Extrusion: Insider theft of digital assets -- best (and not so best) practices

ComputerWorld has an interesting article discussing the unauthorized transfer of a company's essential digital assets... commonly called extrusion.

Extrusion has a strange nature that stems from unexpected actions by trusted insiders in an environment assumed to be secure. For this reason, extrusion prevention requires both management and technology controls. This article reviews current best practices in four business control activities: human resources, the internal audit, physical security and information security. The author highlights disconnects in each activity and then recommends corrective action at the end of the article.

With the threats from within being the major focus these days, this article rings true to many a CSO. Have a read and judge for yourself.

Understanding IPSec on Windows Server 2003

Microsoft has released a document discussing their implementation of the Internet Engineering Task Force’s Internet Protocol security (IPSec). IPSec provides network managers with a key line of defense in protecting their networks.

IPSec exists below the Transport layer, so its security services are transparently inherited by applications. IPSec provides the protections of data integrity, data origin authentication, data confidentiality, and replay protection without having to upgrade applications or train users.

If you want to learn more, consider checking it out.

Security Coding Issues

Sergey Simakov has an interesting entry pointing to an abridged version of Michael Howard's presentation on Security Coding Issues. You can find the slide deck here that Sergey is referring to.

Nothing really new here, but if you are new to the subject its a great primer.

TCP RST Attack Revisited

Paul Watson's slide deck and whitepaper on the new TCP flaw he found are now online for your viewing pleasure.

With the fact there is now over 4 different sample exploit code segments in the wild, wonder how long it will be before some script kiddie starts trying to netsplit his favorite IRC server *sigh*

Book Review - Exploiting Software: How to Break Code

Unless you know the threats to which you are susceptible to, you will never be able to design secure systems. Technology changes, as do the attackers. Exploiting Software: How to Break Code has driven that home for me as it truly shows how in the vast knowledge I have on the subject I too am always able to learn more.

Gary and Greg did a great job in this book. It is well thought out and meticulous in the detail on showing just how to break code. If you design secure systems YOU MUST READ THIS BOOK. Hell, even if you don’t you should read this book.

If you have been following previous blog entries you will know I have been raving about this book for some time. The reason I didn’t post a review sooner is that I wanted to read the book twice to make sure I really understood some of the key components within the book in areas I wasn't the strongest in. And it was well worth the double take. I think I learned more the second time around when I more understood the concepts.

This book is not for the faint of heart. Although you can walk away with a lot at any level of programming knowledge, to really benefit from this book you have to have a strong understanding of assembler. Without it half the book will be useless to you as you won’t understand the concepts presented. Perhaps a quick sidebar to discuss many of the common assembler instructions could have been helpful in the book to some… or even just reading an asm primer beforehand would help. Luckily I enjoyed assembler in university… it was one of the courses I got 100% in back in the day.

Which gets me to a point that I think other people will end up bringing up if they read the book. If you can’t understand the assembler in the book, you won’t get how to actually exploit code. In other words, if you pick up this book assuming you will walk away with a step-by-step guide with snippits of code to put together your own 'recipe' exploit you have another thing coming. Although there are some really good snippits ranging from payload insertion for overflows to rootkit mapping (and lots of other neat little tidbits in between) the reality is that this book shows you how to look for weaknesses and then attack them. I hold that to Greg's rootkit chapter which had some really detailed code on kernel injection techniques.

