How Do I Videos - Security

banned.h Header File Overview

Fri, 4 Mar 2011 15:25:18 +0530

The banned.h header file is a sanitizing resource, which helps deprecate unsafe functions, a security practice during the Implementation phase of the Security Development Lifecycle (SDL). banned.h lists all banned APIs and allows any developer to locate them in code.

Related resources:

Code Analysis Tool .NET (CAT.NET) Overview

Fri, 4 Mar 2011 01:59:40 +0530

Code Analysis Tool .NET is a command line tool that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. CAT.NET also helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. It is used during the Implementation phase of the Microsoft Security Development Lifecycle (SDL). It is available in both 32-bit and 64-bit versions.
Related resources:

MiniFuzz File Fuzzer Overview

Fri, 4 Mar 2011 00:30:25 +0530

MiniFuzz File Fuzzer is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.
Related Resource:

SDL Process Template for Visual Studio Team System Overview

Fri, 4 Mar 2011 00:19:23 +0530

The SDL Process Template for VSTS is a downloadable template that leverages the technology of Visual Studio Team System (VSTS) and Team Foundation Server (TFS) to automatically integrate the policy, process and tools associated with the Security Development Lifecycle (SDL) into your software development environment.
Related Resources:

Code Analysis for C/C++ Overview

Tue, 1 Mar 2011 07:34:31 +0530

Code Analysis for C/C++ is a static analyzer that is provided with the installation of Visual Studio Team System or Visual Studio Team Suite, that provides information to developers about possible vulnerabilities in their C/C++ source code. Common coding errors reported by the tool include buffer overruns, un-initialized memory, null pointer dereferences, and memory and resource leaks.

Related resources:

SiteLock ATL Template Overview

Tue, 1 Mar 2011 07:26:04 +0530

SiteLock ATL (Active Library Template) enables an ActiveX developer to restrict access so that a control is only deemed safe when used in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes. This tool is to be used during the Implementation phase of the Microsoft Security Development Lifecycle (SDL).

Related resources:

SDL Threat Modeling Tool Overview

Tue, 1 Mar 2011 07:03:24 +0530

The SDL Threat Modeling Tool helps automate threat modeling, a security practice in the design phase of the Microsoft Security Development Lifecycle (SDL). The SDL Threat Modeling Tool is the first threat modeling tool which isn't designed for security experts. It makes threat modeling easier for all developers by providing guidance on creating and analyzing threat models.

Related resources:

BinScope Binary Analyzer Overview

Tue, 1 Mar 2011 02:56:46 +0530

BinScope Binary Analyzer is a verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the Microsoft Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used. BinScope also reports on dangerous constructs that are prohibited by SDL. Related resources: Microsoft Security Development Lifecycle Tools The Verification Phase of the Microsoft SDL

Related resources:

FxCop Overview

Tue, 1 Mar 2011 00:33:28 +0530

FxCop is a tool that performs static code analysis of .NET code. It provides hundreds of rules that perform various types of analysis, to include Design, Globalization, Interoperability, Maintainability, Mobility, Naming, Performance, Portability, Reliability, Security, and Usage. The FxCop functionality is fully integrated into Visual Studio 2010 Premium and Ultimate editions. For more detailed information please consult the Visual Studio 2010 MSDN documentation.
Related resources:

SDL Regex Fuzzer Overview

Tue, 1 Mar 2011 00:28:55 +0530

SDL Regex Fuzzer is a tool to be used during the Verification phase of Microsoft Security Development Lifecycle (SDL). It can help test regular expressions for these potential vulnerabilities. Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition.
Related resources:

Anti-Cross Site Scripting (Anti-XSS) Library Overview

Tue, 1 Mar 2011 00:21:17 +0530

Anti-XSS Library is specifically designed to help mitigate the potential of Cross-Site Scripting (XSS) attacks in web-based applications. This version also includes the Security Runtime Engine (SRE) that runs as an HTTP module to provide a level of protection against XSS without the need to recompile the application.
Related resources:

How Do I: Apply SDL Verification practices within Windows Azure?

Sat, 26 Feb 2011 01:23:16 +0530

In this video, Aviram Jenik, CEO, Beyond Security, talks about applying Microsoft Security Development Lifecycle Verification practices to applications built on top of Windows Azure applications. Aviram explains how “black box” testing concept is increasingly relevant in the world of cloud-based applications, mentions classic user input attacks such as SQL injection and Cross Site Scripting (XSS), and enumerates different inputs that should be focused on with Windows Azure-based applications. Related resources:

How Do I: Perform the verification phase of the Microsoft SDL?

