Clarity, Technology, and Solving Problems | PracticeThis.com
Lifecycle and prioritization seem to be the keys to a successful implementation of Security Engineering.
Why lifecycle?
Imagine an application written by a very seasoned developer: hypothetically, there is a good chance that no vulnerability was introduced in its code. Now imagine that the same app's architecture assumes that authentication is done on the client side and the server accepts messages blindly. This is a very common architectural security flaw (vulnerability).
Now imagine for a moment that everything is peachy (architecture, design, and the code are bulletproof) but the deployment is not that secure. For example, web.config includes sensitive information, the application runs under the System account, no URL authorization is defined, and validateRequest="false" is set. Although validateRequest is pretty easy to bypass, here is a better approach for input validation and another one, and some more:
That means each development cycle phase must pay attention to proper security activities.
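The deployment weaknesses listed above can be checked mechanically before release. The following is an added example, not code from the original post: it audits a web.config for plaintext secrets, disabled request validation, and missing URL authorization. Both sample configs, the finding codes, and the function name `audit_web_config` are constructed for illustration, and only root-level settings are inspected (not `<location>` overrides).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak deployment settings named in the post.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=app;Password=example-only" />
  </connectionStrings>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

# Constructed hardened counterpart: encrypted section, anonymous users denied,
# request validation left at its default (enabled).
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>placeholder</EncryptedData>
  </connectionStrings>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>"""

SECRET = re.compile(r"(password|pwd)\s*=", re.IGNORECASE)

def audit_web_config(xml_text):
    """Return a sorted list of finding codes for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = set()
    # Plaintext credentials in connection strings or appSettings values.
    adds = root.findall("./connectionStrings/add") + root.findall("./appSettings/add")
    for add in adds:
        value = add.get("connectionString") or add.get("value") or ""
        if SECRET.search(value):
            findings.add("plaintext-secret")
    # Request validation explicitly switched off for every page.
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("validateRequest", "true").lower() == "false":
        findings.add("validateRequest-disabled")
    # Coarse check: no deny rule at all means no URL authorization is defined.
    if not root.findall("./system.web/authorization/deny"):
        findings.add("no-url-authorization")
    # The process identity (e.g. System) is set outside web.config: not checked.
    return sorted(findings)

if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK_CONFIG))
    print("hardened:", audit_web_config(HARDENED_CONFIG))
```
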
Why prioritization?
What are you after? What are you short on? What are you optimizing? I presume each and every software shop has its own priorities: budget, features, time to market, skills, requirements, etc.
While one approach to security activities during the development cycle may differ from another, I found the following are essential:
JD talked about High ROI Security Activities some time ago – worth reading.
There is no need to jump on the Security Engineering wagon at once (here are some more Security Approaches That Don't Work). Start small according to your priorities, find what works best, and then add activities incrementally.
Need help? Try the Security Developer Center: Security Development Lifecycle for IT
Enjoy