Which gets me to one of my favorite parts of the book. As someone who writes kernel code in Windows I REALLY enjoyed the section on patching the Windows kernel to remove all security. It was interesting to see how a couple of bytes could bypass the entire security manager in Windows, and focusing on SeAccessCheck was brilliant! However, I think this section was also a detriment to the authors. The book seemed quite professional right up until this point. We all know the weaknesses in the Windows environment and we all have concern about it. But the 'personalized' negative attitude and berating of Windows and even the US Navy had no place in this book. I'm not here to stick up and defend Microsoft on the subject, but I expected more professionalism from the authors as it relates to computer security here... they should have taken the high road on the subject. I can just as easily show how a rogue Linux kernel module can wreak havoc on a system just as the code presented here can. But its futile to spew forth useless drivel about it. Let's not muddy the waters and focus on the real issue of exploiting code, and keep the personal tainting out of it. If I didn't know the author's work better this could very easily have damaged the credibility of the section, perhaps the entire book. So for others reading the book, just ignore the personal tainting and understand the methods involved. Yes, being able to do a bit flip to disable the entire security is bad. Better compartmentalization is good. :)

If you are in anyway involved in red-team testing and want to know how to approach a target this book provides crucial knowledge and even some good insight on using tools like IDA to assist you. And if you are a developer this book will help you think more defensively about your approach to code.

What could I see done better? Well, it was nice to see how to BREAK code, but I would like that put into perspective on how to fix it. Although this book is said to be a great companion on Gary’s book on Building Secure Software I think more should have been presented to map the two topics better. As an example there was one case where discussion ensued about fault injection techniques with very little discussion on defending this with user input validation testing. Mapping those concepts better could go a long way to more educate developers. Of course, that wasn’t the intent of the book, and this is just my opinion. I am always for educating the developers about secure programming every chance we can get!

Overall, a great book. And one I recommend to the serious computer security software developers out there.

4 out of 5 stars.

Coder to Developer: Tools and Strategies for Delivering Your Software

Eric had an interesting book review on Coder to Developer that I found interesting. Looking through the table of contents this looks like a good book, although its relevance may quickly be outdated since its so tied to technology of today. Still looks like it might be worth reading.

I just finished reading Exploiting Software : How to Break Code this weekend (review to be posted shortly) and should be receiving The Product Marketing Handbook for Software in the next couple of days. Once I absorb that one I think Coder to Developer might be my next read.

Security in Longhorn: Focus on Least Privilege

Microsoft has released an interesting article on a least privileged environment that is going to significantly increase the security of the "Longhorn" Windows platform. Get started today by writing managed code, first of all, and when building desktop applications, make them LUA (Limited Unit Application programming interface) compliant are steps Microsoft recommends for the platform.

Longhorn promises to be a great platform for least privileged applications. Read the article and learn how to get started today by writing managed code. When building desktop applications, you can make them LUA compliant and then use the Windows Application Verifier to help check your work. If you care about the future of security on Longhorn, this is a good introductory article.

New TCP Flaw Found - Reset Attacks around the corner?

Well, I wondered when this would surface. I heard about a presentation a couple of weeks ago that was going on at CanSecWest 2004 this week in which Paul Watson was going to discuss TCP Reset Attacks. The grapevine spoke of an interesting paper... but I never got a copy of it.

It appears that the UK National Infrastructure Security Co-Ordination Centre (NISCC) got an early copy of his paper yesterday and has issued an alert discussing various scenarios... including Paul's discover of the practicability of the RST attack.

Basically the attack pattern is resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set. The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports. Of course all this is easy to spoof... and quite easy to do with Perl and Net::RawIP. (And people commented on my entry about the practicality of Perl *pffft*)

You can read the details in the NISCC alert, which provides some information on mitigation techniques, including an interesting idea of resizing TCP window to deflect the attack.

Now just to get a copy of the paper and read Paul's research about the attack. Maybe I can get a copy from Joost since I know he was attending the conference. Joost? Otherwise, if you are in town attending the conference let me know and we can hook up for beers... and look at the paper more closely.

Practical PERL for the Information Security Professional

I found an interesting paper published by SANS that introduces Perl as a useful, flexible, and extensible tool for the security practitioner. The paper includes examples of Perl's ability to process log files, grab banners of network services, craft network packets and to exploit code that writes to unchecked buffers.

If you aren't using Perl for such tasks you really should look into it. Its a powerful tool that you will find makes life considerably easier for ya. Especially when doing fault injection testing, test parsing with regex and quick and dirty network test scripts.

