Export (0) Print
Expand All

patterns & practices Web Application Security Engineering Index

 
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page provides an index to available and emerging guidance for patterns & practices Web Application Security Engineering. The modules in this index build upon the security engineering approach outlined in the patterns & practices Security Engineering Index. View the Security Engineering Index to see the complete list of available modules and to learn more about the motivation behind each Security Engineering activity. View the modules in this index to learn how to apply these activities specifically to Web applications. These security activities are integrated in MSF Agile, available with Visual Studio Team System. This provides tools, guidance, and workflow to help make security a seamless part of your development experience.

Contents

Web Application Security Engineering Approach
Security Frame
Security Design Guidelines
Threat Modeling
Security Architecture and Design Review
Security Code Review
Security Deployment Review
Security Guidelines
Additional Resources

Web Application Security Engineering Approach

To design, build and deploy secure Web applications, you must integrate security into your development lifecycle and adapt your current software engineering practices and methodologies to include specific security-related activities as shown in Figure 1.

Security Overlay

Ff649452.securityinlifcycle(en-us,PandP.10).gif

Figure 1. Security activities in the application development life cycle

These activities include:

  • Identifying security objectives.
  • Applying security design guidelines.
  • Creating threat models.
  • Conducting security architecture and design reviews
  • Performing regular security code reviews.
  • Security testing.
  • Conducting security deployment reviews.

These activities form the core of a successful security engineering process and can be applied to any application type. However, Web applications are unique and so each step must be tuned in order to meet the specific security needs of the Web.

The modules in this index build upon the security engineering approach outlined in the patterns & practices Security Engineering Index. View the Security Engineering modules to learn more about Security Engineering and the motivation behind each activity. View the modules in this index to learn how to apply these activities specifically to Web applications.

Security Frame

Security frames define a set of pattern-based categories that organize repeatable problems and solutions. You can use these categories to divide your application architecture for further analysis and to help identify application vulnerabilities. The categories within the frame represent the critical areas where mistakes are most often made. See the following security frame:

Security Design Guidelines

Security design guidelines provide pattern-based recommendations on architecturally significant challenges. See the following security design guidelines resources:

Threat Modeling

Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that can affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following Threat Modeling resource:

Security Architecture and Design Review

Security architecture and design reviews provide question-driven analysis of key application design decisions. See the following security architecture and design review resource:

Security Code Review

Security code reviews provide question-driven analysis of coding practices and implementation. See the following security code review resource:

Baseline Code Review Activity

Question Lists

Specific Issues

Checklists

.NET Framework Version 1.1 Code Review Guidance

Security Deployment Review

Security deployment reviews provide configuration and run-time analysis. See the following security deployment review resource:

Security Guidelines

Security Guidelines are specific, actionable recommendations at the implementation level. Each recommendation is presented to address "what to do", "why", and "how." The recommendations are principle-based and they are organized using pattern-based categories for easy consumption. See the following security guidelines:

Additional Resources

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Contributors and Reviewers

  • External Contributors and Reviewers: Jason Taylor, Security Innovation
  • Microsoft IT Contributors and Reviewers: Shawn Veney
  • Microsoft Production Group Contributors and Reviewers: Don Willits
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Show:
© 2014 Microsoft