but even though I don't really consider myself very advanced in secure coding principles, I was able to follow the greater part without too many difficulties. It also might have to do with my reading Michael Howard's "Secure Coding" book recently, as a lot of the webcast material was familiar to those having read the book. Only in the parts where Joel went into C# code quite deeply did I lose track a little bit. That might also have to do with the fact that we're still on Visual Studio 6 here. But as I have to think about developing myself, I have touched upon .NET a bit lately. It's a great job of Microsoft to make these webcasts available for viewing afterwards, at least for those who, like me, don't visit seminars too often.
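The DPAPI technique the post praises, as an added example that is not from the post or the webcast: encrypt the connection string once, ship only the ciphertext, and decrypt under the account that runs the application. It assumes the managed ProtectedData wrapper (.NET 2.0 and later; webcast-era .NET 1.1 reached CryptProtectData through P/Invoke), uses a plain file in place of app.config, and both the entropy value and the connection string are constructed placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ConnectionStringVault
{
    // Optional entropy mixed into DPAPI's key, so other code running as the same user
    // cannot Unprotect the blob without it. Placeholder; keep the real value out of source.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("app-specific-entropy-PLACEHOLDER");

    // Run once (installer or admin tool) and store the result in config.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        return Convert.ToBase64String(cipher);
    }

    // Run at startup. CurrentUser scope means only the same Windows account on the same
    // machine can decrypt, so a copied config file is useless elsewhere. A service whose
    // identity differs from the installer's would use DataProtectionScope.LocalMachine.
    public static string Unprotect(string protectedBase64)
    {
        byte[] cipher = Convert.FromBase64String(protectedBase64);
        try
        {
            byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser);
            string result = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length); // don't leave plaintext bytes behind
            return result;
        }
        catch (CryptographicException ex)
        {
            // Wrong user, tampered blob or wrong entropy: fail closed rather than
            // falling back to a built-in default string.
            throw new InvalidOperationException("Could not decrypt connection string", ex);
        }
    }

    static void Main()
    {
        // Constructed sample; a real value would never appear in source.
        string shipped = Protect("Server=db1;Database=Orders;User Id=app;Password=s3cret;");
        File.WriteAllText("connstr.dpapi", shipped);          // what config carries
        string atRuntime = Unprotect(File.ReadAllText("connstr.dpapi"));
        Console.WriteLine(atRuntime.StartsWith("Server=db1") ? "round trip ok" : "mismatch");
    }
}
```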