Fail Safe - Your application must always fail safe. That is to say, if it encounters a situation in which it can no longer proceed, it must deny access to the resource. For example, if a firewall cannot validate the action that is being requested by the requester, it should reject the operation; this is known as fail closed or fail safe.
Secure the Weakest Link – The security of an application is that of its weakest link; thus, it is important that all components in the application are secured, not just the operating system or database server. This also means that as a developer you must protect any resources your code owns or is responsible for.
Security Through Obscurity Does Not Work – Obscurity should not be used as the only or primary security mechanism.
Simplicity - Complexity increases the potential risk of problems. Application architecture and implementations should be as simple as is practical. This also makes it easy to do the right thing.
End to End security – Where data requires protection during transportation, it should be enforced from the sender to the recipient (end to end).
Compartmentalize - Applications should compartmentalize user access. Compartmentalization gives users access to the data and functions they require and restricts them from accessing data or functions they do not need.
Defense in Depth - Applications should use multiple layers of security. This ensures that if one security mechanism is vulnerable to an attack, an additional layer will still enforce an adequate security policy. Password files, for example, should be restricted by access control lists and encryption. Similarly, even if data is validated, the use of stored procedures or prepared SQL statements is strongly recommended since it adds an additional layer of defense.
Least Privilege – Applications should run with the minimum amount of system privileges that they need to function. Where elevated privileges are required, they should be granted for the minimum period of time they are required. A similar principle is the “need to know” principle. Ensure that only the minimum number of people have administrative-level access to production web, database and application servers.
Trust but Verify – Applications need to trust other applications or objects on the same host or on the network; however, they must always verify the source they are trusting. The same also applies to users and their actions. For instance, before performing any administrative action, it is important to check that the requesting user is indeed an administrator authorized to request such an action.
Think Strategically – There are no security silver bullets. Security requires constant monitoring and improvement and is not somebody else’s responsibility. Pay special attention to architecting the right solution so that it may be reused frequently. The use of software design patterns like Model-View-Controller (MVC) and frameworks like Java Struts is therefore strongly encouraged.
Attribution
This content was provided by Foundstone and prepared by Nick Murison.
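The Fail Safe, Defense in Depth and Trust but Verify principles above, combined in one administrative check. This is an added example, not part of the Foundstone content or the original post; the `users` table, the function names and the sample accounts are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table of hypothetical accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", 1), ("bob", 0)])
    return db

# Layer 1 of defense in depth: strict allow-list for user names.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def is_admin(db, username):
    """Trust but verify: look the requester up instead of trusting a claim.

    Fail safe: a malformed name, a missing row or any database error
    all produce the same answer, "not an administrator".
    """
    try:
        if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
            return False
        # Layer 2: the value is bound as a parameter, never concatenated,
        # so the query stays safe even if the validation above is weakened.
        row = db.execute("SELECT is_admin FROM users WHERE name = ?",
                         (username,)).fetchone()
        return row is not None and row[0] == 1
    except sqlite3.Error:
        return False  # the request cannot be validated, so it is denied

def delete_user(db, requester, target):
    """Administrative action: runs only after the requester is verified."""
    if not is_admin(db, requester):
        raise PermissionError("requester is not a verified administrator")
    cur = db.execute("DELETE FROM users WHERE name = ?", (target,))
    return cur.rowcount  # number of accounts removed
```

Closing the connection or dropping the table before calling `is_admin` shows the fail-safe path: the lookup raises, and the caller is treated as a non-administrator rather than being let through.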
Tuesday, June 28, 2005
Thursday, June 09, 2005
SQL Server 2005 Hands-On Labs
Greetings,
Don't have a machine to spare for Beta testing? Don't want to go through the messy install-test-wipe-install-test cycle? Try out the SQL Server 2005 hands-on labs.
SQL Server 2005 hands-on labs give you the opportunity to try out the new and improved features and technologies that the new version will make available to database developers.
/Gill
SQL Server is now at TechCenter
SQL Server has its own TechCenter at TechNet.
http://www.microsoft.com/technet/prodtechnol/sql/default.mspx.
/Gill
Wednesday, June 08, 2005
VSTO (Visual Studio Tool for Office) revisited
Previously I posted some information on VSTO (Visual Studio Tools for Office). In recent days, during TechEd 2005 USA, it was announced that VSTO would now also include Outlook support.
So here are tons of resources for working with OUTLOOK using VSTO :)
Download the Visual Studio 2005 Tools for Office – Outlook (Beta)
With the new managed Outlook add-in support, developers have a framework and tools to debug, secure, and deploy the Outlook add-ins they create using Visual Studio 2005 Tools for Office.
Introducing Outlook Add-in Support in Visual Studio 2005 Tools for Office
Outlook add-in support simplifies interaction with the host application and provides a cleaner event framework for creating add-ins along with streamlined security.
Architecture of the Outlook Add-in Support in Visual Studio 2005 Tools for Office
Developers now have a robust, supported way to build managed add-ins for Office that use AppDomain isolation, a type-safe code model, and a strict code access security model.
Visual Studio 2005 Tools for Office - Developer Portal
Check here for the latest articles, code samples, snippets, trainings, and more for Visual Studio 2005 Tools for Office. New content published often!
Also
Don't Miss...
Outlook Add-in Hands-on Labs (Beta): Six new labs designed to help you create and work with Outlook 2003 add-in projects.
Outlook Add-in Samples (Beta): Five sample projects illustrating features and scenarios for developing Outlook 2003 add-in projects.
Outlook Add-in Snippets (Beta): Microsoft IntelliSense code snippets designed to assist developers with frequently occurring Outlook development tasks.
Get Visual Studio 2005 Beta 2: Get the new Visual Studio 2005 Beta 2 release, which includes the latest tools for building Windows, Web, and mobile applications.
Resources:
Office Developer Center (http://msdn.microsoft.com/office)
TechEd 2005 USA
John R. Durant's WebLog (http://weblogs.asp.net/johnrdurant/rss.aspx)
Sunday, June 05, 2005
Reading and Writing XML in .NET Version 2.0 - Part I
Read this article about XML and .NET 2.0. If you have never used the XML handling classes in 1.x, now is the best time. The XML classes have never been easier to use, and there is so much less code to write. The article makes it easy to understand these XML classes. Read on...
Cheers
Sarbjit Gill
Wednesday, June 01, 2005
Technical Articles for BizTalk 2004
Greetings,
The following are some technical articles for BizTalk 2004. Some are relatively new and some are updates. For example, if you are thinking about how to prioritize messages going into processing by an orchestration, then you should look at the BizTalk Server 2004 Convoy Deep Dive.
Anyway, here are the articles and the links:
BizTalk Accelerator for HL7 Management Pack Guide. This document describes how to deploy and configure the sample HL7 Management Pack (MOM Pack). It also describes the integration of Microsoft BizTalk Accelerator for HL7 (BTAHL7) 1.0 Windows Performance Counters and Windows Management Instrumentation (WMI) events with Microsoft Operations Manager 2005 (MOM).
BizTalk Server 2004 Convoy Deep Dive. This paper discusses examples of business scenarios that require convoy message processing, explains convoy theory and messaging, and reviews each included sample.
BizTalk Server 2004 Deployment Guide for Security. This document provides guidelines to help you assess the potential threats to your BizTalk Server implementation, a sample architecture for small and medium-size companies, and a sample Point of Sale solution.
BizTalk Server 2004 Performance Characteristics. This document provides information about the performance characteristics of key BizTalk Server 2004 configurations and components, such as messaging, pipeline, and orchestration.
BizTalk Server 2004 Technical Guide for High Availability. This document contains information to help you understand, plan, and implement a highly available BizTalk Server 2004 environment.
Build Better Business Processes with Web Services in BizTalk Server 2004. This article focuses on one Web services specification that is critical, yet has been largely overlooked: the Business Process Execution Language for Web Services (BPEL4WS, or BPEL).
Connecting to the Elemica Network with BizTalk Accelerator for RosettaNet 3.0. This document describes how to enable Microsoft BizTalk Accelerator for RosettaNet (BTARN) 3.0 to connect to the Elemica Exchange Server Provider (ESP).
Developing Integration Solutions with BizTalk Server 2004. This document provides developers with techniques for designing, developing, and deploying solutions within BizTalk Server 2004.
Risk Scoring with BizTalk Server 2004 and the Business Rules Framework. This document presents an example BizTalk solution in which an insurance company uses the Business Rules Framework to create a risk profile for qualifying applicants.
Understanding BizTalk Server 2004. BizTalk Server 2004, an integration server, lets you develop, deploy, and manage integrated business processes and XML-based Web services. This version of BizTalk Server provides integration between messaging and orchestration, and enhanced security and support for industry standards.
Using XML Schemas in BizTalk Server 2004. This document covers the basic concepts needed to create XML schemas and explains how they are used in Microsoft BizTalk Server 2004.
/Sarbjit Gill