Other suggestions:

Subscribe to security lists: [EMAIL PROTECTED], [EMAIL PROTECTED]

Self-education through books:

- Secure Coding: Principles and Practices
  http://www.amazon.com/exec/obidos/tg/detail/-/0596002424/103-7129116-7330242?v=glance
- Writing Secure Code, 2nd edition
  http://www.amazon.com/exec/obidos/tg/detail/-/0735617228/103-7129116-7330242?v=glance

and webcasts:

MSDN Webcast: Secure Mobile Data Using the Microsoft .NET Compact Framework and SQL CE 2.0 - Level: 300
Wednesday, September 01, 2004 - 11:00 AM-12:30 PM Pacific Time
Rob Tiffany, President, Hood Canal Mobility
Would you like to be certain that data on a mobile device is secure? Without needing any knowledge of cryptography, you can build an application that lets users check in and check out their sensitive files. This webcast focuses on building an encrypted, password-protected storage vault for files residing on Pocket PCs.
http://www.placeware.com/cc/mseventsbmo/join?id=1032257382&role=attend&pw=webcast

MSDN Webcast: Essentials of Application Security (Part 1) - Secure Communications - Level: 200
Friday, September 3, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the first of a 3-part series about the importance of application security and its best practices and guidelines. This part specifically addresses secure communications in the context of secure application development. After an overview of the costs of inadequate security and the benefits of developing secure applications, this presentation concentrates on secure communications as part of a larger security solution, examining specific techniques such as using certificates in the Secure Sockets Layer (SSL). The webcast includes two demonstrations: Buffer Overruns and SSL Server Certificates.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257602&Culture=en-US

MSDN Webcast: Essentials of Application Security (Part 2) - Authentication - Level: 300
Tuesday, September 7, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the second of a 3-part series about the importance of application security and its best practices and guidelines. This part specifically addresses authentication in the context of secure application development. After an overview of the costs of inadequate security and the benefits of developing secure applications, we concentrate on authentication as part of a larger security solution, examining specific authentication techniques and best practices in IIS. The webcast includes two demonstrations: Buffer Overruns and IIS Authentication Techniques.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257885&Culture=en-US

MSDN Webcast: "Ask The Developer Security Experts" Series: Windows XP Service Pack 2: A Developer Overview - Level: 200
Tuesday, September 7, 2004 - 11:00 AM-12:00 PM Pacific Time
Tony Goodhew, Product Manager, Microsoft
This webcast series brings together some of the sharpest security-focused Microsoft developers to provide expert answers to your security questions. Beginning with a brief overview of Windows XP Service Pack 2 (SP2), we will focus the discussion on what these changes mean for you as a developer and how these changes will affect your various development tools. This presentation will be followed by an extensive Q&A period where you can "Ask the Experts" your in-depth questions about Windows XP SP2. Do you have a question you want to submit to the experts before the webcast? Send your security questions about Windows XP SP2 to our panel of experts ahead of time at [EMAIL PROTECTED]
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257887&Culture=en-US

MSDN Webcast: A Hacker's View of Your Web Applications Part 1: Procedures for Code Security - Level: 300
Tuesday, September 7, 2004 - 1:00 PM-2:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
With the threat of cyber attacks, today's Web environment has made application security an essential element in the application development lifecycle. The first part of this two-part series will define what Web application security is, why it is needed, and how it differs from other categories of Internet security. Additionally, we will examine appropriate procedures and technologies essential to the security of Web application code. Through a review of recent Web application breaches, we will expose the prolific methods hackers use to execute break-ins via the Web. By taking an in-depth look at how Web-based applications work and the techniques hackers use to exploit them, you will be better equipped to protect your confidential information.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032257889&Culture=en-US

