Security for Canadian Developers : Annoucements

Developer Windows Vista Security Webcast in May

jldavid — Mon, 16 Apr 2007 19:19:00 GMT

As you can tell, there is a lot of activity going on with regards to Windows Vista. On May 23rd, we will be running a webcast entitled "Writing Secure Applications for Windows Vista". Here is an abstract of the presentation:

Have you tested your application on Windows Vista? If not, it’s important that you do as it will impact the experience your users will have with the software you have developed. This is especially the case if your application writes to the registry or requires elevated privileges.

The primary objective of this session is to provide developers with the necessary knowledge to successfully write secure application on Windows Vista and get familiarized with Vista’s new security model and features such as Least-privileged User Accounts (LUA), virtualization, and the User Account Control (UAC). This session will be of interest to all
Windows developers.

Value proposition:
Windows Vista incorporates many new and innovative security features. This session will provide the attendees with the following information:

How Vista’s security enhancements may affect their application development environment
How to successfully write Windows Vista applications leveraging features such as UAC
The use of tools such as FxCop and PreFAST to identify compatible issues in existing applications or in the development process.

Call to Action:

Start developing secure applications on Windows Vista
Use tools like FxCop to find compatible issues with existing applications or new applications in development
Take advantage of the new security tidbits added to Windows Vista

To sign up for the event, click on this link: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032336165&EventCategory=4&culture=en-CA&CountryCode=CA

IT Professional Security Webcasts

jldavid — Mon, 16 Apr 2007 17:17:00 GMT

Rodney Buike, my counterpart on the IT Pro team has set up a security webcast series which may be interesting to you. Here is a description of the series and the events:

With every new OS release security is improved and refined and with Windows Vista this is still the case. There are a number of new and improved security tools and features built into Windows Vista, and a number of new tools and resources to integrate Vista into your existing environment. Learning what these features are, how to plan for them, deploy them and manage them along with what resources are available to help is crucial to a successful deployment.

What’s New in Vista Security - April 25th 2007
With all the new eye candy in Vista, the security features often get overlooked. The first session will look at the new features, what they are, where they would be used and most importantly why you should consider implementing them. At the end of this session you should have a good understanding of some kernel level changes and features such as User Access Control, upgrades to the Windows Vista Firewall and Security Center, BitLocker and IE7 and be ready to start implementing a secure Vista deployment.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032336945&Culture=en-CA

Manage Vista Security With Group Policy - May 9th 2007
Managing Vista via Group Policy has been improved. With over 2400 GPO settings you have more control than ever before and tools like the GPO Accelerator can help speed the implementation of GPOs over your Vista computers and ease management of BitLocker on mobile PCs. This session will start by giving you a refresh of GPO and OU structures and get you up to speed on the new GPO settings, the GPO Accelerator and other resources and how they can be used to lockdown and secure your environment.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032336947&Culture=en-CA

Manage Advanced Security Features - May 23rd 2007
On top of the new GPO settings there are some new, more advanced, security features in Vista. BitLocker is one of the popular features and we will take a deep dive into BitLocker covering TPM, key backup, management via group policy and configuration will be covered in this session. We will also take a look at improvements to the Encrypted File System (EFS) and Rights Management Services (RMS).
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032336949&Culture=en-CA

We hope you can attend...cheers!

MSDN Canada: Security Virtual Conference Recording

dansellers — Sat, 30 Sep 2006 08:12:00 GMT

As promised, here is the recording of MSDN Canada Writing Secure Code Fundamentals Virtual Conference.

Enjoy the recording and I hope to see you at our next online Security sessions on October 18th, 2006. This will be the first of eight, one hour monthly security sessions. I am excited about the next session as it will provide you the knowledge and a demonstration of various tools that one can use to do preliminary testing to verify if an application written by an outside firm is in fact secure.

When you ask someone if their application is secure, the answer is always yes. Seriously, do you really think any one will say no? Of course not as they just lost that sale and most likely future revenue. So what is the incentive to say either "no" or "I do not know"? Therefore, how do you really know if any application is secure if you are not going to do some preliminary security testing.

Don't get trapped into what you want to hear whether it is true or not. This just leads to a false sense of security and you might as well continue sticking your head in the sand.

Below is the thought process that occurs when you ask someone if their application is secure:

public static void main()

{

Console.WriteLine("Is App Secure: 1=Yes 2=No 3=Not Sure");
Console.Write("Please enter your selection: ");

string s = Console.ReadLine();
int n = int.Parse(s);
int revenue= 0;

switch(n)
{

case 1:
revenue+= 25,000;
break;

case 2:
revenue+= 0; //oh wait no revenue...just kidding...
goto case 1; //therefore say yes

case 3:
revenue+= 0; //oh wait no revenue...just kidding...
goto case 1; //therefore say yes

default:
revenue+=0; //go for the revenue
goto case 1; //this is the answer everyone wants to hear break;

}

if (revenue!= 0)
Console.WriteLine("Thank you for your business and of course the {0} dollars. Oh and you can Trust Me too!!",revenue);

}

}

You can register for the October 18th on-line event here.

Half Day Virtual Security Conference--September 27th, 2006

dansellers — Wed, 06 Sep 2006 00:31:58 GMT

To continue upon the success of last year MSDN Canada Security Webcasts we have raised the level up a notch or two this year. This year will consist of two Virtual Conferences and eight Security Webcasts titled "Security Chalk Talk" occurring monthly from October 2006 to June 2007. Furthermore, I will be producing six podcasts titled "Talkin' Security" in which we will be hearing from Security experts in Canada on a multitude of topics.

http://msdn.Microsoft.com/Canada/securitylockdown/ and for the French version: http://msdn.microsoft.com/canada/fr/securitylockdown/

The first half day Virtual Security Conference on "Writing Secure Code Fundamentals" is already upon us. The registration just went live today. For this Virtual conference I will be joined by two members of Microsoft ACE (Security) team from Redmond. Both the speakers bios and sessions can be viewed.

This half-day virtual conference will focus on the well-known Application hacking exploits and some of the newer ones with technologies such as AJAX becoming more popular. And of course a detailed look at the necessary countermeasures will be explored. Finally, we will wrap up the conference by talking about threat modeling and the new threat modeling tool Microsoft has released.

Hope to see you out at this first ever MSDN Canada Virtual Security Conference.

New Security Blog for Canadian Developers

dansellers — Thu, 24 Aug 2006 07:03:00 GMT

Welcome to this new blog dedicated 100% to Security for Canadian Developers. This blog will feature posts on a wide variety of helpful information that Developers should know to help make your applications more secure.

Helping me this year will be a team of Security Matter Experts consisting of Architects and Developers that work in Canadian software industry. Currently, I also have my original blog which contains a lot of helpful information on security as well as other topics. After listening to your feedback I felt it was necessary to create this new blog to make it easier to find security related information from myself and my team of Security experts.

In fact my next post will be on IIS 6.0 and ASP.Net 2.0. The reason I picked this for my first topic, is because I am surprised by the number of people that believe by running the IIS 6.0 in an application pool with a low privilege account will prevent hacks against Web Applications. I wish security was that easy and this was the silver bullet everyone is searching for to prevent Web attacks. Now obviously, you want to use a low privilege account, but we need to do a lot more in terms of how we do input validation and what credentials are being passed between IIS 6.0 and our ASP.Net 2.0 applications. Stay tune to my next blog on this topic in a lot more detail.