Alik Levin's

Clarity, Technology, and Solving Problems | 

April, 2007

  • Alik Levin's

    .Net Security How To's


    patterns & practices Security How To's Index

    ASP.NET 2.0 Security Questions and Answers

    Tamper detection

    Authentication Hub



  • Alik Levin's

    My Favorite Shortcuts


    Using mouse is inefficient and slow - for detailed explanation go here

    These are my favorite (those I actually use) shortcuts.

    [Ed. - I am updating it constantly as I find more useful shortcuts I actually use] 

    • Visual Studio
      • Ctrl + Shift + B - build
      • Ctrl + Tab - switching between open files
      • Ctrl + Shift + F - find in files (actually FindStr inside Visual Studio)
      • Ctrl + KK - bookmarking
      • Ctrl + KW - show bookmarks windows
      • Ctrl + Pg UP/Pg Dn - switch between ASPX markup and design view
      • Ctrl + i - incremental search, try it - very cool. Thanks, Memi, for sharing
    • Outlook
      • Ctrl + Shift + M - new email
      • Ctrl + Shift + S - new post to folder (posts are my tool of trade to manage my pipeline - My Pipeline Is My Inbox)
      • Ctrl + 1 - emails
      • Ctrl + 2 - calendar
      • Ctrl + try other numbers...
      • Ctrl + R - reply
      • Ctrl + Shift + R - reply all
      • Ctrl + F - forward mail item
      • Ctrl + Enter - send email
    • Word
      • Ctrl + Shift + C - copy style
      • Ctrl + Shift + V - paste style
      • Ctrl + ] - enlarge font size
      • Ctrl + [ - decrease font size
      • Shift + F5 - go to last edited location
      • F4 - repeat last action, very handy when refactoring
    • Windows
      • Windows + R - bring up "Run" dialog.
      • Ctrl + Shift + Esc - bring up task manager
      • Windows + E - run explorer
    • Notepad
      • Ctrl + G - got to line number, avail also in other products
      • Ctrl + H - Find/Replace
    • Windows Explorer
      • F2 - rename file/folder
      • Shift + Delete - unrecoverable delete of item (actually this one does unrecoverable delete - SDelete)
    • Internet Explorer
      • Type domain name and then Ctrl + Enter - wraps domain with "http://www." ... ".com"
    • The all time winner
      • Ctrl + C, Ctrl + V

    [Ed. - the following added from Chris online]

    Visual Basic Shortcuts poster

    Visual C# Shortcuts poster

    Visual C++ Shortcuts poster

    What are yours?

    Share please

  • Alik Levin's

    Threat Modeling Big Chunks


    When three years ago I started to practice Threat Modeling I thought it is most boring part of security (which itself is not the most fascinating thing to most of people). I hated it since it seemed too boring - interview folks, read tones of specs, and write documents. Come on! I am .Net code guy! But fortunately to me I was motivated by good reasons to keep doing it - one cannot build good design from security perspective unless security is considered through out the design process itself. That is essentially the one and single reason to do Threat Modeling.

    Now what approach to take? How actually to conduct Threat Modeling? Here came the confusion...

    These are some really good sources of knowledge I tried to adopt:

    Seems like we are really crazy about the topic, lets do some search, hmm indeed we really like it:

    So which one is the best?

    Depends on who you are. Are you developer, architect, IT guy, security auditor, security consultant, doing line of business app, ISV guy, what is your budget, what is your dev culture? There are lot more attributes.

    So while I cannot map each each and every attribute to the above Threat Modeling techniques (which have a lots in common anyway), I found the big chunks of the process while conducting Threat Modeling that work for me and my customers. It is also very aligned to Security Language That Every One Understands

    Here are my big chunks:

    • Understand the business. Find some role that understands the business and can explain the biz processes and the valuable stuff from biz perspective. Usually it is mid range managers with the customer. This big chunk helps generating Threats and Objectives (which I use in the last big chunk).
    • Understand application architecture and design. It is totally technical information. Find app architect and dev lead to understand how the dev solution supports/implements the biz processes explained in first big chunk. The outcome of this big chunk is static view of the solution, data flows, and major usage scenarios (not use cases!).
    • Go home and analyze. Try to find gaps between the two big chunks above, i.e. how biz valuable stuff gets unwanted impact by technical implementation of the solution. This big chunk generates Vulnerabilities that the solution must [based on severity] fix.
    • Go back to customer and show the analysis. This step must get senior management involved. I usually do not talk security stuff during this big chunk rather present to senior management threats [generated during first big chunk] that are not countered or poorly countered by the solution [vulnerabilities identified during second big chunk]. If I succeed to present it right then senior management directs development team to fix most severe threats. How? According to the fix I provide along with the vulnerability found.

    It is not my invention rather what I absorbed from the resources above and adjusted to my needs.

    Today I just love Threat Modeling and the above approach works for me - I am still got paid for this :)



Page 1 of 9 (25 items) 12345»