MSDN Webcast: Essentials of Application Security (Part 3) - Authorization - Level: 300
Friday, September 10, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This webcast is the third of a 3-part series about the importance of application security and its best practices and guidelines. This part specifically addresses authorization in the context of secure application development. After an overview of the costs of inadequate security and the benefits of developing secure applications, we concentrate on authorization as part of a larger security solution, examining Trusted Subsystem Model authorization techniques and best practices. The webcast includes two demonstrations: Buffer Overruns and Trusted Subsystem Model Authorization Techniques.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257892&Culture=en-US

MSDN Webcast: A Hacker's View of Your Web Applications Part 2: Web Hacking - Attack Scenarios and Examples - Level: 300
Monday, September 13, 2004 - 1:00 PM-2:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
By taking advantage of the public access to a company and using it to subvert your applications, hackers can gain easy access into your company's sensitive backend data. Firewalls and IDS will not stop such attacks because hackers using the Web application layer are not seen as intruders. In the 2nd part of this two-part series, learn how to defend against attacks at the Web application layer with examples covering recent hacking methods such as SQL Injection, Cross Site Scripting, Parameter Manipulation, Session Hijacking, and LDAP Injection.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257907&Culture=en-US

MSDN Webcast: Overview of XP SP2 for Developers - Level: 200
Tuesday, September 14, 2004 - 9:00 AM-10:30 AM Pacific Time
Tony Goodhew, Product Manager, Microsoft
Review the changes that Windows XP Service Pack 2 delivers and what they mean for you. Windows XP SP2 is designed to deliver a number of safety technologies in the Internet Connection Firewall, Web browsing experience, Email/IM and application memory protection. Each of these areas has a direct impact on developers, and this session covers the major items and what you need to know. Learn how these changes will affect your various development tools.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257920&Culture=en-US

MSDN Webcast: Implementing Application Security Using the .NET Framework Part 1 - Level: 300
Wednesday, September 14, 2004 - 9:00 AM-10:00 AM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft Corporation
This is part 1 of a 3-part series for experienced developers. In this series, you will learn how to implement additional security features to secure applications that are built on the .NET Framework. You will learn how security features are integrated into the .NET Framework. You will learn how to use both code access security and role-based security to limit vulnerabilities. You will also learn how to use the cryptographic provider support in the .NET Framework to encrypt and sign data. Additionally, you will learn how to secure Web applications and Web services that are built by using ASP.NET. Finally, you will learn a few tips for writing secure code with the .NET Framework. Parts 2 and 3 of the series will be presented on 9/21 and 9/28, respectively.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032257965&Culture=en-US

MSDN Webcast: Writing Secure Code - Threat Defense Part 1 - Level: 200
Friday, September 17, 2004 - 9:00 AM-10:00 AM Pacific Time
David Deatherage
This is part 1 of a 3-part series for experienced developers. In this series, you will learn established best practices for applying security principles throughout the development process. You will learn effective strategies for defending against common security threats such as buffer overruns, cross-site scripting, SQL injection, and denial of service attacks. Parts 2 and 3 of the series will be presented on 9/24 and 10/1, respectively.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258007&Culture=en-US

MSDN Webcast: Implementing Application Security Using the .NET Framework Part 2 - Level: 300
Tuesday, September 21, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This is part 2 of a 3-part series for experienced developers. In this series, you will learn how to implement additional security features to secure applications that are built on the .NET Framework. You will learn how security features are integrated into the .NET Framework. You will learn how to use both code access security and role-based security to limit vulnerabilities. You will also learn how to use the cryptographic provider support in the .NET Framework to encrypt and sign data. Additionally, you will learn how to secure Web applications and Web services that are built by using ASP.NET. Finally, you will learn a few tips for writing secure code with the .NET Framework. Part 3 of the series will be presented on 9/28.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258017&Culture=en-US

