Browse by Tags

Consulting And Security Reviews - How To Get Everyone Onboard
Security reviews are a respected methodology. People know about them, and probably use them semi-regularly. Ask anyone if security reviews are important, and they would all say yes. Ask them if they do it regularly, Read More...
patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF - BETA Is Out
The patterns & practices team has just released a beta version of the WCF Security Guide on CodePlex. Download the guide at http://www.codeplex.com/WCFSecurityGuide. The original announcement by J.D. Meier, the man behind the effort, is here - New Release: patterns Read More...
Posted 05 June 08 04:57 by alikl | 1 Comment
patterns & practices WCF Security Guidance Project - live on Codeplex
patterns & practices has recently released the WCF Security Guidance Project. JD, the program manager behind the effort, has been blogging about it too. It is an evolving project, but the initial content is fantastic already. It has Application Scenarios Read More...
Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings
How to streamline the process of capturing security flaws during a security code review? How to save time and avoid switching between tools? How to stay focused? In this post I will show my simple technique for capturing security flaws using Bookmarks Read More...
ASP.NET 2.0 Internet Security Reference Implementation - Have It Handy
JD Meier writes in his blog: The ASP.NET 2.0 Internet Security Reference Implementation is a sample application complete with code and guidance. Our purpose was to show patterns & practices security guidance in the context of an application scenario. Read More...
T-Shooting Kerberos
I was delivering the "Authentication Explained" session for the Security User Group. First off - thanks for attending the session! The session was based on the "Authentication Explained" workshop. During the session I was demoing the following topics: Identity Flow Read More...
Security Educational Workshop - Authentication Explained
I just finished building another security workshop that covers authentication and identity technologies implemented by MS products. The workshop is targeted at developers, not IT folks. It is common practice (or should I call it anti-practice) that Read More...
ARCast With Ron Jacobs - Defending the Application
Eliaz Tobias from our DPE (Developer and Platform Evangelism) group was hosting Ron Jacobs lately here in Israel. I was lucky to get a chance to talk to Ron about my favorite topic - Security Engineering. Ron published the interview lately on Channel Read More...
Posted 12 May 07 06:11 by alikl | 3 Comments
Recurring Security Engineering Anti-Patterns I Witness
I pretty often witness the following anti-patterns in security engineering: an initial architecture document is created and seems to have everything needed to address application security, but in the end none of it is implemented. Security engineering is abused and Read More...
Posted 10 May 07 08:39 by alikl | 1 Comment
Late Threat Modeling
I always suggest conducting Threat Modeling even in advanced dev cycle stages, although it might seem absurd – why would one model threats for something that has already been completed? I often start working with projects that have advanced into their Read More...
Security Engineering Big Rocks
Lifecycle and prioritization seem like the key to successful implementation of Security Engineering. Why lifecycle? Imagine that some application is written by a very seasoned developer – there is a good chance that no vulnerability was introduced in it – hypothetically. Read More...
Posted 07 May 07 08:12 by alikl | 7 Comments
Security Workshops
This post is inspired by Dave Ladd's Security Education v. Security Training. My favorite quote is "We require our SDL training to emphasize the basics of secure design, development and test – then allow employees and their management to select the training Read More...
Posted 06 May 07 06:22 by alikl | 2 Comments
Threat Modeling Big Chunks
When I started to practice Threat Modeling three years ago, I thought it was the most boring part of security (which itself is not the most fascinating thing to most people). I hated it since it seemed too boring - interview folks, read tons of specs, and Read More...
Security Language That Every One Understands
Although Michael Howard has some arguments against comparing software with the physical world, I will take a chance on that one. As for me, language is designed to serve as a communication channel between the parties: English for two English speakers, C# Read More...
Posted 22 March 07 06:20 by alikl | 3 Comments