Sat, 26 Feb 2011 01:20:07 +0530

In this video, Aviram Jenik, CEO, Beyond Security, talks about security practices of the Verification phase of the Microsoft Security Development Lifecycle. Aviram discusses more specifically the concept of “black box” testing, explains the importance of testing data entry endpoints with good, bad and fuzzed input, and points to the tools that can assist with these tasks. On a practical side, Aviram shows a detailed demo of “JPG fuzzing”, generating malformed images, and identifying vulnerabilities in image processing application. Related resources:

MSF-Agile+SDL Process Template for Visual Studio Team System Overview

Sat, 26 Feb 2011 01:03:22 +0530

The MSF-Agile+SDL Process Template for Visual Studio Team System 2008 and 2010 is a Team Foundation Server downloadable template that automatically incorporates the policy, process and tools associated with the SDL for Agile development guidance into the familiar Microsoft Solutions Framework (MSF) for Agile software development (MSF-Agile) process template that ships with Visual Studio Team System.

Related resources:

How Do I: Perform the release phase of the Microsoft SDL?

Fri, 25 Feb 2011 03:42:04 +0530

In this video, Jason Glassberg, Co-Founder, Casaba, discusses the security practices of the Release phase of the Microsoft Security Development Lifecycle (SDL): Incident response plan, Final Security Review, Release Archive.

Related resources:

How Do I: Apply SDL Release practices within Windows Azure?

Fri, 25 Feb 2011 01:12:00 +0530

In this video, Jason Glassberg, Co-Founder, Casaba, speaks about how to apply the Microsoft SDL release phase practices to applications built on top of Windows Azure: File an Incident Response Plan, Perform a Final Security Review and Release Archive. Jason explains that the Microsoft Security Development Lifecycle (SDL) can apply to any cloud-based deployment, but focuses on Windows Azure, explaining that the steps are very similar to a typical on-premises application. In Azure, the importance of understanding the platform is doubly-important in preparing an Incident Response Plan because rollback and stopping of deployment is vastly simpler than in on-premises or full-platform hosted deployment. Because Azure makes it so simple to deploy applications, Jason emphasizes the importance of reviewing the deployment and securing deployment-related artifacts such as management accounts, access to Service Management API and SSL certificates used by applications.

Related resources:

How Do I: Perform the design phase of the Microsoft SDL?

Thu, 24 Feb 2011 23:54:23 +0530

In this video, Joe Basirico, Director of Security Services, Security Innovation, speaks about the security practices of the Design phase of the Microsoft Security Development Lifecycle (SDL). Joe explains how designing secure systems sometimes requires thinking “backwards” - instead of focusing on features of what the system should do, one should think of what the system should NOT do. Taking this as a departing point, Joe dives into a discussion of foundational design principles of building secure software, including least privilege, compartmentalization, input validation, auditing and logging, cryptography and avoiding the “Not Invented Here” trap.

Related resources:

How Do I: Apply SDL Implementation practices within Windows Azure?

Thu, 24 Feb 2011 18:01:54 +0530

In this video, Peter Oehlert, Senior Security Consultant, iSEC Partners, explains how to apply the Implementation practices of the Microsoft SDL to building Windows Azure application. He starts first by defining both the similarities and key differences between implementation of on-premises solutions and Windows Azure-based applications. Peter dives into specific tools that can be of use to secure implementation of applications on Windows Azure, including Checkmarx, Coverity and Veracode. The conversation then moves to properly implementing defenses against usual web threats (SQL injection, XSS, authentication, etc.) in the Windows Azure web applications.

Related resources:

How Do I: Apply SDL Design practices within Windows Azure?

Wed, 23 Feb 2011 15:09:18 +0530

In this video, Joe Basirico, Director of Security Services, Security Innovation, speaks about mapping security practices from the Design phase of the Microsoft SDL to software targeting Windows Azure platform. Joe highlights what changes and what does not change for the application design when application is moving to the cloud, and then digs deeper into those areas, including impact the Azure VM model brings to the application trust, designing for secure storage, and claims-based authorization. Joe then focuses on discussion of the cryptography, explaining the pitfalls of rolling your own and suggest designs for securing key infrastructure.