MSDN Webcast: "Ask The Developer Security Experts" Series: Using WSE to Secure Your Web Services with WS-Security - Level: 200
Thursday, September 23, 2004 - 11:00 AM-12:00 PM Pacific Time
Maarten Van De Bospoort, Consultant, Microsoft Corporation
This webcast series brings together some of the sharpest security-focused Microsoft developers to provide expert answers to your questions about securing your Web services. We will begin this webcast with a brief discussion of the advantages of using WS-Security over traditional wire-level security at the protocol level, including an explanation of how WS-Security is built upon XML security and how the new Web Services Enhancements (WSE) make this easy to implement. After this overview, this session will continue with an extensive Q&A period where you can "Ask the Experts" your in-depth questions about securing your Web services with WS-Security and WSE. Do you have a question you want to submit to the experts before the webcast? Send your questions about securing Web services to our panel of experts ahead of time to [EMAIL PROTECTED]
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258027&Culture=en-US

MSDN Webcast: Writing Secure Code - Threat Defense Part 2 - Level: 200
Friday, September 24, 2004 - 9:00 AM-10:00 AM Pacific Time
Ron Cundiff, MSDN Developer Community Champion, Microsoft Corporation
This is part 2 of a 3-part series for experienced developers. In this series, you will learn established best practices for applying security principles throughout the development process. You will learn effective strategies for defending against common security threats such as buffer overruns, cross-site scripting, SQL injection, and denial of service attacks. Part 3 of the series will be presented on 10/1.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258029&Culture=en-US

MSDN Webcast: Implementing Application Security Using the .NET Framework Part 3 - Level: 300
Tuesday, September 28, 2004 - 9:00 AM-10:00 AM Pacific Time
Rob Jackson, Microsoft Corporation
This is part 3 of a 3-part series for experienced developers. In this series, you will learn how to implement additional security features to secure applications that are built on the .NET Framework. You will learn how security features are integrated into the .NET Framework. You will learn how to use both code access security and role-based security to limit vulnerabilities. You will also learn how to use the cryptographic provider support in the .NET Framework to encrypt and sign data. Additionally, you will learn how to secure Web applications and Web services that are built by using ASP.NET. Finally, you will learn a few tips for writing secure code with the .NET Framework.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258031&Culture=en-US

MSDN Webcast: Windows XP Service Pack 2 Change Walkthrough - Level: 300
Tuesday, September 28, 2004 - 11:00 AM-12:30 PM Pacific Time
Tony Goodhew, Product Manager, Microsoft
This session is a detailed walkthrough of the changes to Windows XP with Service Pack 2. It will cover the 4 major areas of change - Networking, Web Browsing, Email/IM and Hardware. In each of these sections the change and its implication will be discussed.
http://msevents.microsoft.com/cui/eventdetail.aspx?EventID=1032258033&Culture=en-US

HTH,
Hans

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth R. van Wyk
Sent: Monday, August 23, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: [SC-L] Grass roots secure coding efforts

Greetings all,

One of the things that I hear most from software developers when I deliver secure coding tutorials and such is that they're likely to be unable to do things like detailed threat modeling, risk analyses, etc. The reason most often cited is that they're under tight deadlines and there's not enough time in the schedule for such activities. Of course, to really expect any sort of culture shift, there would need to be top-level support for adopting secure coding practices.

That said, I often spend some time brainstorming lists of things that the students can consider trying by themselves as soon as they are back in their offices. I'm talking about "grass roots" sorts of activities that won't break the bank (or schedule) here. Some of the things that the students have suggested include the following:

- Informal peer review of code modules
- Incorporation of (usually free) static code review tools in the code reviews
- Setting up an information sharing site/portal/drive internally for developers to load useful links, tools, experiences, etc.
- and so on

Most often, the students agree that these sorts of things are the types of simple first steps that they could reasonably expect to take. Anyone here have other suggestions on other first steps that developers might consider, even in the absence of top-level embracing of a more secure development methodology? (No, I'm not suggesting that a simple list like this be any sort of substitute for a more in-depth program, but it's a starting point for developers to experiment with in trying to improve the security of their software dev practices.)

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com