
Foreword by Joel Scambray

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

June 2003

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Foreword

I have been privileged to contribute to Improving Web Application Security: Threats and Countermeasures, and its companion volume, Building Secure ASP.NET Web Applications. As someone who encounters many such threats and relies on many of these countermeasures every day at Microsoft's largest Internet-facing online properties, I can say that this guide is a necessary component of any Web-facing business strategy. I'm quite excited to see this knowledge shared widely with Microsoft's customers, and I look forward to applying it in my daily work.

There is an increasing amount of information being published about Internet security, and keeping up with it is a challenge. One of the first questions I ask when a new work like this gets published is: "Does the quality of the information justify my time to read it?" In the case of Improving Web Application Security: Threats and Countermeasures, I can answer an unqualified yes. J.D. Meier and team have assembled a comprehensive reference on Microsoft Web application security, and put it in a modular framework that makes it readily accessible to Web application architects, developers, testers, technical managers, operations engineers, and yes, even security professionals. The bulk of information contained in this work can be intimidating, but it is well-organized around key milestones in the product lifecycle — design, development, testing, deployment, and maintenance. It also adheres to a security principles-based approach, so that each section is consistent with common security themes.

Perhaps my favorite aspect of this guide is the thorough testing that went into each page. During several discussions with the guide's development team, I always came away impressed with their willingness to actually deploy the technologies discussed herein to ensure that the theory portrayed aligned with practical reality. They also freely sought out expertise internal and external to Microsoft to keep the contents useful and practical.

Some other key features that I found very useful include the concise, well-organized, and comprehensive threat modeling chapter, the abundant tips and guidelines on .NET Framework security (especially code access security), and the hands-on checklists for each topic discussed.

Improving Web Application Security: Threats and Countermeasures will get any organization out ahead of the Internet security curve by showing them how to bake security into applications, rather than bolting it on as an afterthought. I highly recommend this guide to those organizations who have developed or deployed Internet-facing applications and to those organizations who are considering such an endeavor.

Joel Scambray

Senior Director of Security, MSN

Co-Author, Hacking Exposed Fourth Edition, Windows, and Web Applications

© 2014 Microsoft