patterns & practices Security Engineering Index

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan

Microsoft Corporation

August 2005

This page provides an index to available and emerging guidance for patterns & practices Security Engineering. To meet your security objectives, security engineering activities must be an integral part of your software development practices. patterns & practices Security Engineering builds on, refines, and extends core life cycle activities to create security-specific activities. You can adopt these activities incrementally as you see fit. These security activities are integrated in MSF Agile, available with Visual Studio Team System. This provides tools, guidance, and workflow to help make security a seamless part of your development experience.

Security Engineering Approach
Security Engineering Overviews
Security Objectives
Security Design Guidelines
Threat Modeling
Security Architecture and Design Reviews
Security Code Reviews
Security Deployment Reviews
Security Guidelines
Security Practices

patterns & practices Security Engineering includes specific security-related activities that help you meet your application security objectives as shown in Figure 1.

Figure 1. Security activities in the application development life cycle

There is a core set of activities common to application development approaches, such as architecture and design reviews, code reviews and deployment reviews. patterns & practices Security Engineering extends these proven core activities to create security specific activities. These activities include:

• Security objectives.
• Threat modeling.
• Security design guidelines.
• Security architecture and design reviews.
• Security code reviews.
• Security testing.
• Security deployment reviews.

To design, build, and deploy secure applications, you must integrate security into your application development life cycle and adapt your current software engineering practices and methodologies to include specific security-related activities. The following overview shows you how to integrate security into your application development:

• Security Engineering Explained

The following index provides an entry point for security engineering guidance focused on Web applications:

• patterns & practices Web Application Security Engineering Index

Setting objectives helps you scope and prioritize your work by setting boundaries and constraints. Setting security objectives helps you identify where to start, how to proceed, and when you are done.

Creating design guidelines is a common practice at the start of an application project to guide development and share knowledge across the team. Effective design guidelines for security organize security principles, practices, and patterns by actionable categories. See the following security design guidelines resource:

• Security Design Guidelines for Web Applications

Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following Threat Modeling resource:

• Threat Modeling Web Applications

Security architecture and design reviews are an effective way to identify problems in your application design. By using pattern-based categories and a question-driven approach, you simplify evaluating your design against root cause security issues. See the following security architecture and design review resources:

Index

• Security Architecture and Design Review Index

How To

• Security Architecture and Design Review for Web Applications

Checklists

• Security Checklist: Web Application Security Architecture and Design Review

Many security defects are found during code reviews. Analyzing code for security defects includes knowing what to look for and how to look for it. Security code reviews optimize reviewing code for common security issues. See the following security code review resources:

Index:

• Security Code Review Index

Baseline Code Review Activity:

• How To: Perform a Security Code Review for Managed Code (Baseline Activity)
• At a Glance: Security Code Review

Question Lists:

• Security Question List: ASP.NET 2.0
• Security Question List: Managed Code (.NET Framework 2.0)

Specific Issues:

• Security Code Review for Cross-Site Scripting
• Security Code Review for SQL Injection

Checklists:

• Security Checklist: .NET Framework 1.1
• Security Checklist: .NET Framework 2.0
• Security Checklist: ADO.NET 1.1
• Security Checklist: ADO.NET 2.0
• Security Checklist: ASP.NET 1.1
• Security Checklist: ASP.NET 2.0
• Security Checklist: Enterprise Services (.NET Framework 1.1)
• Security Checklist: Remoting (.NET Framework 1.1)
• Security Checklist: Web Services (.NET Framework 1.1)

.NET Framework Version 1.1 Code Review Guidance:

• Security Code Review for .NET Framework 1.1
• Security Code Review for ADO.NET 1.1
• Security Code Review for ASP.NET 1.1
• Security Code Review for Code Access Security (.NET Framework 1.1)
• Security Code Review for Enterprise Services (.NET Framework 1.1)
• Security Code Review for Remoting 1.1
• Security Code Review for Web Services (ASMX 1.1)

When you deploy your application during your build process or staging process, you have an opportunity to evaluate runtime characteristics of your application in the context of your infrastructure. Deployment reviews for security focus on evaluating your security design and configuration of your application, host, and network. See the following deployment review resources:

Index

• Security Deployment Review Index

How To

• How To: Perform a Security Deployment Review for ASP.NET 2.0
• Security Deployment Review for ASP.NET 1.1
• Security Deployment Review for IIS 5.0
• Security Deployment Review for Web Services (.NET Framework 1.1)
• Security Deployment Review for the Network
• Security Deployment Review for SQL Server 2000

Checklists

• Security Checklist: Network Security
• Security Checklist: IIS 5.1
• Security Checklist: SQL Server 2000

You can use Security Guidelines guidance modules to support the activities above. Security Guidelines are specific, actionable recommendations at the implementation level. Each recommendation is presented to address "what to do", "why", and "how." The recommendations are principle-based and they are organized using pattern-based categories for easy consumption.

• patterns & practices Guidelines Index

You can use Security Practices guidance modules to support the activities above. Security Practices are proven and emerging practices expressed as precisely as possible. Each practice is presented using a problem and solution format and the set of practices are organized using pattern-based categories.

.NET Framework 1.1:

• Security Practices: .NET Framework 1.1 Security Practices at a Glance [Content link no longer available, original URL:https://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp]

.NET Framework 2.0

• Security Practices: .NET Framework 2.0 Security Practices at a Glance
• Security Practices: ASP.NET 2.0 Security Practices at a Glance

Provide feedback by using either a Wiki or e-mail:

• Wiki. Security guidance feedback page at
  https://channel9.msdn.com/wiki/securityguidancefeedback/
• E-mail. Send e-mail to secguide@microsoft.com.

We are particularly interested in feedback regarding the following:

• Technical issues specific to recommendations
• Usefulness and usability issues

• External Contributors and Reviewers: Jason Taylor, Security Innovation
• Microsoft IT Contributors and Reviewers: Shawn Veney
• Microsoft Product Group Contributors and Reviewers: Don Willits
• Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
• Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
• Release Management: Sanjeev Garg, Microsoft Corporation