Secure Coding mailing list archives

RE: Grass roots secure coding efforts


From: "Hans Westphal" <hansw () microsoft com>
Date: Mon, 23 Aug 2004 18:24:15 +0100

Other suggestions:
Subscribe to Security lists:
[EMAIL PROTECTED], [EMAIL PROTECTED]

Self Education through books 

Secure Coding: Principles and Practices
http://www.amazon.com/exec/obidos/tg/detail/-/0596002424/103-7129116-7330242?v=glance


Writing Secure Code 2nd edition 
http://www.amazon.com/exec/obidos/tg/detail/-/0735617228/103-7129116-7330242?v=glance

and Webcasts

MSDN Webcast: Secure Mobile Data Using the Microsoft .NET Compact
Framework and SQL CE 2.0 - Level 300
Wednesday, September 01, 2004 - 11:00 AM-12:30 PM Pacific Time
Rob Tiffany, President, Hood Canal Mobility
Would you like to be certain that data on a mobile device is secure?
Without needing any knowledge of cryptography, you can build an
application that lets users check-in and check-out their sensitive
files.  This webcast focuses on building an encrypted,
password-protected storage vault for files residing on Pocket PCs.
http://www.placeware.com/cc/mseventsbmo/join?id=1032257382&role=attend&pw=webcast

MSDN Webcast: Essentials of Application Security (Part 1) - Secure
Communications - Level: 200
Friday, September 3, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the first of a 3-part series about the importance of
Application Security and its best practices and guidelines. This part
specifically addresses Secure Communications in the context of secure
application development. After an overview of the costs of inadequate
security and the benefits of developing secure applications, this
presentation concentrates on secure communications as part of a larger
security solution, examining specific techniques such as using
certificates in the Secure Sockets Layer (SSL). The webcast includes two
demonstrations: Buffer Overruns and SSL Server Certificates.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257602&Culture=en-US


MSDN Webcast: Essentials of Application Security (Part 2) -
Authentication - Level: 300
Tuesday, September 7, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the second of a 3-part series about the importance of
Application Security and its best practices and guidelines. This part
specifically addresses Authentication in the context of secure
application development. After an overview of the costs of inadequate
security and the benefits of developing secure applications, we
concentrate on Authentication as part of a larger security solution,
examining specific Authentication techniques and best practices in IIS.
The webcast includes two demonstrations: Buffer Overruns and IIS
Authentication Techniques.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257885&Culture=en-US


MSDN Webcast: "Ask The Developer Security Experts" Series: Windows XP
Service Pack 2: A Developer Overview - Level: 200
Tuesday, September 7, 2004 - 11:00 AM-12:00 PM Pacific Time
Tony Goodhew, Product Manager, Microsoft
This webcast series brings together some of the sharpest
security-focused Microsoft developers to provide expert answers to your
security questions. Beginning with a brief overview of Windows® XP
Service Pack 2 (SP2), we will focus the discussion on what these changes
mean for you as a developer and how these changes will affect your
various development tools. This presentation will be followed by an
extensive Q&A period where you can "Ask the Experts" your in-depth
questions about Windows XP SP2.  Do you have a question you want to
submit to the experts before the webcast? Send your security questions
about Windows XP SP2 to our panel of experts ahead of time at
[EMAIL PROTECTED]
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257887&Culture=en-US


MSDN Webcast: A Hackers View of Your Web Applications Part 1: Procedures
for Code Security - Level: 300
Tuesday, September 7, 2004 - 1:00 PM-2:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
With the threat of cyber attacks, today's Web environment has made
application security an essential element in the application development
lifecycle. The first part of this two part series will define what Web
application security is, why it is needed, and how it differs from other
categories of Internet security. Additionally, we will examine
appropriate procedures and technologies essential to the security of Web
application code. Through a review of recent Web application breaches,
we will expose the prolific methods hackers use to execute break-ins via
the Web. By taking an in-depth look at how Web-based applications work
and the techniques hackers use to exploit them, you will be better
equipped to protect your confidential information.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257889&Culture=en-US


