Secure Development Series: Peer Reviews

Stop and consider for a moment: what exactly is the best way to address web application security? If you place yourself in the mindset of a hacker, you may well find vulnerabilities you would otherwise have missed. In this article, a follow-up to Secure Development Series: Input Validation, I put forth the topic of peer reviews in the hope that you pause and consider what you can do to harden your applications. Just where do the largest number of vulnerabilities reside? You may think the network poses the greatest risk, and at first thought this may seem right, but it isn't. With the explosion of the web, more and more businesses turn to the Internet not only for consumer services but also for many business processes. If you stop and really think about it, it makes sense that applications are the single largest threat. This can be attributed to a number of reasons, but unlike networks, which are typically standardized in both hardware and configuration, applications for the most part have no comparable standards.

Source: National Institute of Standards and Technology

The cold harsh truth is that if you are to …

Homeland Security’s (DHS) Software Assurance Program

Continuing with the theme of Software Assurance, I previously shared the January 2012 BITS Software Assurance Framework, and now I have located some wonderful information sponsored by the Department of Homeland Security (DHS). Security is an area that is typically lacking, underfunded, and often ignored, especially in the area of web-based solutions. While many organizations do better than others, the reality is that new vulnerabilities surface every day, and it is not enough to take the mindset that your threat surface is minor in nature. To address security you must first understand the risks. The following PDF artifacts are called the pocket guide series, and they are loaded with great information:

- Software Assurance in Acquisition and Contract Language
- Software Supply Chain Risk Management and Due Diligence
- Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses
- Software Security Testing
- Requirements and Analysis for Secure Software
- Architecture and Design Considerations for Secure Software
- Secure Coding
- Software Assurance in Education, Training & Certification

Be sure to grab and read up on all the resources you can get your hands on in terms of Software Assurance.

January 2012 BITS Software Assurance Framework

If you have not yet heard of this framework, I urge you to take the time to give it a serious read. While the executive summary discusses how software is critical to the financial industry, the truth is that this holds for all aspects of business today. There are a number of interesting points made in this document, and for those of you in the software industry it should make you pause for a moment and reflect on your own process. The points are so fundamental that I am alarmed at just how many companies turn a blind eye to the obvious risk. At this point I hope that I have your attention; this paper is a mere fifty pages, and if you're anything like me, you will find that you cannot put it down. The Framework addresses the following key component areas:

- Education & Training
- Security Software Assurance Development Standard
- Threat Modeling
- Coding Practices
- Security Testing
- Pre-Implementation Practices
- Software Assurance Documentation Archive
- Best Practices Post-Implementation Phase Controls

Software Assurance Framework – BITS

Microsoft Enterprise Library: Caching Application Block

This is the second article on the topic of the Microsoft Enterprise Library. If you have not read the previous article, titled Microsoft Enterprise Library: Data Access Application Block, I recommend you do so.

Introduction to the Caching Application Block

The Enterprise Library Caching Application Block lets developers incorporate a local cache in their applications. It supports both an in-memory cache and, optionally, a backing store that can be either the database store or isolated storage. The Caching Application Block can be used without modification; it provides all the functionality needed to retrieve, add, and remove cached data. Configurable expiration and scavenging policies are also part of the block. If you have been working with caching outside the Enterprise Library, I believe you will find this application block extremely powerful and easy to use. If you have not taken on the subject of caching before, I believe you will also find it easy to pick up, and that it will ultimately boost the performance of your applications. The Enterprise Library Caching Application Block includes the following features:

- You can use the graphical Enterprise Library configuration tools to manage configuration settings.
- You can configure a persistent storage location, using either isolated storage or …