GOLF CANUCKS GOLF

My Vancouver Canucks are out of the playoffs. And rightfully so... the Calgary Flames played with more heart in tonights game than Vancouver ever did. Didn't help that Jovo turned over the puck 3 times for scoring chances, and pulls stupid penalties that had him in the box during overtime. (Although the last few seconds tie up goal had me and Alan jumping all around screaming at the top of our lungs!)

Maybe next year. *sigh* Now I guess I gotta cheer for Ottawa. Canada needs ths cup back. :(

Security Checks at Runtime and Compile Time

Microsoft has released an article on MSDN which demonstrates Visual C++ compiler and library features for helping developers increase the robustness and security of their applications.

Included in the article is information on using the following switches:

• /GS - Buffer Security Check
  
• /RTCs - Stack Frame Run-Time Error Checking
  
• /RTCc - Detects Assignments that Resulted in Data Loss.
  
• /RTCu - Report Variable Use without Initialization

The sample application includes 6 tests to simulate some of the errors programmers may commit, or the results of malicious input to a program that is too trusting:

1. Overwrite a buffer by running a loop too many times. Since only one buffer is defined, the overwrite affects the rest of the stack including the return address.
   
2. Overwrite a buffer when another buffer is also on the stack.
   
3. Underwrite a buffer.
   
4. Use an uninitialized variable.
   
5. Perform a cast that may lose information.
   
6. Use an uninitialized variable in more complex ways.

If you are using a lanugage that is not typesafe like C++ and are using a newer MS compiler you should really read about these options. Well actually, even if you aren't using C++ you will find the article interesting... you should read it anyways.

Happy reading!

Product Marketing Handbook for Software

Joel pointed out an interesting book called The Product Marketing Handbook for Software which projects itself as the definitive guide to successful software marketing. It discusses the industry’s special challenges and provides solutions specific to the task of marketing and selling software. From blogs through to E-mail and webinars, if you want to succeed in marketing and selling your software, I'm told you can’t afford to be without it.

I have been thinking about ordering this. I originally was going to buy it on Chapters or Amazon with my special discount, but it looks like this is self-published. I took a few minutes and called the company, and had the pleasure of actually speaking with the author. He gave me a bit more comfort, and I have decided I will pickup this book this month and leave Purple Cow: Transform Your Business by Being Remarkable for reading next month.

I like alternating between technical and business/marketing books. It is not only refreshing... it allows me to gain more knowledge in both disciplines. It also keeps me away from becoming a zombie in front of my computer or the TV.

If you have read this book, please let me know. Would love to hear other people's review of it.

Security Enhancements for Remote Access at Microsoft

Microsoft has released a slide deck which includes a detailed discussion of how Microsoft IT significantly improved the security of its corporate network remote access solution using the latest generation of Microsoft products.

It's quite informative and reminded me of when I was in Robert's house and I was asking what the smart card reader was for. :)

Open Source vs. Closed Source Security

This morning I came across an interview (you can listen to the mp3 here) with Gary and Greg that I found quite interesting.

As part of their tour for their latest book "Exploiting Software: How to Break Code" (a great read.... something I highly recommend and will be reviewing shortly) Gary and Greg have a segment in the interview where they discuss why IT DOESN'T MATTER IF CODE IS OPEN OR CLOSED from a code audit perspective. So many OSS fans refuse to accept this, and until they understand how you can get the code from the binary... it will continue to be a futile debate. Perhaps they need to get their own copy of the book :)

Securitydocs.com: The Information security library for the infosec pro

SecurityDocs.com is a directory of information security articles, white papers, and other documents that information security professionals find useful.

The value of SecurityDocs is that it collects white paper meta data from other popular security sources. This allows InfoSec professionals to browse by category or search for papers based on the category, description, title, rating, and other information specific to that paper. Allowing viewers the ability to rate and comment on papers gives future readers a better expectation of the papers value.

