Five tools to help counter security threats:

  1. Threat Modelling Tool. This is a documentation tool to help explore threat models within a product. At present it is internal only - it was used for the SQL Server security push. It will be available for external use shortly, probably on GotDotNet.
  2. Code Access Security. The .NET security model lets code demand the permissions it needs and refuse the ones it doesn't, so that even if it is compromised an attacker can't use more of the system than the code itself was allowed. Security zones cut the default grant significantly, depending on the evidence an assembly presents (where it was loaded from, whether it is signed by a trusted publisher, and so on). ClickOnce deployment adds flexibility in granting permissions to sandboxed applications: the policy decision can be deferred to the user, who is prompted to grant the extra permissions the application asks for.
  3. F5 in a Sandbox. Debugging permission failures can be hard, particularly when all you get is an "Access Denied" message in a distributed environment. This new feature in Whidbey (the Visual Studio 2005 codename) helps you discover which permissions an application actually needs to run. That matters because a Whidbey ClickOnce application is deployed from a web server and therefore runs in a fairly restricted sandbox. Under Project / Properties / Security you can choose to debug the application inside that sandbox, and have it request a permission elevation from the user to widen the sandbox.
  4. FxCop. Available on GotDotNet, this tool analyses your compiled assemblies against a set of rules covering security mistakes and the logic errors that indirectly lead to them (amongst other things), and can be extended with custom rules you define.
  5. SafeApps. This is an application written by @Stake which performs vulnerability scanning against program binaries.
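As an added worked example (not code from the original post, nor from any of the tools listed above), the C# below shows items 2 and 3 in code against the .NET Framework 2.0-era Code Access Security API: a declarative Demand, a PermitOnly refusal, and a host that runs the same code in an AppDomain restricted to Internet-zone permissions and reads the failed demand off the SecurityException instead of guessing from "Access Denied". The Worker/Program class names, the C:\temp paths and the config file name are assumptions; CAS enforcement was removed from .NET Core and later, so this targets the .NET Framework only.

```csharp
// Added example, not from the original post. .NET Framework 2.0-era CAS;
// does not run on .NET Core / .NET 5+, where CAS enforcement was removed.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Lives inside the sandboxed AppDomain; MarshalByRefObject so the full-trust
// host can call it across the domain boundary.
public class Worker : MarshalByRefObject
{
    // Declarative demand: every caller on the stack must hold read access
    // to C:\temp (an assumed path), or a SecurityException is thrown before
    // the method body runs.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\temp")]
    public string ReadConfig()
    {
        return File.ReadAllText(@"C:\temp\app.config"); // assumed file name
    }

    // Declarative refusal: for the duration of this frame only read access
    // remains in effect, even if the assembly was granted full trust. A
    // compromised parser called from here cannot drop a file on disk.
    [FileIOPermission(SecurityAction.PermitOnly, Read = @"C:\temp")]
    public void ParseUntrustedInput(string input)
    {
        // File.WriteAllText demands Write on the path; the PermitOnly
        // above makes that demand fail with a SecurityException.
        File.WriteAllText(@"C:\temp\dropped.txt", input);
    }
}

static class Program
{
    // Build a sandbox with the grant set the security policy gives to
    // Internet-zone evidence: roughly what a ClickOnce application deployed
    // from a web server gets by default.
    static AppDomain CreateInternetSandbox()
    {
        Evidence internetEvidence = new Evidence(
            new object[] { new Zone(SecurityZone.Internet) }, null);
        PermissionSet grant = SecurityManager.ResolvePolicy(internetEvidence);

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        return AppDomain.CreateDomain("InternetSandbox", internetEvidence, setup, grant);
    }

    static void Main()
    {
        // 1. Same code, restricted grant: the Demand in ReadConfig fails.
        AppDomain sandbox = CreateInternetSandbox();
        Worker sandboxed = (Worker)sandbox.CreateInstanceAndUnwrap(
            typeof(Worker).Assembly.FullName, typeof(Worker).FullName);
        try
        {
            sandboxed.ReadConfig();
        }
        catch (SecurityException ex)
        {
            // The exception carries the permission that was demanded, which
            // is the information a bare "Access Denied" hides from you.
            Console.WriteLine("Demand failed in sandbox: " + ex.PermissionType);
            Console.WriteLine("Demanded: " + ex.Demanded);
        }
        AppDomain.Unload(sandbox);

        // 2. Full trust, but the method refuses write access to itself.
        try
        {
            new Worker().ParseUntrustedInput("payload");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Write refused by PermitOnly: " + ex.PermissionType);
        }
    }
}
```

The second case is the one worth internalising: the refusal does not depend on what the assembly was granted, so it still protects you when your own code is the thing that has been compromised.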

The security symposium was great - loads of useful information and interesting anecdotes; I came away far better informed about the most pressing issues, but equally alarmed by how easily you can unwittingly leave a huge hole in an application.

By the way, am I allowed a teensy-weensy little criticism of this session?
<rant>
FOR GOODNESS SAKE - WHAT ON EARTH WERE YOU THINKING IN RUNNING STRAIGHT THROUGH FROM 8:30am to 12:30pm WITHOUT A SINGLE BREAK? SOME OF US HAVE BLADDERS, YOU KNOW! :-)
</rant>