MSDN Webcast: Essentials of Application Security (Part 3) -
Authorization - Level: 300
Friday, September 10, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the third of a 3-part series about the importance of
Application Security and its best practices and guidelines. This part
specifically addresses Authorization in the context of secure
application development. After an overview of the costs of inadequate
security and the benefits of developing secure applications, we
concentrate on Authorization as part of a larger security solution,
examining Trusted Subsystem Model Authorization techniques and best
practices. The webcast includes two demonstrations: Buffer Overruns and
Trusted Subsystem Model Authorization Techniques.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257892&Culture=en-US


MSDN Webcast: A Hackers View of Your Web Applications Part 2: Web
Hacking - Attack Scenarios and Examples - Level: 300
Monday, September 13, 2004 - 1:00 PM-2:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
By taking advantage of the public access to a company and using it to
subvert your applications, hackers can gain easy access into your
company's sensitive backend data. Firewalls and IDS will not stop such
attacks because hackers using the Web application layer are not seen as
intruders. In the 2nd part of this two-part series, learn how to defend
against attacks at the Web application layer with examples covering
recent hacking methods such as: SQL Injection, Cross Site Scripting,
Parameter Manipulation, Session Hijacking, and LDAP Injection.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257907&Culture=en-US


MSDN Webcast: Overview of XP SP2 for Developers - Level: 200
Tuesday, September 14, 2004 - 9:00 AM-10:30 AM Pacific Time
Tony Goodhew, Product Manager, Microsoft
Review the changes that Windows XP Service Pack 2 delivers and what they
mean for you. Windows XP SP2 is designed to deliver a number of safety
technologies in the Internet Connection Firewall, Web Browsing
experience, Email /IM and Application Memory Protection. Each of these
areas has direct impact on developers and this session covers the major
items and what you need to know. Learn how these changes will affect
your various development tools.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257920&Culture=en-US


MSDN Webcast: Implementing Application Security Using the .NET Framework
Part 1 - Level: 300
Wednesday, September 14, 2004 - 9:00 AM-10:00 AM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft Corporation
This is part 1 of a 3-part series for experienced developers.  In this
series, you will learn how to implement additional security features to
secure applications that are built on the .NET Framework. You will learn
how security features are integrated into the .NET Framework. You will
learn how to use both code access security and role-based security to
limit vulnerabilities. You will also learn how to use the cryptographic
provider support in the .NET Framework to encrypt and sign data.
Additionally, you will learn how to secure Web applications and Web
services that are built by using ASP.NET. Finally, you will learn a few
tips for writing secure code with the .NET Framework.  Parts 2 and 3 of
the series will be presented on 9/21 and 9/28, respectively.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257965&Culture=en-US


MSDN Webcast: Writing Secure Code - Threat Defense Part 1 - Level: 200
Friday, September 17, 2004 - 9:00 AM-10:00 AM Pacific Time
David Deatherage
This is part 1 of a 3-part series for experienced developers.  In this
series, you will learn established best practices for applying security
principles throughout the development process. You will learn effective
strategies for defending common security threats such as buffer
overruns, cross-site scripting, SQL injection, and denial of service
attacks.  Parts 2 and 3 of the series will be presented on 9/24 and
10/1, respectively.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258007&Culture=en-US


MSDN Webcast: Implementing Application Security Using the .NET Framework
Part 2 - Level: 300
Tuesday, September 21, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This is part 2 of a 3-part series for experienced developers.  In this
series, you will learn how to implement additional security features to
secure applications that are built on the .NET Framework. You will learn
how security features are integrated into the .NET Framework. You will
learn how to use both code access security and role-based security to
limit vulnerabilities. You will also learn how to use the cryptographic
provider support in the .NET Framework to encrypt and sign data.
Additionally, you will learn how to secure Web applications and Web
services that are built by using ASP.NET. Finally, you will learn a few
tips for writing secure code with the .NET Framework.  Part 3 of the
series will be presented on 9/28.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258017&Culture=en-US


