patterns & practices Security Engineering Index

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center


J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index to available and emerging guidance for patterns & practices Security Engineering. To meet your security objectives, security engineering activities must be an integral part of your software development practices. patterns & practices Security Engineering builds on, refines, and extends core life cycle activities to create security-specific activities. You can adopt these activities incrementally as you see fit. These security activities are integrated in MSF Agile, available with Visual Studio Team System. This provides tools, guidance, and workflow to help make security a seamless part of your development experience.

Contents

Security Engineering Approach
Security Engineering Overviews
Security Objectives
Security Design Guidelines
Threat Modeling
Security Architecture and Design Reviews
Security Code Reviews
Security Deployment Reviews
Security Guidelines
Security Practices

Security Engineering Approach

patterns & practices Security Engineering includes specific security-related activities that help you meet your application security objectives as shown in Figure 1.

Security Overlay


Figure 1. Security activities in the application development life cycle

There is a core set of activities common to application development approaches, such as architecture and design reviews, code reviews, and deployment reviews. patterns & practices Security Engineering extends these proven core activities to create security-specific activities. These activities include:

  • Security objectives.
  • Threat modeling.
  • Security design guidelines.
  • Security architecture and design reviews.
  • Security code reviews.
  • Security testing.
  • Security deployment reviews.

Security Engineering Overviews

To design, build, and deploy secure applications, you must integrate security into your application development life cycle and adapt your current software engineering practices and methodologies to include specific security-related activities. The following overview shows you how to integrate security into your application development:

The following index provides an entry point for security engineering guidance focused on Web applications:

Security Objectives

Setting objectives helps you scope and prioritize your work by setting boundaries and constraints. Setting security objectives helps you identify where to start, how to proceed, and when you are done.

Security Design Guidelines

Creating design guidelines is a common practice at the start of an application project to guide development and share knowledge across the team. Effective design guidelines for security organize security principles, practices, and patterns by actionable categories. See the following security design guidelines resource:

Threat Modeling

Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following Threat Modeling resource:

Security Architecture and Design Reviews

Security architecture and design reviews are an effective way to identify problems in your application design. By using pattern-based categories and a question-driven approach, you simplify evaluating your design against root cause security issues. See the following security architecture and design review resources:

Index

How To

Checklists

Security Code Reviews

Many security defects are found during code reviews. Analyzing code for security defects includes knowing what to look for and how to look for it. Security code reviews optimize reviewing code for common security issues. See the following security code review resources:

Index:

Baseline Code Review Activity:

Question Lists:

Specific Issues:

Checklists:

.NET Framework Version 1.1 Code Review Guidance:

Security Deployment Reviews

When you deploy your application during your build process or staging process, you have an opportunity to evaluate runtime characteristics of your application in the context of your infrastructure. Deployment reviews for security focus on evaluating your security design and configuration of your application, host, and network. See the following deployment review resources:

Index

How To

Checklists

Security Guidelines

You can use Security Guidelines guidance modules to support the activities above. Security Guidelines are specific, actionable recommendations at the implementation level. Each recommendation is presented to address "what to do", "why", and "how." The recommendations are principle-based and they are organized using pattern-based categories for easy consumption.

Security Practices

You can use Security Practices guidance modules to support the activities above. Security Practices are proven and emerging practices expressed as precisely as possible. Each practice is presented using a problem and solution format, and the set of practices is organized using pattern-based categories.

.NET Framework 1.1:

  • Security Practices: .NET Framework 1.1 Security Practices at a Glance [Content link no longer available, original URL: https://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp]

.NET Framework 2.0

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Contributors and Reviewers

  • External Contributors and Reviewers: Jason Taylor, Security Innovation
  • Microsoft IT Contributors and Reviewers: Shawn Veney
  • Microsoft Product Group Contributors and Reviewers: Don Willits
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation
