Active Directory Cache DependenciesCode download available at: SecurityBriefs2007_07.exe (182 KB) Browse the Code Online If you are in the process of building an application that can be used anywhere in an enterprise, chances are you could benefit by integrating with Active Directory®. There’s a wealth of information right there for the taking if you’re willing [...]
Tag Archives: Briefs
Security Briefs: Using Protocol Transition—Tips from the Trenches
Posted by james on October 6, 2011
0 comments
Here is the same content in en-us.Using Protocol Transition—Tips from the TrenchesCode download available at: SecurityBriefs2007_01.exe (172 KB) Browse the Code Online I covered protocol transition and constrained delegation in detail in a previous Security Briefs column, where I dove in deep and looked at the underlying S4U Kerberos extensions that actually make it work. [...]
Security Briefs: Mind Those Passwords!
Posted by james on September 28, 2011
0 comments
Code download available at: SecurityBriefs0407.exe (349 KB) Browse the Code Online Passwords are necessary evils. The way most password-based authentication works these days, the length and complexity of your password is directly related to how difficult it would be for an attacker to impersonate you. For example, if you choose “password” as your password, an [...]
Security Briefs: Credentials and Delegation
Posted by james on September 4, 2011
0 comments
Code download available at: SecurityBriefs0509.exe (124 KB) Browse the Code Online I get loads of security questions from friends and former students, and recently I’ve gotten a number of questions about building secure data-driven Web sites for internal enterprise systems. I’ve decided to answer them here to hopefully save you some headaches in your own [...]
Security Briefs: Step-by-Step Guide to InfoCard
Posted by james on August 30, 2011
0 comments
Step-by-Step Guide to InfoCardCode download available at: SecurityBriefs05.exe (125 KB) Browse the Code Online In my April 2006 column I began a discussion of InfoCard, the upcoming identity metasystem, which is being prepared for release in the Windows Vista™ timeframe. If you haven’t read that column, you should definitely start there because I’m going to [...]
Security Briefs: Protect Your Site With URL Rewriting
Posted by james on August 14, 2011
0 comments
Protect Your Site With URL RewritingTim Berners-Lee once famously wrote that “cool URIs don’t change.” His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that they can remain unchanged for 200 years or more. While I understand his point, I’ll venture to [...]
Security Briefs: Getting Started With The SDL Threat Modeling Tool
Posted by james on August 8, 2011
0 comments
Getting Started With The SDL Threat Modeling Tool Figure 1 The Threat Modeling ProcessIn November 2008, Microsoft announced the general availability of the Security Development Lifecycle (SDL) Threat Modeling Tool as a free download from MSDN. This column follows a team through the process of getting started with the SDL threat modeling approach and shows [...]
Security Briefs: Protecting Your Code with Visual C++ Defenses
Posted by james on July 31, 2011
1 comment
Protecting Your Code with Visual C++ DefensesA lot of code is written in C and C++ and unfortunately a lot of this code has security vulnerabilities that many developers do not know about. Programs written in any language can have vulnerabilities that leave their users open to attack, but it’s the C and C++ languages [...]
Security Briefs: Reinvigorate your Threat Modeling Process
Posted by james on July 30, 2011
2 comments
Reinvigorate your Threat Modeling ProcessMy colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable photographs (well, those of us old enough to have photos [...]
Security Briefs: Beware of Fully Trusted Code
Posted by james on July 19, 2011
1 comment
The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don’t understand the implications of fully trusted code. So I’ve pulled together a number of examples where fully trusted code can skirt around common language runtime (CLR) [...]