Microsoft UK's new developer security education website's main character 'Developer Dave' is not modelled on me, honest guv'nor!
The site can be found here.
The message is actually very clear that it is easy to ignore security in your developments. It's not just developers who produce websites facing the Internet that are at risk; as many recent surveys have pointed out, the largest risk of security breaches comes from inside an organisation. I'm not saying you can't trust your fellow workers, but I am saying protect your systems!
The best way to start including security is right at the start of a project by performing a STRIDE threat model:

| Term | Definition |
| --- | --- |
| Spoofing identity | Illegally obtaining access to and use of another person's authentication information, such as a user name or password. |
| Tampering with data | The malicious modification of data. |
| Repudiation | Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.) |
| Information disclosure | The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights. |
| Denial of service | An explicit attempt to prevent legitimate users from using a service or system. |
| Elevation of privilege | Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group. |
Now I'm not going to tell you how to do this model ... you really MUST buy this book (Writing Secure Code, Second Edition) to do it properly! It is a must-have for any .Net developer!
Also perform a STRIDE evaluation on your existing systems to discover how secure they are now!
And remember, the two biggest schoolboy errors are:
1) Running under Administrator privileges on your development PC. Learn to use the 'Run As' command here!
2) Running your development projects under Full Trust. Don't!
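One way to catch the second error on your own PC is to exercise code under a reduced permission set and see what breaks. The following is an added example, not code from the original post or from Microsoft's site; it assumes a .NET Framework 2.0-3.5 project using Code Access Security (CAS), which is obsolete from .NET Framework 4 and absent in .NET Core / .NET 5+, and the method and file names are made up for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the original post). Runs a piece of work with only the
// Execution permission granted to the current stack frame, so any hidden
// dependency on a privileged operation (file, registry, network) surfaces on the
// developer's PC instead of in production under a partial-trust policy.
static class PartialTrustCheck
{
    // Returns true if 'work' completed, false if CAS blocked it; 'reason' says why.
    public static bool RunsUnderMinimalTrust(Action work, out string reason)
    {
        PermissionSet minimal = new PermissionSet(PermissionState.None);
        minimal.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        minimal.PermitOnly();   // demands for anything else now fail at this frame
        try
        {
            work();
            reason = "completed";
            return true;
        }
        catch (SecurityException ex)
        {
            reason = "blocked by CAS, demanded " + ex.PermissionType;
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void Main()
    {
        // Build the path before restricting the stack: GetTempPath itself demands
        // EnvironmentPermission and would be blocked inside the restricted region.
        string auditPath = Path.Combine(Path.GetTempPath(), "dave-audit.txt");
        string why;

        // Pure computation needs nothing beyond Execution, so it passes.
        bool ok1 = RunsUnderMinimalTrust(() => { "Developer Dave".ToUpperInvariant(); }, out why);
        Console.WriteLine("string work: " + ok1 + " (" + why + ")");

        // A file write that only ever 'worked' because the dev box ran under Full Trust.
        bool ok2 = RunsUnderMinimalTrust(() => File.WriteAllText(auditPath, "entry"), out why);
        Console.WriteLine("file write:  " + ok2 + " (" + why + ")");
    }
}
```

The second call fails with a SecurityException naming FileIOPermission; that is the defect to fix (or the permission to request explicitly) before the code leaves the developer's machine.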