Related resources:

How Do I: Apply SDL Requirements practices within Windows Azure?

Mon, 21 Feb 2011 13:56:50 +0530

In this video, Chris Weber, Managing Partner and Robert Mooney, Senior Software Development, Casaba, speak about applying Microsoft SDL Requirements security practices to applications built on top of Windows Azure. The presenters explain the similarities and differences in planning for security and privacy when deploying to Windows Azure, and explain how to map the existing and new risks to the cloud-based environment.

Related resources:

How Do I: Perform the requirements phase of the Microsoft SDL?

Mon, 21 Feb 2011 13:55:38 +0530

Related resources:

Reducing your Application's Attack Surface

Tue, 1 Feb 2011 01:34:10 +0530

The attack surface of an application is the set of ways in which an adversary can enter your software and potentially cause damage. The larger the attack surface, the more insecure the software. This webcast will present best practices for minimizing code exposed to untrusted users and protect against vulnerabilities and threats that you don’t know about.

Security Innovation video: A Proactive Approach to Building a Successful Security Development Lifecycle

Mon, 31 Jan 2011 16:05:47 +0530

A good offense starts with security as part of the whole development lifecycle and requires specialized security knowledge and tools that organizations can adopt quickly and with minimal disruption to their development process. Three industry leaders discuss why and how you can get your organization on the right path

The Art of Identifying, Assessing and Mitigating Software Risk

Mon, 31 Jan 2011 11:41:46 +0530

Threat modeling is a key and powerful component of software risk management that organizations can use to identify risks and make better security decisions throughout design, coding, testing, and deployment. This Webcast will demonstrate how to characterize your business and technology from an attacker's viewpoint and determine the myriad of threats to your enterprise or application.

Writing Secure Code in ASP.NET

Mon, 31 Jan 2011 11:20:31 +0530

This webcast, delivered by a seasoned developer and software security expert, addresses common coding pitfalls and design errors and offers practical techniques developers can employ to minimize the likelihood of introducing vulnerabilities into their ASP.NET code.

Six Key Security Activities for Software Engineering and Development

Mon, 31 Jan 2011 10:59:07 +0530

Adopting a security engineering mindset to application development means that security is considered from project inception through deployment. This webcast will present six security engineering activities that can be leveraged to refine and extend their existing life cycle activities.

Hunting Down Vulnerabilities in your Code: Effective Review Techniques

Sat, 29 Jan 2011 03:22:44 +0530

A security-focused code review is one of the most important activities that you and your team can do in order to improve the security of your software. You can use a security code review to find vulnerabilities in code that is not yet ready to test or to find problems that would be very hard to find with testing techniques. This webcast describes the activities, process and tools that you need to find security problems in your code quickly and effectively.

How Do I: Use the Web Protection Library a.k.a Anti-XSS Library?

Thu, 17 Dec 2009 01:07:25 +0530

MSDN – Security
This video shows the additions to the Anti-XSS Library, as the new Web Protection Library (WPL) tool provides protection beyond just XSS vulnerabilities. It describes the Security Runtime Engine (SRE) and the Encoding Library. The latter contains HTML, LDAP and CSS encoding methods.
A CSS encoding sample is shown as well as a SRE demo on an e-commerce site showing how you can detect a real-time SQL Injection attack.
Download CTP: Microsoft Connect - Information Security Tools
Blogs on WPL: Security Tools
WPL Videos: Channel9
More: www.msinfosec.com

How Do I: Identify and Fix Configuration Issues with WACA?

Thu, 17 Dec 2009 00:58:48 +0530

MSDN – Security
This video shows how WACA (Web Application Configuration Analyzer) helps developers and testers try their applications in a secure environment. It also helps guarantee they will work in production with production configurations while unit testing.
This shows a quick demo of the application scanning a machine and it explains the scan results and shows how you can map it to TFS (Team Foundation Server).
Download CTP: Microsoft Connect - Information Security Tools
Blogs on WACA: Security Tools
WACA Videos: Channel9
More: www.msinfosec.com

How-Do-I: Sanitize HTML Using Anti-XSS Library 3.1?

Thu, 8 Oct 2009 01:36:58 +0530

The Microsoft Anti-Cross Site Scripting Library V3.1 (Anti-XSS V3.1) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. The library helps you protect your current applications from cross-site scripting attacks; at the same time it helps you to protect your legacy application with its Security Runtime Engine (SRE).