SecurityDocs is completely free and does not require registration before accessing any of the features.

From what I have quickly browsed through, it looks like a pretty good resource!

Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services

Microsoft has released a book describing how to design, deploy, upgrade to, or restructure to a Windows Server 2003 Active Directory environment. This book also describes how to design and deploy Windows Server 2003 distributed security services for authentication, access control, and certificate use.

Here is a brief outline of the contents:

• Book Cover (front)
  
• Introduction
  
• Part I: Designing and Deploying Directory Services
  
• Ch 1: Planning an Active Directory Deployment Project
  
• Ch 2: Designing the Active Directory Logical Structure
  
• Ch 3: Designing the Site Topology
  
• Ch 4: Planning Domain Controller Capacity
  
• Ch 5: Enabling Advanced Windows Server 2003 Active Directory Features
  
• Ch 6: Deploying the Windows Server 2003 Forest Root Domain
  
• Ch 7: Deploying Windows Server 2003 Regional Domains
  
• Ch 8: Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
  
• Ch 9: Upgrading Windows 2000 Domains to Windows Server 2003 Domains
  
• Ch 10: Restructuring Windows NT 4.0 Domains to an Active Directory Forest
  
• Ch 11: Restructuring Active Directory Domains Between Forests
  
• Ch 12: Restructuring Active Directory Domains Within a Forest
  
• Part II: Deploying Distributed Security Services
  
• Ch 13: Planning a Secure Environment
  
• Ch 14: Designing an Authentication Strategy
  
• Ch 15: Designing a Resource Authorization Strategy
  
• Ch 16: Designing a Public Key Infrastructure
  
• Ch 17: Planning a Smart Card Deployment
  
• Glossary
  
• Index
  

Part two of this book seemed more interesting to me in preparing the design and planning documents needed to create a sound foundation of distributed security services. Thought you guys might want to read Microsoft's take on it.

You can download the entire book here. Enjoy.

Forensic Analysis of a Live Linux System

I know I have had quite a few people interested in my presentation on doing a forensic analysis of a compromised Linux hard drive, and judging by the number of people that have asked for my presentation slide deck, there is a lot of interest in the subject.

SecurityFocus has recently published a pair of good articles on doing a forensic analysis of a LIVE Linux system. So where my presentations of grave robbing a dead drive goes down one path, these articles go down the other and allow you more in depth analysis of the running host. (Although I must admit, in practice, I am not one to allow a compromised system to stay up and running once its been determined to be breached.. I would rather mirror the system and then test it in an isolated environment... VMWare is your friend!)

Anyways, well worth the read... you should check it out:

• Forensic Analysis of a Live Linux System, Part One
  
• Forensic Analysis of a Live Linux System, Part Two

Improving Security Across the Software Development Lifecycle

On the heels of Gary's take on Processes to Produce Secure Software, the National Cyber Security Partnership (NCSP) Task Force has drafted some secure code guidelines. The preliminary recommendations provide the first in-depth look at improving security across the software development lifecycle.

The NCSP Task Force report makes four key recommendations:

• Improving the education of current and future software developers, including making security a core component of software and computing degree courses. This includes the development of a Software Security Certification Accreditation Program.
  
• Developing best practices for putting security at the heart of the software design process.
  
• Adopting a set of "Guiding Principles for Patch Management" to ensure patches are well-tested, small, localized, reversible and easy to install.
  
• Adopting an "Incentives Framework" that policymakers, developers, companies and others can use to develop effective strategies and incentives for making software more secure.

It would be interesting to see a vendor neutral Software Security Certification Accreditation Program. I am curious to see the course outline for that.

TCPA: The Mother(board) of all Big Brothers

Back in November I had a post about NGSCB and BIOS vendors in response to some paranoia Alan had and never got around to pointing out some of the benefits and drawbacks to trustworthy computing. I have been following the field of trusted computing for some time, especially how it relates to NGSCB in Longhorn and sometimes think more people need to know about it.

