Microsoft is pleased to announce the release of _Improving Web Application Security: Threats and Countermeasures_.

This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host in a secure network and is developed using secure design and development guidelines.

Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack. Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures. If you do not know your threats, how can you secure your system?

The guide is divided into five parts.

Part I, Introduction to Threats and Countermeasures

This part identifies and illustrates the various threats facing the network, host, and application layers. By using the threat modeling process, you can identify the threats that are relevant to your application. This sets the stage for identifying effective countermeasures. This part includes:

  Foreword by Mark Curphey
  Foreword by Joel Scambray
  Foreword by Erik Olson
  Introduction
  Solutions at a Glance
  Fast Track
  Chapter 1, Web Application Security Fundamentals
  Chapter 2, Threats and Countermeasures
  Chapter 3, Threat Modeling

Part II, Designing Secure Web Applications

This part provides the guidance you need to design your Web applications securely. Even if you have an existing application, you should review this section and then revisit the concepts, principles, and techniques that you used during your application design. This part includes:

  Chapter 4, Design Guidelines for Secure Web Applications
  Chapter 5, Architecture and Design Review

Part III, Building Secure Web Applications

This part helps you to apply the secure design practices and principles covered in the previous part to create a solid and secure implementation. You'll learn defensive coding techniques that make your code and application resilient to attack. Chapter 6 presents an overview of the .NET Framework security landscape so that you are aware of the numerous defensive options and tools that are at your disposal. Part III includes:

  Chapter 6, .NET Security Fundamentals
  Chapter 7, Building Secure Assemblies
  Chapter 8, Code Access Security in Practice
  Chapter 9, Using Code Access Security with ASP.NET
  Chapter 10, Building Secure ASP.NET Pages and Controls
  Chapter 11, Building Secure Serviced Components
  Chapter 12, Building Secure Web Services
  Chapter 13, Building Secure Remoted Components
  Chapter 14, Building Secure Data Access

Part IV, Securing Your Network, Host and Application

This part shows you how to apply security configuration settings to secure the interrelated network, host, and application levels. Rather than applying security randomly, you'll learn the reasons for the security recommendations. Part IV includes:

  Chapter 15, Securing Your Network
  Chapter 16, Securing Your Web Server
  Chapter 17, Securing Your Application Server
  Chapter 18, Securing Your Database Server
  Chapter 19, Securing Your ASP.NET Application and Web Services
  Chapter 20, Hosting Multiple ASP.NET Applications

Part V, Assessing Your Security

This part provides you with the tools you need to evaluate the success of your security efforts. It shows you how to evaluate your code and design and also how to review your deployed application, to identify potential vulnerabilities:

  Chapter 21, Code Review
  Chapter 22, Deployment Review

Finally, there are two extra sections, Checklists and How-To Articles:

  Checklist: Architecture and Design Review
  Checklist: Security Review for Managed Code
  Checklist: Securing ASP.NET
  Checklist: Securing Enterprise Services
  Checklist: Securing Web Services
  Checklist: Securing Remoting
  Checklist: Securing Data Access
  Checklist: Securing Your Network
  Checklist: Securing Your Web Server
  Checklist: Securing Your Database Server

  How To: Implement Patch Management
  How To: Harden the TCP/IP Stack
  How To: Secure Your Developer Workstation
  How To: Use IPSec for Filtering Ports and Authentication
  How To: Use IISLockdown.exe
  How To: Use the Microsoft Baseline Security Analyzer
  How To: Use URLScan
  How To: Create a Custom Encryption Permission
  How To: Use Code Access Security Policy to Constrain an Assembly

This _patterns and practices_ guide is available at:

  http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

(Note: this link may wrap in some email clients.)

Cheers,
Michael

Writing Secure Code, 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp