I've been working hard to get more security related work back into my schedule.

And so..... I'm starting a new "season" of the Digital Blackbelt webcast series.

If we get enough interest I'll do some give-a-ways and such !

SIGN UP NOW !!!! Here are the first 3 dates !

11/3/2008; 11:00 AM (PST)
Convincing Management: The Business Case for Adding Security to the Development Life Cycle
[ Click HERE to Register ]

11/10/2008; 11:00 AM (PST)
Security Development Lifecycle: Building an Intentionally Secure Development Process
[ Click HERE to Register ]

11/24/2008; 11:00 AM (PST)
Threat Modeling for Software Developers
[ Click HERE to Register ]

This book is OFF THE HOOK !

Wanna REALLY dissect a running application ?

IDA Pro is THE tool of choice for disassembly and the crackers choice because of it's raw power.

Whether you need to solve a tough runtime defect or examine your application security from teh inside out IDA Pro is a great tool and this book is THE guide for coming up to speed.

From the book description ....

I haven't tried it yet, but what a great idea !!

http://pcdecrapifier.com/

Application Development Trends reports on Google Chrome Security Issues

Read the complete story here - http://adtmag.com/article.aspx?id=23205

The Deep Fried Bytes guys caught  up with me at DevLink and we had a talk about developer security needs, mistakes, activities, etc !

Listen Here http://deepfriedbytes.com/

ZDNEt Reports .....

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed, US-CERT said in a note on its current activity site.

From the advisory:

• Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

[ Read the article on ZDNet ]

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

[ Read the full article HERE at ZDNet ]

Data Structures and Algorithms: Annotated Reference with Examples

This book written by Granville Barnett and Luca Del Tongo is part of an effort to provide all developers with a core understanding of algorithms that operate on various common, and uncommon data structures.

Data Structures and Algorithms: Annotated Reference with Examples is completely free!

[ CILICK HERE ]

#8 | Changing Membership Settings in the Default Membership Schema

#9 | Configuring SQL To Work with Membership Schemas

#10 | Understanding ASP.NET Memberships

[ Get them here ]

Lots, even MOST PHP applications are Open Souce but what if you want to distribute your application but don't want to distribute your PHP Source Code ?

Check out Nu-Coder from NuSphere.

Nu-Coder converts the source code of PHP Script into compiled PHP bytecodes for both accelerated runtime performance and maximum security.

http://www.nusphere.com/products/nucoder.htm

Dolores Labs posted recently "Amazon’s S3 Web Service, our #1 cause of failure" [ Click HERE to READ ]

Amazon.com is a great company and a early innovator in the Web Services Community. (God knows I send them ALOT of money.)

So this is not an indictment of Amazon as a technology provider. In fact, it is because a Amazon is a great company with a solid infrastructure that this is significant.

As Geeks, we tend to get all jazzed about the latest buzz - and cloud computing is certainly one of them. But, I think it's important to remember, while services in the cloud can be very cost effective. You can't control the cloud.

When you build it and own it you always have options when you're not getting the service level you need. In the cloud, you're held hostage by 3rd party service levels.... ad as we all know, stuff happens.

When you're using a cloud hosted service, remember to build support for graceful degradation your application. You application need not fail completely because you can't fetch images, ads, etc.

Not only is this good design practice, but it mitigates a DOS security threat. If I wanna bring your web application down and you haven't built resilience into your site, all I need to to is successfully attack any one service your application depends on and your application is down !!

Dies UAC give you a rash ?

It does me !!!

It's not that it isn't a good idea - it is. But I really wish I could train it or over ride it.

Maybe in a future Windows version - in the mean time, I'm trying Tweak UAC which provides a "Quiet Mode" for UAC.

[ Click HERE to get Tweak UAC ]

Note: UAC is a Security feature. Strictly speaking "Quiet Mode"  reduces your system's security.

Please checkout the first videos in my new Web Developer's Security Video Series.

http://www.asp.net/learn/security-videos/

I'm hoping to do 100 Videos this year !

PLEASE SEND YOUR REQUESTS !!!

T

Check out this 2 day security brain fest. It happens to be right after Black Hat in Vegas. See you there ?

The LifeCycleSecurity conference was started to provide a venue where professionals in the Application Security industry can learn from each other's experiences.  We will be addressing security from the server to the browser. 

