patterns & practices Security Focus

Hello and welcome to the UK patterns & practices security site. My name is Alex Mackman and I work for CM Group Ltd. I've been working with the patterns & practices team for the best part of four years, developing .NET security guidance. My objective for this site is to spotlight specific aspects of patterns & practices (p&p) security guidance and to provide additional insights about the guidance we have created. I'll be picking a different topic to discuss regularly.

Guidance Explorer October 2006 If you're familiar with patterns & practice guidance materials and in particular their security guidance you'll know that a lot of emphasis is placed on ensuring that the content is presented in a consumable and well organized manner. Indexes, categories and content types are used extensively to help organize the guidance. Examples of the different content types found within patterns & practices security guidance include:

• Checklists. These enumerate recommendations as itemized lists. The recommendations within the checklists are typically organized using an information model based on a problem domain.
• How Tos. These provide step-by-step, task-based guidance in an easy to follow way. They provide the steps you need to follow to perform a common task such as configuring the ASP.NET membership system.
• Practices (mini How Tos). These provide quick answers organized around common tasks and questions. Think of them as mini How Tos.
• Explained. These address how things work along with design intentions, extensibility points, and usage scenarios.
• Guidelines. These represent the "what to do, why and how". Each set of guidelines usually has a corresponding checklist. A guideline is of limited use only if you can't implement the guideline. For this reason, guidelines include the "how" which explains what you need to do to implement the guideline. Some guidelines have this information inline if there are only a few implementation steps. Alternatively, other guidelines reference associated How Tos if more detail step-by-step procedures are required,
• Principles. These are principles that have proven themselves over time. They help to put other guidelines and recommendations into context.
• Scenarios and Solutions. These show common end-to-end application scenarios, such as a Web server to database server intranet scenario, and present the common solutions. Each Scenario and Solution includes skeletal representations of the before and after pictures. They highlight the key issues and the main engineering decisions that represent risk.

The beauty of organizing content in this way is that you're not forcing a reader to read an entire book or even an entire chapter in order to get to the information or knowledge that they require to get their job done. Typically you either want to further your understanding of a particular subject or you want to quickly locate the specific guidance that helps you to get your job done. If you're interested in finding out how things work then you can read the Explained articles. If you have a specific task that just needs to be done you can read the associated How To. If you're looking for a wider set of recommendations corresponding to a particular scenario you can see if there is a scenario and solution that closely matches your requirements. If you want help validating the code that you've written or want a constant reminder of the right things to do while designing your code you can consult the checklists or perhaps have a hard copy to hand on your desk.

I should also remind you that all of the recent security guidelines and checklists from a variety of patterns & practices deliverables have been collated in the Developer Highway Code.

Download the Developer Highway Code PDF

So What's the Problem?

Although highly consumable there are a lot of guidelines to follow! Which ones are relevant to you? Which ones apply to you particular style of application or your choice of implementation technology? Which are the key guidelines that you want to ensure that your project team follow? What if you have additional specific guidelines related to your particular application that you want your team to follow? What's really needed is a tool that will help you browse, filter and search the guidelines relevant to you and to share views of the guidelines with the rest of your project team. Enter Guidance Explorer.

What is Guidance Explorer?

Guidance Explorer is a tool from the patterns & practices team that lets you find security (and also performance and scalability) guidance for .NET and ASP.NET applications that is relevant to you and your particular application scenario. The guidance is presented according to the content types I've outlined above. You can create customizable views based on the supplied library of guidance and share those views with others. For example you can create views that present the specific set of guidance that you want your project team to adopt on your current project. This allows you to share best practices and to set team standards. Another really powerful feature is that you can adapt the existing library by updating guidance, and you can add your own guidance that might be specific to your own project or application. This is a great way of establishing the standards and the rules to be used on your project.

Here's a screen shot that shows what the tool looks like. Notice the list of views in the left hand pane. Also notice how each column in the right hand pane allows you to apply filters to drill down so that you can see only the guidance that applies for example to your particular implementation technology.

When Would I Use Guidance Explorer?

You can use Guidance Explorer during many stages of the software development lifecycle. For example you can use the guidance during the design phase, during code implementation, solution implementation or while performing review activities such as architecture and design reviews, code reviews, and deployment reviews.

Where Can I Get Guidance Explorer?

Download the tool from the Guidance Explorer home page on GotDotNet

Conclusion

If you're familiar with the patterns & practices security guidance but haven’t seen the Guidance Explorer tool yet, you should check it out. If you're not familiar with patterns & practices security guidance, the tool will provide you with a great way into the guidance. To get started quickly with the tool I'd recommend that you watch the short series of video tutorials (they really are short!) that you can find on the Channel 9 site. Remember that you can customize and share the guidance library and create your own specific set of guidelines for your own project. In my opinion that's the single most powerful feature of the tool and its approach in general.

Watch the video tutorials on Channel 9

Alex

Additional Resources

For more information about patterns & practices Web services security guidance, see:

• Guidance Explorer Home on GotDotNet
  
• Guidance Explorer on Channel 9
  
• Guidance Explorer on CodePlex
  
• A Web-based version of the tool (currently in beta)
  
• patterns & practices Security Guidance for Applications Index