MSDN Webcast: "Ask The Developer Security Experts" Series: Using WSE to
Secure your Web Services with WS-Security - Level: 200
Thursday, September 23, 2004 - 11:00 AM-12:00 PM Pacific Time
Maarten Van De Bospoort, Consultant, Microsoft Corporation
This webcast series brings together some of the sharpest
security-focused Microsoft developers to provide expert answers to your
questions about securing your Web services. We will begin this webcast
with a brief discussion of the advantages of using WS-Security over
traditional wire level security on the protocol level, including an
explanation of how WS-Security is built upon XML security and how the
new Web Services Enhancements (WSE) make this easy to implement. After
this overview, this session will continue with an extensive Q&A period
where you can "Ask the Experts" your in-depth questions about securing
your web services with WS-Security and WSE.  Do you have a question you
want to submit to the experts before the webcast? Send your questions
about securing Web services to our panel of experts ahead of time to
[EMAIL PROTECTED]
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258027&Culture=en-US


MSDN Webcast: Writing Secure Code - Threat Defense Part 2 - Level: 200
Friday, September 24, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This is part 2 of a 3-part series for experienced developers.  In this
series, you will learn established best practices for applying security
principles throughout the development process. You will learn effective
strategies for defending common security threats such as buffer
overruns, cross-site scripting, SQL injection, and denial of service
attacks.  Part 3 of the series will be presented on 10/1.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258029&Culture=en-US


MSDN Webcast: Implementing Application Security Using the .NET Framework
Part 3 - Level: 300
Tuesday, September 28, 2004 - 9:00 AM-10:00 AM Pacific Time
Rob Jackson, Microsoft Corporation
This is part 3 of a 3-part series for experienced developers.  In this
series, you will learn how to implement additional security features to
secure applications that are built on the .NET Framework. You will learn
how security features are integrated into the .NET Framework. You will
learn how to use both code access security and role-based security to
limit vulnerabilities. You will also learn how to use the cryptographic
provider support in the .NET Framework to encrypt and sign data.
Additionally, you will learn how to secure Web applications and Web
services that are built by using ASP.NET. Finally, you will learn a few
tips for writing secure code with the .NET Framework.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258031&Culture=en-US

MSDN Webcast: Windows XP Service Pack 2 Change Walkthrough - Level: 300
Tuesday, September 28, 2004 - 11:00 AM-12:30 PM Pacific Time
Tony Goodhew, Product Manager, Microsoft
This session is a detailed walkthrough of the changes to Windows XP with
Service Pack 2. It will cover the 4 major areas of change - Networking,
Web Browsing, Email/IM and Hardware. In each of these sections the
change and its implication will be discussed.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258033&Culture=en-US

HTH,
Hans



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Kenneth R. van Wyk
Sent: Monday, August 23, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] Grass roots secure coding efforts

Greetings all,

One of the things that I hear most from software developers when I
deliver secure coding tutorials and such is that they're likely to be
unable to do things like detailed threat modeling, risk analyses, etc.
The reason most often cited is that they're under tight deadlines and
there's not enough time in the schedule for such activities.

Of course, to really expect any sort of culture shift, there would need
to be top-level support for adopting secure coding practices.  That
said, I often spend some time brainstorming lists of things that the
students can consider trying by themselves as soon as they are back in
their offices.  I'm talking about "grass roots" sorts of activities that
won't break the bank (or schedule) here.

Some of the things that the students have suggested include the following:

- Informal peer review of code modules
- Incorporation of (usually free) static code review tools in the code
  reviews
- Setting up an information sharing site/portal/drive internally for
  developers to load useful links, tools, experiences, etc.
- and so on

Most often, the students agree that these sorts of things are the types
of simple first steps that they could reasonably expect to take.  Anyone
here have other suggestions on other first steps that developers might
consider, even in the absence of top-level embracing of a more secure
development methodology?

(No, I'm not suggesting that a simple list like this be any sort of
substitute for a more in-depth program, but it's a starting point for
developers to experiment with in trying to improve the security of their
software dev practices.)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com