Export (0) Print
Expand All
1 out of 1 rated this helpful - Rate this topic

patterns & practices Application Security Guidance for .NET Framework 2.0

 
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Kishore Gopalan

Microsoft Corporation

August 2005

Summary

This page explains the rationale behind the patterns & practices Security Guidance for .NET Framework 2.0 project and provides an index into the guidance. You can use the guidance referenced on this page to improve both the security of your applications and your approach to building secure applications.

Contents

Overview
Approach
About the Project
Guidelines
Checklists
Practices at a Glance
Explained
How Tos
Security Engineering
Security Design Guidelines
Threat Modeling Security Architecture and Design Review Security Code Review Security Deployment Review

Overview

The purpose of this project is to provide world-class security guidance for Microsoft .NET Framework 2.0 centered on the following themes:

  • Security engineering. Security engineering represents the set of life-cycle activities that are proven to produce more secure software.
  • Application scenarios. Application scenarios represent end-to-end guidance for building and deploying secure software in common user scenarios.
  • Technical guidance. Technical guidance represents precise, context-specific guidance to solve particular engineering problems.

Approach

The project has adopted the following approach:

  • Modular guidance. Successful guidance is modular, specific, and accessible. When you have a specific security problem, whether it involves process or technology, you should be able to quickly find guidance that precisely applies and gives you with the set of steps to solve the problem quickly.
  • Tools integration. The MSF Agile process guidance that ships with Visual Studio 2005 Team System incorporates the patterns & practices security engineering practices.
  • Validation. Industry leaders, experts, customers, and product groups and product support teams at Microsoft validate the guidance.

About the Project

In the past few years, Microsoft has made sweeping changes to development processes to ship more secure software. This includes process changes, such as the Secure Windows Initiative and the Trustworthy Computing Release Process, as well as technology initiatives such as managed code. Along the way, we have talked to experts in the industry and learned a lot about developing secure applications. The motivation for this project is to distill the best engineering practices, secure application scenarios, and technology advice into guidance that you can use to make your applications as secure as possible. For more information about the project, see About the Project: patterns & practices Security Guidance for .NET Framework 2.0.

Guidelines

Guideline modules organize key information and explain what to do, why, and how. Guideline modules often have corresponding checklists.

Checklists

Checklists enumerate recommendations as itemized lists. The recommendations within the checklists are typically organized using an information model based on a problem domain.

Practices at a Glance

Practices at a Glance modules are quick answers organized around common tasks and questions.

Explained

Explained modules address how things work along with design intentions, extensibility points, and usage scenarios.

How Tos

How Tos provide step-by-step, task-based guidance.

Security Engineering

patterns & practices Security Engineering builds on, refines, and extends core development activities to create security-specific activities.

Security Design Guidelines

Security design guidelines provide pattern-based recommendations around architecturally significant challenges. See the following security design guidelines resource.

Threat Modeling

Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk. See the following threat modeling resource.

Security Architecture and Design Review

Security architecture and design reviews provide question-driven analysis of key application design decisions. See the following security architecture and design review resource.

Security Code Review

Security code reviews provide question-driven analysis of coding practices and implementation. See the following security code review resource.

Security Deployment Review

Security deployment reviews provide configuration and run-time analysis. See the following security deployment review resource.

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to our recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at http://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you should use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Andy Eunson; Anil John; Akshay Aggarwal; Brian Cowan; Brian Gran, Ascentium Corporation (Threat Modeling); Chris Ullman; Darren Simmonds, Ascentium Corporation (Threat Modeling); David Raphael, Foundstone Professional Services ; Eric Marvets, Dunn Training and Consulting; Frank Heidt; Jan Drake, Ascentium Corporation (Threat Modeling); Jason Taylor, Security Innovation ; Keith Brown, Pluralsight LLC (Threat Modeling); Manoranjan M Paul; Mark Curphey, Foundstone Professional Services; Michael Panciroli, Ascentium Corporation (Threat Modeling); Mrinal Bhao, Infosys Technologies Ltd (Threat Modeling); Pete Coupland, VMC Consulting Corporation (Threat Modeling); Rudolph Araujo, Foundstone Professional Services
  • Microsoft Contributors and Reviewers: Adam Semel (PSS); Aaron Margosis ; Bradley Millington (ASP.NET); Brian Johnson; Charlie Kaufman (CLR); Corey Ladas (EEG); Dave McPherson; Denny Dayton; Devendra Tiwari; Don Wilits ; Edward Jezierski; Eric Rachner; Erik Olson; Girish Chander; Hao Kung; Jason Hogg; Jonathan Wanagel; Kate Baroni; Kent Sharkey (MSDN); Maarten Van De Bospoort; Mike Downen; Naveen Yajaman; Nobuyuki Akama (MCS); Randy Miller (MSF Agile); Rick Somona; Rico Mariani (CLR); Rob Beck; Shawn Veney (ACE Team); Shai Kariv; Stefan Schackow (ASP.NET); Tom Christian (PSS); Vikas Malhotra (ASP.NET); Wade Mascia (PSS)
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Sameer Tarey, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation; Tina Burden McGrayne, TinaTech Inc.
  • Release Management: Sanjeev Garg, Microsoft Corporation

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.