Alik Levin's : Inception Phase

ASP.NET 2.0 Internet Security Reference Implementation - Have It Handy

alikl — Wed, 21 Nov 2007 13:04:58 GMT

The ASP.NET 2.0 Internet Security Reference Implementation is a sample application complete with code and guidance. Our purpose was to show patterns & practices security guidance in the context of an application scenario. We used Pet Shop 4 as the baseline application and tailored it for an internet facing scenario. The application uses forms authentication with users and roles stored in SQL.

It is master piece, nothing less. Simple to get a grip, practical, and focused.

Now that GotDotNet is down I thought it would be useful to have it handy somewhere else that is on.

Download ASP.NET 2.0 Internet Security Reference Implementation Document here

Download ASP.NET 2.0 Internet Security Reference Implementation Code here

Enjoy

Security Educational Workshop - Authentication Explained

alikl — Thu, 31 May 2007 22:08:17 GMT

I just finished building another security workshop that covers authentication and identity technologies implemented by MS products. The workshop is targeted to developers and not IT folks. It is common practice (or should I call it anti-practice) that development projects re-invent the wheel and build again and again custom authentication or identity flow mechanisms which are surest recipe for disaster from security perspective. There is plenty of reasons why and one of them is that development teams do not have solid understanding of what MS technologies offer out-of-the-box with regards to authentication.

I have divided the workshop into four major parts:

Authentication premier. It covers general concepts of network authentication. It covers common threats (the only reason of security existence, no threat – drop security) and countermeasures (best practices). I call it authentication dissected. Here are some of help materials I used:

How To: Create a Threat Model for a Web Application at Design Time

Implementations. This part goes over different types of authentication from NTML, Kerb, Certs, Protocol transition to CardSpace and even assemblies Evidence which is the special sort of authentication between components. It discusses the implementation for each mechanism, cons and pros. Here are some materials I used:

Scenarios. This part talks about how to use the implementation for common scenarios like ASP.NET to SQL Server in intranet or ASP.NET to Web Services in Internet scenario. Here are some materials I used:

Whiteboard Solutions

Anti-Patterns (Hacking Exposed). This part tries to draw the punch line for the three above and demonstrates how authentication anti-patterns can be subverted by an attacker and what impact it can cause.

There is enough of such stuff on the net - just submit some search criteria and you got plenty :)

I call it educational workshop influenced by what I was discussing in Security Workshops. This workshop explains what MS offers and when to use. It does not train the participants how to use it in depth assuming after completing the workshop participants will be able to deepen their knowledge after picking proper technology.

Calculate Security Breach Cost Yourself

alikl — Fri, 20 Apr 2007 00:35:00 GMT

That is both amazing and amusing (I will leave "why" to myself....) but now CxO does not have to think twice whether security services are too expensive. Check out this Security Breach Cost Calculator.

via http://news.com.com/2061-10789_3-6176074.html?part=rss&tag=2063-10789_3-0&subj=news

For example, if MS corp network gets penetrated, having at hand it has 71,172 employees the resulting cost would be about $10M. And that is just in short run, the losses caused by damaged reputation would be much higher. Fortunately, leading analysts and professionals think we are doing good in that space (touch wood and hooray to SDL!!):

"...we actually consider Microsoft to be leading the software [industry] now in improvements in their security development life cycle and in how they handle vulnerabilities and release patches..
John Pescatore, vice president at Gartner", read full story here

"What the smart banks are doing about this is they’re building security into their development lifecycles, and that’s exactly what Microsoft has done," he [Mark Curphey] said.

Mark Curphey, vice president of professional services at McAfee’s Foundstone division, read full story here. Mark is founder of OWASP.org

Or graphically:

Direct link is here http://www.tech-404.com/calculator.html

Have fun calculating your losses. Or just start proactively implementing Security Engineering.

Need help? - try this Security Developer Center: Security Development Lifecycle for IT

Enjoy

Security Development Session In The UK

alikl — Wed, 18 Apr 2007 20:47:00 GMT

Imagine if security was cool like Silverlight....

But security is not that cool, so the biggest challenge I faced was presenting security topics in a way that people enjoy it. Here are some techniques I used while I was delivering number of security sessions in MS Services UK.

I talked about security coding practices. The audience was few technical guys, consultants. So they know pretty much about security - I hardly could tell them something new. So my technique was presenting some effectiveness and efficiency tricks to find flaws and also (most important) give best practices to counter those flaws - either anticipating it through better design or by effective assessments of code. Here are some of techniques:

I also used some hacking exposed to add some salt and pepper - it usually entertain people, these can be good examples:

I talked to very broad audience during general session about what Security Engineering is al about and "what-is-in-it-for-me" for MS as a whole and for Services organization specifically. Here I showed commonly broad non-security tools to do security stuff. For example, I showed Security .Net Code Inspection Using Outlook 2007. It surprised people that their day-to-day tool of trade actually can do security stuff. I used a lot's of quotes from third parties like I Thought Security And ROI Are Nonsense When Used Together - it sounds more authentic.
Then I talked about lifecycle integration for security engineering. There is a lots of confusion mostly because of information avalanche and multiple interpretations, so I walked the audience phase by phase explaining proper technique to each phase, possible outcomes, lessons learned from actual engagements and some funny stories from trenches - it is important to have fun, since security is most boring thing in the world.

That was fun, for me at least. I got some nice feedback like "You presented dry topic [security] in very funny way - I enjoyed it very much and it was very informative", "I always thought security is a boring thing - your presentation was very entertaining and with clear messages".

It was actually my first time in the UK and I learned a lot about famous English sense of humor - it was everywhere. I learned that UK is very expensive.

Thank you Graham and James for the opportunity! Looking forward to work with you soon.