This new version of the Anti-XSS Library provides new features like HTML Sanitization which provides two new methods (AntiXss.GetSafeHtml and AntiXss.GetSafeHtmlFragments) to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog
Download Anti-XSS Library

How Do I: Defend Against Truncation-Based SQL Injection Attacks?

Sat, 11 Jul 2009 04:16:07 +0530

Escaping single quote characters is sometimes used as mitigation for SQL injection vulnerabilities. On the other hand, when data assigned to a SQL Server character variable exceeds the defined length for that variable, the extra characters get truncated. This video demonstrates how this property of truncation may be used by an attacker to circumvent the above mentioned mitigation, resulting in a SQL injection attack. Various options of fixing SQL injection issues are also discussed.

How Do I: Secure SQL Server using SQL Server 2008 Policy Based Management?

Sat, 11 Jul 2009 01:53:28 +0530

SQL Server 2008 introduced a new feature known as Policy Based Management (PBM). This feature allows us to create policies for our SQL server instance. Few important features of Policy Based Management are:
- It is similar to group policy feature provided by Windows
- We can create SQL Server Policies and deploy these policies across multiple servers
- Policies can be scheduled or we can run them on demand
- Policy can also rollback the transaction (policy violating transactions) with raising an error
In this video I’ll showcase how we can leverage Policy Based Management to secure our SQL server environment. I’ll introduce you with these basics of PBM and we will see how we can build policies related to SQL server security and assess those policies on our SQL Server instance.

How Do I: Change Default Work Items in the SDL Process Template?

Tue, 19 May 2009 15:20:45 -0700

This video will show you how to modify the default work items that are included in the SDL Process Template. We will cover how to modify the default work items that are created in your new SDL Process Template team project. We will also review how to modify the default work item types - such as Task or Bug. The Microsoft SDL Process Template for Visual Studio Team System was created to ease adoption of the SDL by automatically integrating the policy, process and tools of the Security Development Lifecycle v4.1 into Visual Studio Team System 2008.

How Do I: Use the SDL Process Template Documentation and Reporting?

Tue, 19 May 2009 15:20:45 -0700

This video will show you how to use the SDL Process Template document templates and security metrics reporting. The built in SDL document templates will help you jump start your use of the Microsoft SDL. The reporting will allow you to improve your visibility into the key security risks for your application and the progress your team is making toward their security goals. The Microsoft SDL Process Template for Visual Studio Team System was created to ease adoption of the SDL by automatically integrating the policy, process and tools of the Security Development Lifecycle v4.1 into Visual Studio Team System 2008.

How Do I: Set Up the SDL Process Template?

Tue, 19 May 2009 15:20:45 -0700

In this video we will first show you how to install the SDL Process Template. Then we will walk you through how to begin using it in your new project. The Microsoft SDL Process Template for Visual Studio Team System was created to ease adoption of the SDL by automatically integrating the policy, process and tools of the Security Development Lifecycle v4.1 into Visual Studio Team System 2008.

How Do I: Improve My Check-In Process?

Tue, 19 May 2009 15:20:45 -0700

In this video we will introduce you to the SDL Process Template check-in policies and then show you how to enable the check-in policies for yourself and your team. Finally, we will demonstrate the check-in policies in action as well as how you can be alerted when someone overrides a check-in policy.

How Do I: Evaluate my site’s performance with neXpert?

Sun, 22 Feb 2009 15:20:45 -0700

This How-Do-I video shows you how to use neXpert, an add-on to Fiddler, which automates the classic performance best practice checks and produces a HTML report on the issues found in a Fiddler capture. neXpert adds the ability to insert step markers in Fiddler sessions to associate network objects together (create transactions). Using these steps, neXpert looks for performance issues and generates a HTML report based on the findings.

How Do I: Use .NET Framework’s Code Access Security?

Thu, 5 Feb 2009 15:20:45 -0700

As you know, if you use .NET Framework, you can already develop in Azure. That's great news as you can apply these techniques to your cloud app. Join Katheryn Baker as she explains the basics of the integrated security model, Code Access Security, in the .Net Framework. Learn more about how Code Access Security works conceptually, and how to implement it with a simple application.

How Do I: Use Smart Encryption Techniques for Cloud Apps?

