Microsoft Security Intelligence Report Vol. 11

By DimitriC at October 26, 2011 07:49
Filed Under: Security, Microsoft

Recently, Microsoft released the new SIR (Security Intelligence Report). This 168-page document provides an overview of all the threats that are out there:

With a collection of data from Internet services and over 600 million computers worldwide, the Security Intelligence Report (SIR) exposes the threat landscape of exploits, vulnerabilities, and malware. Awareness of threats is a preventive step to help you protect your organization, software, and people.

If you’re only interested in the threat trends in your region, you can go to the Regional Threat Assessment site and select your region.


- The SIR web site
- SIR Volume 11 (PDF)

Security Development Lifecycle resources

There are a bunch of new SDL resources available on the Microsoft Security Development Lifecycle page. For every step in the software development process (Requirements, Design, Implementation, Verification, Release) there are tools and/or training videos available. For a video giving an overview of the SDL tools, click here.

Source

Requirements

Templates:

- SDL Process Template for Visual Studio Team System 2008
- MSF-Agile + SDL Process Template for Visual Studio Team System 2010
- MSF-Agile + SDL Process Template for Visual Studio Team System 2008

Videos:


Design

SDL Threat Modeling Tool

For more information on the threat modeling tool, click here.


Implementation

FxCop

FxCop analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. For more information, click here. Watch the video here.

Anti-Cross Site Scripting Library

This library is specifically designed to help mitigate the potential of Cross-Site Scripting (XSS) attacks in web-based applications. Watch the video here.

Microsoft Code Analysis Tool .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection. Watch the video here.


Verification

BinScope Binary Analyzer

BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Watch the video here.

SDL MiniFuzz File Fuzzer

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. Watch the video here.

AppVerifier

Application Verifier is a runtime verification tool for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing. For more information, click here.

SDL Regex Fuzzer

SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Watch the video here.

Attack Surface Analyzer Beta

Attack Surface Analyzer is a tool that highlights the changes in system state, runtime parameters and securable objects on the Windows operating system.


Release

The release resources are the same templates and videos as the ones in the Requirements section.

WCF and certificate-based authentication

By DimitriC at October 06, 2011 08:30
Filed Under: Architecture, Programming, Security, tips & tricks, WCF

If you want your WCF service to use certificate-based (X.509) authentication for the users accessing your service, you’ll need to provide the right configuration on both the client and the server side. The keyword here is configuration. When I first started searching for a solution I knew it had to be done in the configuration file, but, as usual, I kind of underestimated the amount of configuring that had to be done.

Especially when you’re looking at the generated configuration file provided by Visual Studio, it’s easy to get lost in all the possible security settings. I once attended a course given by Juval Löwy (IDesign) on WCF where he applauded the fact that the WCF team had made everything configurable and at the same time warned us about the complexity that came with it.

The solution: there is an easy-to-follow example of how certificate-based authentication for WCF can be done on Mitch Denny’s blog: Using Certificate-based Authentication and Protection with Windows Communication Foundation (WCF).

He starts out by creating a simple WCF service (with one HelloWorld method) and afterwards adds the authentication configuration.

Microsoft All-in-one code framework

Something I found that might come in handy:

The Microsoft All-In-One Code Framework is a free, centralized code sample library driven by developers' needs. Our goal is to provide typical code samples for all Microsoft development technologies, and reduce developers' efforts in solving typical programming tasks.

Codeplex page

Download (from Codeplex)

Request a code sample

For a full list of downloads (sorted by technology), please check the Codeplex download page. There are samples available for C++, ASP.NET, Silverlight, Azure, Office, Windows, WPF, Windows Security, and many more…

Security Development Lifecycle Developer Starter Kit

By DimitriC at September 07, 2010 09:34
Filed Under: Microsoft, Programming, Security, SQL, Training

The SDL Developer Starter Kit offers training content and labs to help you establish a standardized approach to rolling out the SDL in your organization—or enrich your existing development practices.

It consists of 14 content modules (with speaker notes, presenter guides, and sample comprehension questions) plus eight MSDN virtual labs with lab manuals—all created to help you build a customized SDL training program for your development teams. – source

Topics covered:

- Banned APIs
- Buffer Overflows
- Code Analysis
- Compiler Defenses
- Cross-Site Scripting
- Fuzz Testing
- Secure Design Principles
- Secure Implementation Principles
- Secure Verification Principles
- Security Code Review
- Source Code Annotation Language
- SQL Injection
- Threat Modeling Principles
- Threat Modeling Tool Principles

You can download the individual videos or a package containing all videos here. The size of the individual videos varies between 14,8 MB and 38,8 MB. The complete package is 324,9 MB.

SecureString

By DimitriC at July 29, 2010 17:54
Filed Under: Programming, Security

SecureString is a sealed (non-inheritable) class in the System.Security namespace. It holds its text in encrypted form and can be disposed of (which wipes the buffer) when you’re done using it. The class is mostly used when you want to keep a piece of sensitive information in memory (e.g. social security numbers, bank account information, …). Of course, such data is normally stored in encrypted form in the database, but when you are handling a user’s request (he/she is accessing his banking records, or shopping at an online store), at some point you will need to fetch the data from the database and use it in your application.