Recently I came across an old presentation done at Defcon X by Lucky Green on "Trusted Computing Platform Alliance: The Mother(board) of all Big Brothers". I even found the original slide deck which paints an interesting picture on the subject.

With information ranging from the Fritz chip (the Trusted Platform Module(TPM) that is being included in future motherboards) to the TCP boot process, there are some really good tidbits if you were new to the subject.

It even goes on to discuss the Fritz Hollings Bill (S. 2048) and issues with the GPL that HP has in developing a TCPA-compliant version of Linux. And as usual if the GPL is used in an article which relates to anything remotely dealing with Microsoft Stallman has to have his say... "Treacherous computing is a major threat to our freedom".

Anyways, if you are into learning more about TCPA or NGSCB you might be interested in this older, but still interesting slide deck on the subject. (PDF version of slides also available)

Test-Driven Development in Microsoft .Net

Been looking a lot into test driven development lately, especially the idea of integrating NUnit into our development process. There seems to be a great book on it entitled Test-Driven Development in Microsoft .Net which I will have to get once I finish reading Gary's book on Exploiting software: How to break code.

Before I get to trying some stuff with NUnit I really need to get our build system redone. Recently I saw an interesting post from Scott Hanselman about his integration of Nant, NUnit and CruiseControl. This is something I have been wrestling with for some time.

I have yet to find a good build system for my stuff. Right now I have a pretty frail set of perl scripts that does the following:

1. Check out code from SVN
   
2. Builds my kernel mode drivers via DDK (for W2K, WXP and W2K3 in three separate builds)
   
3. Runs prefast on my kernel code
   
4. Builds my .NET DLLs
   
5. Builds my C# Winforms apps
   
6. Runs FxCop (Fxcopcmd is your friend)
   
7. Runs DotNetfuscator (Community edition... which sucks)
   
8. Copies all files to an output directory
   
9. Run Wise MSI install builder (cmdline, yet still pops up a GUI progress bar, *sigh*)
   
10. Copy MSI to CD build directory
    
11. Create ISO (still haven't found a good cmd line ISO builder that is free... currently must use mkisofs through cygwin)
    

Sounds simple enough... except that there are like 4 different perl scripts there that don't play nice together. And the whole thing requires a person at the console during the build (mostly because DotNetfuscator sucks in its requirements to run). I don't have a single automated build environment to properly know not to build the .NET side if the DDK side pukes. I know I can tweak the perl scripts better to make it more intelligent, but quite frankly I would rather find a better way to do it. And this breaks my cardinal rule to always be in a shippable state with the execution of one command. And right now daily builds are right out. (Which really annoys me)

Right now I am trying to see if there is any way I could hack together a solution to somehow do DDK builds executed from Nant. Not even sure thats possible, but its worth investigating.

Anyone else out there dealing with this challenge? How the heck can you get DDK code and .NET code to build in the same environment.

The next couple of days I think I might at the very least see if I can merge all the .NET stuff into a single Nant build script. I will need to figure some way of dropping DotNetfuscator and finding a cmdline obfuscator which doesn't require visual studio to be running. Will let you know how it goes.

MSDN Webcast Review: Top 10 Ways to Secure your Desktop App in .NET

Going into this webcast today I didn't know what to expect. It was rated as a technical presentation, and I was interested in seeing how much I could apply to my winform apps. I have found a lot of Microsoft's webcasts on .NET security focus so much on web services they completely forget some people actually are trying to replace MFC applications with .NET Winforms.

With very little expectations going into this thing, I couldn't really be disappointed. This presentation was pretty good, although I must admit my mind wandered off a few times. Don't know why. He wasn't boring. But he wasn't all that exciting either.