Thu, 5 Feb 2009 15:20:45 -0700

As you know, if you use Visual Studio, you can already develop in Azure. That’s great news as you can apply encryption to your cloud app. Join Katheryn Baker as she explains the basics behind encryption algorithms and practices used to create cryptographic schemes. Learn more about symmetric and asymmetric encryption algorithms, the SHA256 hash encryption algorithms, and how to implement in a simple application.

How Do I: Use .NET Framework’s Code Access Security?

Thu, 5 Feb 2009 15:20:45 -0700

How Do I: Export and Import Certificates?

Tue, 25 Mar 2008 15:21:34 -0700

In this How-Do-I video, Lamees Ayman will show us how to export and import certificates.

How Do I: Attach Client Credentials to a Web Service Call For Security?

Tue, 25 Mar 2008 22:54:31 -0800

Create an ASP.NET 2.0 Web reference and a Windows Communication Foundation service reference to an ASMX Web service using Visual Studio 2008. Join Rob Windsor as he demonstrates this and how to attach client credentials to calls made to the service using both kinds of client-side proxy.

How Do I: Secure Data Using Asymmetric Key Encryption?

Tue, 4 Mar 2008 22:54:01 -0800

In this how-to video, Remon Zakaria will demonstrate how to secure your data by encrypting it using Asymmetric encryption algorithms.

How Do I: Secure Passwords Using Hashing Algorithms?

Tue, 4 Mar 2008 22:54:31 -0800

In this how-to video, Remon Zakaria will remind us with the symmetric key encryption techniques in .Net framework 2.0.

How Do I: Secure Data Using Symmetric Key Encryption?

Tue, 4 Mar 2008 22:53:22 -0800

In this how-to video, Remon Zakaria will remind us with the symmetric key encryption techniques in .Net framework 2.0.

How Do I: Add Security to Applications Built with Visual Basic.Net and C#?

Tue, 12 Feb 2008 17:33:44 -0800

In this video Will DePalo demonstrates how to add security to the applications that you build with Visual Basic.Net and C# by having multiple parties digitally sign documents to insure message integrity and authenticity.

How Do I: Create a Generic Principal for Role Based Security?

Tue, 12 Feb 2008 17:32:59 -0800

Using the GenericPrincipal class, you can create an authorization scheme that exists independent of a Windows NT or Windows 2000 domain or simply use your own custom role scheme. In this video, Todd Miranda demonstrates how to create and use a Generic Principal.

How Do I: Create a Windows Principal for Role Based Security?

Tue, 12 Feb 2008 17:32:21 -0800

Using the WindowsPrincipal class, you can create an authorization scheme that ties into a Windows NT or Windows 2000 domain. In this video, Todd Miranda demonstrates how to create and use a Windows Principal.

How Do I: Perform Imperative Security Checks?

Tue, 12 Feb 2008 17:31:44 -0800

Restricting access to code that could potentially be used to perform malicious actions is often overlooked but very important. Imperative security checks allow you to protect your application code by requiring appropriate permissions prior to execution. In this video, Todd Miranda demonstrates how to perform imperative

How Do I: Add Hashing to Existing Application?

Tue, 12 Feb 2008 17:30:50 -0800

In this video, Eric Marvets shows us how to add a hashing routine to an existing application.

How Do I: Improve Cryptographic Security by Storing Keys in Containers?

Tue, 12 Feb 2008 17:29:40 -0800

One of the challenges of encrypting data with keys is determining where to store the keys securely. You can store keys in named containers. These named containers utilize Windows security to securely store cryptographic keys. In this video, Todd Miranda demonstrates how to store asymmetric keys in a key container.

How Do I: Create a Secure Custom Membership Provider?

Tue, 5 Feb 2008 18:37:49 -0800

In this how-to video, Remon Zakaria will remind us with the SQL Membership provider and show us how to create a custom Membership provider that does the same job as the SQL Membership Provider.

How Do I: Improve Data Security by Encrypting and Decrypting XML Data Using Asymmetric Keys?

Tue, 5 Feb 2008 18:37:19 -0800

Transmitting and saving XML data is very popular but the plain text nature of XML makes using it for sensitive data difficult. Encrypting XML data is not difficult with the objects available in .NET. In this video Todd Miranda demonstrates how to encrypt and decrypt XML data using Asymmetric Keys.

How Do I: Improve Data Security by Encrypting and Decrypting XML Data Using Symmetric Keys?

Tue, 5 Feb 2008 18:36:43 -0800

How Do I: Integrate SqlMembership Provider into My Existing Database?