
Foreword by Michael Howard

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla, and Anandha Murukan

Microsoft Corporation

June 2003

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Foreword

The notion that security is only as good as the weakest link is as valid today as it was 15 or so years ago, and it is especially true in today's Web-enabled applications. This truism was emphasized during the eWeek OpenHack contest of October 2002, when various software vendors were pitted against each other in the most hostile of environments — the Internet. During the contest, the computer running Oracle 9i Application Server was compromised in a little over two hours. The defect, that of not checking that user input was well formed and correct, was not in the core Oracle software. The error lay in the custom application that rode atop the server software. The same error could easily have occurred in any Web-based application written in, say, ASP.NET, Perl, or PHP.

Based on my experience, I can safely say that many people focus on securing the "core" code and features, and give the security of features that depend on the core short shrift. You simply cannot do this in a hostile environment such as the Web. Building secure systems requires skill, education, and discipline at every stage of development: from design to coding to testing to documentation to deployment, and finally, to management. Each and every step must be as secure as possible. This is why I am excited about Improving Web Application Security: Threats and Countermeasures. It's the first book to offer a "soup to nuts" view of building a secure Web-based system using the Microsoft .NET Framework and ASP.NET. The fact that the authors chose to focus on the Web-based product development end-to-end lifecycle — and not just on securing small islands of technology — is a testament to much of the work we are undertaking at Microsoft as part of the Trustworthy Computing initiative. Delivering security and privacy to customers requires the engagement of every person involved in the software process, rather than focusing on single events or a single development discipline.

This book has something of value for everyone involved in software development, deployment, and management, because everyone involved in these efforts has an impact on product security. I would urge you, at a minimum, to read the sections that affect your discipline. You will learn critical skills, and most importantly, you will secure every link in the chain. After all, it takes only one loose thread and the entire garment unravels!

Michael Howard

Senior Program Manager, Secure Windows Initiative

Co-author, Writing Secure Code

© 2014 Microsoft