Security Blog
http://www.ddj.com/blog/securityblog/
Copyright 2008. Feed last updated Mon, 25 Feb 2008 11:02:37 -0500

Implementation of the SDL in Industry: Symantec
I ran across an interesting news release from Symantec the other day. Symantec had a Market Research company do some research into Application Security and how organizations were implementing Application Security into their development processes. The results were interesting, though not very surprising.
http://www.ddj.com/blog/securityblog/archives/2006/10/implementation.html
Freelancer Blog, Tue, 31 Oct 2006 11:54:58 -0500
Code Signing vs Code Hashing
Once you’ve made sure that your application has been written in a secure manner, one last step remains. You need to ensure that the Application that is located in the Production environment is the one that you have approved. In other words, you need a mechanism to ensure that Applications aren’t changed without going through a proper Change Mgmt process. That mechanism is Code Signing.
http://www.ddj.com/blog/securityblog/archives/2006/10/code_signing_vs.html
Freelancer Blog, Fri, 27 Oct 2006 16:51:34 -0500
Security Testing: The Last Stage of the SDL
When most people think about Application Security, they don’t think about a Security Development Lifecycle. What they think about is Testing Applications after they’ve been written to see if they’ve been written securely. Nice idea, but if you’ve been keeping up with this blog, you understand the need for the full SDL. That said, it’s now time to actually talk about Application Security Testing.
http://www.ddj.com/blog/securityblog/archives/2006/10/security_testin.html
Freelancer Blog, Tue, 24 Oct 2006 03:40:45 -0500
Checklists - Standardizing Architecture Reviews
Once an Architecture is done, it’s time to review it to make sure it covers all aspects of the Threats and Risks that the Application needs to deal with. But how thoroughly the Architecture gets reviewed is based on the person that is doing the reviewing. How well I review the Architecture is different from how well a novice would review the Architecture. And that’s where Checklists come in.
http://www.ddj.com/blog/securityblog/archives/2006/10/checklists_stan.html
Freelancer Blog, Mon, 09 Oct 2006 11:59:47 -0500
Review: Microsoft's Threat Modeling Tool
In my previous Blog, I went over the importance of doing Threat Modeling prior to putting together your Architecture in order to understand the threats and risks that you need to deal with. But this is primarily a manual process. One of the tools that I’ve run across is Microsoft’s Threat Modeling tool, which can assist in the development of your Threat Model. Plus it has the added benefit of being free. That said, remember that you get what you pay for.
http://www.ddj.com/blog/securityblog/archives/2006/09/review_microsof.html
Freelancer Blog, Tue, 26 Sep 2006 11:39:36 -0500
Threat Modeling: The First Step in Architecting
Before you start to develop your Architecture, you need to take a close look at the Threats that will put your Application at Risk. To do that, you need to start the process of Threat Modeling.
http://www.ddj.com/blog/securityblog/archives/2006/09/threat_modeling.html
Freelancer Blog, Tue, 19 Sep 2006 03:58:15 -0500
Business Requirements: The SDL Driver
Typically, when you start putting together an Architecture, you start off by gathering the business requirements that are driving the project. In the case of Application Security, this isn’t any different.
http://www.ddj.com/blog/securityblog/archives/2006/09/business_requir.html
Freelancer Blog, Fri, 08 Sep 2006 08:16:06 -0500
How to Protect Your Intellectual Property? DRM!
I was going to expand on my last blog about the SDL, but I've had all sorts of questions this week from numerous different sources that asked the same question: How do you protect your Application Intellectual Property? My answer: DRM.
http://www.ddj.com/blog/securityblog/archives/2006/09/how_to_protect.html
Freelancer Blog, Fri, 01 Sep 2006 01:07:56 -0500
The Importance of SDL
One of the first things that I came to understand is that looking at Application Security requires looking at the entire Software Engineering process rather than just one area, such as the Testing and Review phase. As a result, my advice to you is to develop a full Secure Development Lifecycle (SDL).
http://www.ddj.com/blog/securityblog/archives/2006/08/the_importance.html
Freelancer Blog, Mon, 28 Aug 2006 00:43:19 -0500
Introduction to Lock It Up
When I started thinking about writing this Blog, I asked myself what type of information I could provide to everyone that would be interesting. Could I provide Web Services Security information? Could I write about the correct way to code a function? Could I go into specific technologies around Application Security like XML Firewalls and Federation?
http://www.ddj.com/blog/securityblog/archives/2006/08/post.html
Freelancer Blog, Wed, 23 Aug 2006 18:28:50 -0500