According to research firm Gartner, the trend in attacks is moving toward applications instead of infrastructure, so for me as an application architect, security is more important than ever. When I was preparing the "Application Security" course, I asked myself: "Which subjects should we study to improve our knowledge of application security?" I think security affects all the main activities of the software development lifecycle, such as analysis, design, architecture, build, test and deployment. The following are my top ten books on security; they help bring security into the application development lifecycle, introduce security design guidelines, discuss cryptography best practices, explain security engineering, and cover a lot of other significant material that is waiting for you to read it!

Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World

Author: Michael Howard
ISBN: 9780735617223

.NET Development Security Solutions

Author: John Paul Mueller
ISBN: 9780782142662

The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software

Author: Michael Howard
ISBN: 9780735622142

Security Engineering Explained

Author: Microsoft

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Author: Michael Howard
ISBN: 9780071626750

WCF Security Guide: Scenarios and Implementation Guidance for WCF

Author: Microsoft

Foundations of Security: What Every Programmer Needs to Know (Expert's Voice)

Author: Neil Daswani
ISBN: 9781590597842

SOA Security

Author: Ramarao Kanneganti
ISBN: 9781932394689

A Guide to Claims-Based Identity and Access Control (Patterns & Practices)

Author: Dominick Baier
ISBN: 9780735640597

Ajax Security

Author: Billy Hoffman
ISBN: 9780321491930

Introduction


Today, almost all systems are connected, and the security aspect of an application is more important than in the past. According to Gartner, the trend of attacks has shifted from networks and infrastructure to applications. To develop secure applications, we need to change how we think about security. We must create awareness in our development team (or in our organization), train team members in security concerns, integrate security into the development life cycle, model threats, review application components to find security vulnerabilities, use experts to perform penetration tests, provide an infrastructure for delivering security patches to users as soon as possible, and so on.

By using proper tools for developing and deploying secure applications, we ensure that modeling, reviewing and analyzing the security aspects of an application is more structured, accurate and fast. But which types of security tools do we need?


Sample Scenario

Suppose you are developing a software application that will be deployed on a server. The following figure depicts the scenario:

Types of Security Tools

The following are the types of security tools that a developer needs to model, develop and deploy software solutions:

  • Development Tools
    • Threat Modeling Tools
    • Security Guidelines Analyzer Tools
    • Vulnerability Code Analyzer Tools
  • Deployment Tools
    • Signing Tools
    • Obfuscator Tools
    • Configuration Analyzer Tools
    • Secure Auto-Update Tools
    • Application Firewall Tools
  • Penetration Tools
    • Resource Enumerator Tools
    • Vulnerability Scanner Tools

Security Tools Usage in Sample Scenario

After six months, I have almost finished developing my latest course: Application Security! The following topics are discussed in this course:

Session 1- Introduction

  • Introduction to Security
  • Main Concepts
  • Authentication, Authorization, Auditing
  • Confidentiality, Integrity, Availability

Session 2- Top Ten Security Bugs (1)

  • SQL Injection
  • DOM-based XSS
  • Stored XSS
  • HTTP Response Splitting
  • Cross-site Request Forgery

Session 3- Top Ten Security Bugs (2)

  • Predictable Cookie
  • Hidden Fields
  • Executing Code with Too much Privilege
  • Mobile Code
  • Use of Weak Password-based System

Session 4- Threat Modeling

  • STRIDE Approach
  • Microsoft Security Development Lifecycle (SDL)

Session 5- Code Access Security

  • CAS Basics
  • Writing Secure Assemblies
  • Controlling Access Permission

Session 6- Cryptography

  • Hashing
  • Symmetric Algorithms
  • Asymmetric Algorithms

Session 7- ASP.Net Security

  • Forms Authentication/Membership/Role Management Overview
  • Implementing Custom Role Provider
  • Top Ten Security Mistakes in ASP.Net

Session 8- IIS/ SQL Server Security

  • Authentication in IIS
  • Implementing HTTPS

Session 9- Active Directory

  • Active Directory Integration
  • Active Directory Application Mode (ADAM)
  • Active Directory Federation Services Overview

Session 10- WCF Security

  • Security Types
  • Using Certificates
  • Federated Security Overview

Session 11- Designing Authentication/Cryptography Mechanisms

  • Implementing Single-Sign-On
  • Using Application Service Client Profile
  • Using Security Application Block

Session 12- Designing Authorization Mechanism

  • RBAC Standard
  • Using Authorization Manager

Session 13- ISO 27001 Overview

  • Basics of ISO 27001
  • ISO 27001 Processes

Session 14- Security Tools

  • Code Analysis Tools
  • Threat Modeling Tools
  • Security Test Tools

About this blog

Blogging some thoughts about technical issues in the following areas: Application Architecture, IT Governance, Security, Performance, Patterns and so on.