Application Security : We will have topics that address how professionals are creating systems that are resistant to attacks against the web application layer and the systems that support these web applications.

Browser security: With the increase in attacks against browsers such as malware and other attack vectors, protecting your users is more important than ever.  This is increasingly being done with content filtering devices.  The Lifecyclesecurity conference will include several tracks that address techniques that are being used to protect against these browser / content based attacks.

http://www.lifecyclesecurity.com/

While at TechEd 2008 I got to spend some time in the "Fish Bowl" with Georgeo Pulikkathara.

Georgeo interviewed me on Microsoft's Secure Development Lifecycle (SDL) and my upcoming Developer Security Activities.

Please [ click HERE ] to check out Georgeo's blog post and [ Click HERE ] to have a listen to the show.

June 20, 2008 (IDG News Service) Microsoft's June security updates were bad news for online criminals who make their living stealing password information from online gamers.

The company's Malicious Software Removal Tool -- a program that detects and removes viruses and other undesirable programs from Windows machines -- zapped game password-stealing software from more than 2 million PCs in the first week after it was updated to detect these programs on June 10.

One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

[ Read he entire article here at Computer World ]

Baseline Magazine [ Click HERE ] has outlined the 5 Big Security Threats that Anti-virus software and firewalls MISS.

1 Trusted Users and Partners

2 Web Application Vulnerabilities

Gartner estimates that 75 percent of today’s attacks are carried out through the application layer.

Many of these application attacks are conducted through quickly coded Web applications, with little or no security baked in.

Yet these Web apps are often connected to some of the most sensitive databases businesses own.

3 Missing Devices

4 Custom Malware

5 Social Engineering

[ CLICK HERE to read the whole article. ]

Those smart guys in Microsoft Patterns and Practices have released the BETA version of their WCF Security guide.  The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF /"Indigo".)  It shows you how to build secure services using WCF.  It's a compendium of proven practices, product team recommendations, and insights from the field.  It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos.  Most importantly it frames out the Web services security space and shows you how to be effective with WCF.

patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF

(Forewords by Nicholas Allen and Rockford Lhotka.)

Download the Guide

· Guide Download: http://www.codeplex.com/WCFSecurityGuide

Contents at a Glance

· Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)

· Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.

· Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.

· Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

Chapters

· Ch 01 - Security Fundamentals for Web Services

· Ch 02 - Threats and Countermeasures for Web Services

· Ch 03 - Security Design Guidelines for Web Services

· Ch 04 - WCF Security Fundamentals

· Ch 05 - Authentication, Authorization and Identities in WCF

· Ch 06 - Impersonation and Delegation in WCF

· Ch 07 - Message and Transport Security in WCF

· Ch 08 - WCF Bindings Fundamentals

· Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)

· Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)

· Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)

· Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)

· Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

· WCF Security Checklist

· WCF Security Guidelines

· WCF Security Practices at a Glance

· WCF Questions and Answers (Q&A)

· How Tos

· WCF Security Resources

External Contributors/Reviewers

· Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam

Microsoft Contributors / Reviewers

· Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

More Information

· Guide site: http://www.codeplex.com/WCFSecurityGuide

· Project Site (Online KB): http://www.codeplex.com/WCFSecurity

· Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier

With more than 100 million Web applications deployed in the world, perhaps fewer than 5 percent of are being tested for security vulnerabilities. We offer three simple steps to help you secure your Web applications

Read Here - Enterprise Systems | Three Steps to Web Application Safety

The PHP 5.2.6 release (download here) corrects at least four documented security flaws of varying severity

In a June 2007 report, the U.S Government Accountability Office (GAO) described cybercrime as “having significant economic impacts and a threat to U.S. national security interests”:

· A 2005 FBI survey estimated that U.S. businesses lost $67.2 billion because of cyber crime.

· The estimated losses associated with identity theft in 2006 are $49.3 billion.

As software becomes the target for criminals, it is more critical than ever to make security an integral part of the software development process. Ever since Bill Gates’ 2002 Trustworthy Computing memo Microsoft has been infusing security into its software development lifecycle with the goal of protecting customers by reducing the number and severity of vulnerabilities in code.

Introducing: The Microsoft Security Development Lifecycle (SDL)

The Microsoft SDL is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. . It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server.

Go to www.microsoft.com/sdl to learn more about the Microsoft SDL and how you can leverage SDL resources and best practices to “bake security in” to your software applications.