I did like the discussion on declarative security and showing how to use principle permissions within code. I do that now by using the WindowsPrinciple roles to determine access restrictions directly within the form, but it was neat to see how he applied it directly to functions with things like <PrinciplePermission(Security.Demand...>

In the next few days the presentation will be online on-demand here, which will let you check it out for yourself. In the meantime, I kept a copy of the power point slides of the presentation, which you can get here.

Hmmm, I am starting to amass a little library of MSDN security webcasts. If you want to get the sliddecks of some of the other presentations I attended, hit the search box on the bottom right and type in "MSDN Webcast Review".

Building Security In: Misuse and Abuse Cases

Gary gave a heads up on the SC-L that an advanced copy of his second installment about Building Security In is complete. The article, entitled "Abuse and Misuse: Getting Past the Positive" is copyright (c) by the IEEE and will be published in Volume 2, Number 3 (May/June) of the IEEE Security & Privacy magazine.

This series of articles is good to see in an IEEE publication. And from what I have seen from this advanced copy of the article, I can't wait for future installments. Oh yes I can... I am only halfway done Gary's other book.

Lies, Damn Lies, and Statistics

If you recall my posting last week, I talked about Bill Gates' email revisiting Microsoft's ongoing security initiatives. Near the end I pointed out some of the stats that Bill used to show the significant reduction in serious security related vulnerabilities of Windows Server 2003 in the first 320 days compared to the same time period for Windows 2000.

Well according to an article at vnunet.com Joe Wilcox, an analyst with Jupiter Research, commented that Gates "must have a different way of counting", and refutes Bill's stats. Suprise suprise.

Wilcox said he counted 15 security alerts for Windows Server 2003 since the product shipped in April 2003, which rose to more than 20 when products integrated into Windows, such as Internet Explorer Server 2003, were taken into consideration.

"I figure where there is one counting disagreement, there might be another. So I went back and counted up those Windows 2000 Server security alerts. I came up with 28 during the same span of time I got 15 for Windows Server 2003. Windows 2000 Server reached 15 alerts seven months after launch," he said.

Something else I found interesting was that he added that an upcoming Jupiter Research report on Microsoft security reveals that a mere 36 per cent of IT managers from businesses with revenue of $50m or more feel that Microsoft product security has improved.

So... what have we learned here? 82% of stats cannot be trusted. But don't quote me on that. I made it up. :)

FxCop 1.3 Is out.. and it rox!

OK. Kudos to the FxCop team.

First off, I need to thank them for sending me this kewl t-shirt. Nice little Microsoft logoware with an FxCops twist. I appreciate it. Thanks Mike!

Secondly... I installed the latest build(1.30) today and see that they fixed the biggest issue I had! It no longer locks my assemblies. So I now have FxCop running along side of Visual Studio! Next job is to figure some way to get it to execute on a post-build event so I can run it through FxCop after each major compile.

And who says Microsoft doesn't always listen?

Open Source Vulnerability Database Goes Live

Heard today that the Open Source Vulnerability Database (OSVDB) has gone live. Congratulations guys!

OSVDB is an independent and open source database created by and for the community. Their goal is to provide accurate, detailed, current, and unbiased technical information about vulnerabilities. Tools like snort and nessus are now incorporating the database directly into their products.

I really like the idea of OSVDB, but wish they could work more closely with CERT and the Common Vulnerabilites and Exposures (CVE) database. We don't need yet another database. We need a vendor neutral one that everyone is willing to follow and support.

They say the overall goals of the project are to promote greater, more open collaboration between companies and individuals, eliminate redundant works, and reduce expenses inherent with the development and maintenance of in-house vulnerability databases. I think time will tell if they are actually going to meet these goals in relation to the already available systems out there.

<RANT>
This is one of the things I sometime feel is a double edges sword for OSS. (Compounded in the last 5 years with the growth of Linux) If someone doesn't like the way its done, they can branch and go do it themselves. Yet rarely do these projects last very long. Unless the branch gets a good following, boredom, other priorities or life in general seems to kill off the project. Freshmeat and Sourceforge continue to show how this plagues the community, and I just don't get it.

