MSDN Magazine: Security Briefs
-
Security Briefs: Cryptographic Agility
Bryan Sullivan - August 2009 Even if you use only the most secure algorithms and the longest key lengths, there’s no guarantee that the code you write today will remain secure. A better alternative is to plan for agility from the beginning. Rather than hard-coding specific cryptographic algorithms into your code, use one of the crypto-agility features built into the Microsoft .NET Framework. This article shows you how.
-
Security Briefs: A Conversation About Threat Modeling
Michael Howard - May 2009 Listen in on a chat between a developer and security pro that delves into some of the major Security Development Lifecycle (SDL) requirements we impose on product teams here at Microsoft.
-
Security Briefs: Protect Your Site With URL Rewriting
Bryan Sullivan - March 2009 Learn the numerous ways in which you can rewrite URLs to defend against common Web vulnerabilities.
-
Security Briefs: Getting Started With The SDL Threat Modeling Tool
Adam Shostack - January 2009 The Security Development Lifecycle (SDL) threat modeling tool helps you develop great threat models as a backbone of your security process. We'll show you how it works.
-
Security Briefs: Threat Models Improve Your Security Process
Michael Howard - November 2008 Using threat models to drive your security engineering process helps prioritize the code review, fuzz testing, and attack surface analysis tasks.
-
Security Briefs: SDL Embraces The Web
Bryan Sullivan - September 2008 In this installment we introduce you to new Web-oriented security guidance and tools straight from the Security Development Lifecycle (SDL) team at Microsoft.
-
Security Briefs: Reinvigorate your Threat Modeling Process
Adam Shostack - July 2008 In this column the author outlines some approaches to threat modeling that can be employed by development teams of any size.
-
Security Briefs: Penetration Testing
James A. Whittaker - May 2008 In this installment of Security Briefs, James Whittaker explains the rules and the pitfalls of penetration testing so you'll know how to avoid them.
-
Security Briefs: Protecting Your Code with Visual C++ Defenses
Michael Howard - March 2008 Michael Howard outlines some of the buffer overrun defenses available in Visual C++ 2005 and beyond.
-
Security Briefs: Exploring Claims-Based Identity
Keith Brown - September 2007 Keith Brown introduces you to the new identity model in the Microsoft .NET Framework 3.0.
-
Security Briefs: Active Directory Cache Dependencies
Keith Brown - July 2007 If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.
-
Security Briefs: Events in Windows Vista
Keith Brown - May 2007
-
Security Briefs: Improve Manageability through Event Logging
Keith Brown - April 2007 When something goes wrong, a manageable application will tell the administrator how to fix the problem. The Windows Event Log can provide the necessary information.
-
Security Briefs: Using Protocol Transition—Tips from the Trenches
Keith Brown - January 2007 Now that Windows Server 2003 is widely deployed, Keith Brown addresses questions from readers who are trying to use protocol transition to build secure gateways into their intranets.
-
Security Briefs: Limited User Problems and Split Knowledge
Keith Brown - November 2006
-
Security Briefs: CardSpace, SqlMembershipProvider, and More
Keith Brown - October 2006 This month Keith Brown fields some reader questions on InfoCard turned CardSpace and passwords for SqlMembershipProvider.
-
Security Briefs: Security in Windows Communication Foundation
Keith Brown - August 2006 Windows Communication Foundation provides three major protections—confidentiality, integrity, and authentication. This month Keith Brown explains what they can do for you.
-
Security Briefs: Step-by-Step Guide to InfoCard
Keith Brown - May 2006 In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to assume you’re familiar with the basics I covered.
-
Security Briefs: A First Look at InfoCard
Keith Brown - April 2006 The Web can be annoying at times. I'm certain that I'm not alone in my frustration with filling out the same old forms on every Web site I visit. Like most other techies, I've acquired many tools over the years to help combat this repetition, and I even wrote my own password manager for my hundreds of different identities on the Web.
-
Security Briefs: Encrypting Without Secrets
Keith Brown - January 2006 Do you have a Web site or other system that deals in secrets of any sort? It seems like every time I give a security talk, people ask how to deal with the sticky problem of storing secrets. Connection strings with passwords are an obvious problem.
-
Security Briefs: Security Enhancements in the .NET Framework 2.0
Keith Brown - Visual Studio 2005 Guided Tour 2006 The .NET Framework 2.0 got quite a few security enhancements. This month Keith takes you on a whirlwind tour of the goodies you'll find there.
-
Security Briefs: Security Features in WSE 3.0
Keith Brown - November 2005 I've been spending a lot of time lately building secure Web services with the Microsoft® .NET Framework 2.0, and Web Services Enhancements (WSE) 3.0 has been a lifesaver for me, so I thought it would be appropriate to dedicate a column to security features in this new product.
-
Security Briefs: Credentials and Delegation
Keith Brown - September 2005 I get loads of security questions from friends and former students, and recently I've gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I've decided to answer them here to hopefully save you some headaches in your own projects.
-
Security Briefs: Customizing GINA, Part 2
Keith Brown - June 2005 GINA, the Graphical Identification and Authentication component, is a part of WinLogon that you can customize or replace. Last month I introduced GINA customization; this month, I'm going to drill down to implement each of the GINA entry points.
-
Security Briefs: Customizing GINA, Part 1
Keith Brown - May 2005 Over the years I've had many people ask me to write about GINA, the Graphical Identification and Authentication component that serves as the gateway for interactive logons. This month I'll begin my coverage of this topic to help you get started if you're tasked to build such a beast.
-
Security Briefs: Access Control List Editing in .NET
Keith Brown - March 2005 Access control lists (ACLs) can be complex beasts, and user interfaces for editing them are incredibly tricky to implement properly. That's why I was really excited when Windows® 2000 shipped with a programmable ACL editor, shown in Figure 1.
-
Security Briefs: Security Enhancements in the .NET Framework 2.0
Keith Brown - January 2005 As I write this column, version 2.0 of the Microsoft® .NET Framework is at Beta 1. When I got my bits, I hacked together a little program to dump all of the public members of all public types in the entire Framework and ran it on version 1.
-
Security Briefs: Password Minder Internals
Keith Brown - October 2004 In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.
-
Security Briefs: Mind Those Passwords!
Keith Brown - July 2004
-
Security Briefs: Beware of Fully Trusted Code
Keith Brown - April 2004 The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.
-
Security Briefs: Hashing Passwords, The AllowPartiallyTrustedCallers Attribute
Keith Brown - August 2003 Keith Brown describes how you can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribute on your assembly.
-
Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003
Keith Brown - April 2003 Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.
-
Security Briefs: Managed Security Context in ASP.NET
Keith Brown - January 2002
-
Security Briefs: ASP.NET Security Issues
Keith Brown - November 2001
-
Security Briefs: The Security Support Provider Interface Revisited
Keith Brown - April 2001
-
Security Briefs: Explore the Security Support Provider Interface Using the SSPI Workbench Utility
Keith Brown - August 2000
-
Security Briefs: Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility
Keith Brown - May 2000
-
Security Briefs: Exploring Handle Security in Windows
Keith Brown - March 2000
-