A lot of people don't always agree with the way CVE runs, but it works. And has worked for some time. And it is already integrated into tools like nessus. Why do we need another one? Lets focus on making one GREAT.
</RANT>

Anyways, I mean no disrespect to the group over at OSVDB. As I said, I like the idea... just wish energies could be focused on one database we can all tap into. OSS or not.

Code Secure: Michael Howard talks about security changes in VS2005

MSDN recently published an article Michael wrote giving an overview of the security changes happening in the Visual Studio 2005 C runtime and C++ standard template libraries.

It is interesting to see some of the cleanup that is occuring in the libraries, especially CRT. Of course, this basically misses me. On one end I write in raw C inside the Windows kernel at ring0, and C# on the use mode ring 3 level. But alas, some really good insight to the moves Microsoft is making in the core C runtime library.

Enjoy.

Computer Forensics, Cybercrime and Steganography Resources

This morning I opened up my mailbox to find an email from Jacco Tunnissen over at honeypots.net letting me know that my Linux harddrive forensic analysis presentation (slide deck here) is now being linked on the Computer Forensics, Cybercrime and Steganography Resources page.

One of these days I will have to update that to include a bit more of the actual demo, since its the demo that actually shows how to do the analysis. Once you actually SEE a MAC timeline created live and then do a block my block analysis things start to make a bit more sense.

Anyways, I checked out the page and there are some really good links in there. If you are into computer forensics I highly recommend you check some of them out at www.forensics.nl.

MSDN Webcast: Dave's Top Ten Ways To Secure Your Desktop App

Next Monday from 9am to 10:30 (PST) there is going to be a security webcast on MSDN that relates to how you can secure a desktop application using the architecture in .NET. In this webcast, you will see some practical best practices for securing your .NET desktop application.

The following topics will be covered:

1. Store non-volatile user-specific data in isolated storage
   
2. Use Integrated Security and Role Based Authorization through Windows Groups
   
3. Use COM+ Role-based security as a middle-tier solution
   
4. Assign strong-names to your re-usable assemblies
   
5. Use Link Demands and strong names to secure what code calls your assembly
   
6. Use Remoting as your middle tier via HTTP Channel, IIS and SSL
   
7. Run your code from a restricted code group especially when using LoadFrom()
   
8. Create an AppDomain to achieve a security boundary within your application
   
9. Use Impersonation to allow code to run under an account that can access specified resources
   
10. Use the Framework - DON'T REINVENT THE WHEEL!
    

If you are interested in attending this FREE seminar, you can sign up here. Unlike some of the previous ones I have attended, this one promises to be a bit more technical, with a rating of 300.

If you can't make it don't fret! They will have it available later for download. Of course, I will summarize the experience when I am done if you just want the highlights!

Processes to Produce Secure Software

Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report that he co-authored with Mike and a few others on the process of producing secure software.

The principal recommendations in this report are in three categories:

1. Principal Short-term Recommendations
   • Adopt software development processes that can measurably reduce software specification, design, and implementation defects.
     
   • Producers should adopt practices for producing secure software
     
   • Determine the effectiveness of available practices in measurably reducing software security vulnerabilities, and adopt the ones that work.
     
   • The Department of Homeland Security should support USCERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities.
2. Principal Mid-term Recommendations
   • Establish a security verification and validation program to evaluate candidate software processes and practices for effectiveness in producing secure software.
     
   • Industry and the DHS establish measurable annual security goals for the principal components of the US cyber infrastructure and track progress.
     
3. Principal Long-Term Recommendations
   • Certify those processes demonstrated to be effective for producing secure software.
     
   • Broaden the research into and the teaching of secure software processes and practices.

I took a quick look at it just at the end of lunch, and it looks pretty good. I will take a more thorough read of it this afternoon after I finish up on some threat modeling I am currently doing.

Happy reading!