When you want to keep sensitive information in memory, using a regular string raises some issues. It’s immutable (every time you change it, a new instance of the string is created and the old one stays behind) and it can’t be erased from memory at will. So when you’re done using it, the string lives on in memory until it’s cleaned up by the garbage collector. Since you don’t know when this will happen (it can be seconds, hours, …), your sensitive information remains readable in the process memory for that whole time.

A SecureString still holds plain text. Do note that the text you wish to keep in the SecureString object needs to be added char by char (or, when using the constructor, passed as a char pointer plus the length as an integer).

    using System;
    using System.Security;

    string aString = "This is a string";
    SecureString secureString = new SecureString();

    // The text has to be appended one character at a time.
    foreach (char c in aString)
    {
        secureString.AppendChar(c);
    }

    Console.WriteLine(aString);
    Console.WriteLine(secureString); // prints the type name, not the contents


When you execute that code, you will see that the WriteLine call that receives the SecureString as a parameter just prints the default Object.ToString() value, i.e. the type name System.Security.SecureString. This is because SecureString doesn’t override the ToString() method, nor does it provide any of the methods available on the regular string class (Substring, IndexOf, CompareTo, StartsWith, …).

Let’s have a look at what happens to your text when you use a SecureString. Once you have assigned a value to your SecureString object, you can lock it by calling the MakeReadOnly() method. The value is encrypted using DPAPI (Data Protection API), the encryption layer provided by Microsoft Windows. When you wish to use the value stored in the SecureString object, you have to go through the Marshal class (found in the System.Runtime.InteropServices namespace). Among other things, this class provides methods for allocating unmanaged memory and copying unmanaged memory blocks. This includes methods that copy the decrypted contents of your SecureString object into an unmanaged BSTR (basic string or binary string) or into a block of ANSI or Unicode memory. Each of these methods returns only a pointer (IntPtr) to that block; printing the pointer shows you an address, not the text.

    using System;
    using System.Runtime.InteropServices;
    using System.Security;

    string aString = "This is a string";
    SecureString secureString = new SecureString();

    foreach (char c in aString)
    {
        secureString.AppendChar(c);
    }

    Console.WriteLine("Reading the regular string: " + aString);
    Console.WriteLine("Reading the secure string: " + secureString);
    // Each of the three calls below allocates an unmanaged copy of the decrypted text and
    // returns its address (an IntPtr); concatenating it prints the address, not the text.
    // Every such copy must later be released with the matching Marshal.ZeroFree* method.
    Console.WriteLine("Reading the secure string (using Marshal.SecureStringToBSTR): " + Marshal.SecureStringToBSTR(secureString));
    Console.WriteLine("Reading the secure string (using Marshal.SecureStringToGlobalAllocAnsi): " + Marshal.SecureStringToGlobalAllocAnsi(secureString));
    Console.WriteLine("Reading the secure string (using Marshal.SecureStringToGlobalAllocUnicode): " + Marshal.SecureStringToGlobalAllocUnicode(secureString));


Output: [screenshot of the console output]

We can see that the Marshal methods have gotten something out of the SecureString object, but we can’t do much with it yet. To read this memory block in a manner which presents us with a string representation, the Marshal class provides the PtrToStringBSTR() method. The parameter you need to provide is the pointer to the memory block where your contents are stored. First, we need to create that pointer using the SecureStringToBSTR method (also provided by the Marshal class).

    IntPtr ptrToString = Marshal.SecureStringToBSTR(secureString);
    Console.WriteLine("Contents of ptrToString: " + ptrToString); // the address of the unmanaged BSTR
    // Note: PtrToStringBSTR builds a managed string, i.e. a plaintext copy with exactly the
    // lifetime problem described above; keep such copies as short-lived as possible.
    Console.WriteLine("Contents of memory at ptrToString as a string: " + Marshal.PtrToStringBSTR(ptrToString));


Output: [screenshot of the console output]


When converting your SecureString object to a pointer, unmanaged memory is allocated to hold the decrypted copy. This means you always have to clean it up (zero and free the block) when you no longer need it. Again, the Marshal class provides this in the form of the ZeroFreeBSTR method. This ensures that the contents of the SecureString object exist in plain text only very briefly.

    Marshal.ZeroFreeBSTR(ptrToString); // zeroes the plaintext, then frees the BSTR
    // ptrToString is now dangling; this read is only here to show that the buffer was wiped.
    Console.WriteLine("Contents of memory at ptrToString as a string: " + Marshal.PtrToStringBSTR(ptrToString));

    secureString.Dispose(); // wipes and releases the encrypted buffer as well

ptrToString still holds the old address, but the contents have been zeroed, so calling PtrToStringBSTR on it resulted in an empty string (don’t rely on this in real code: the block has been freed, so reading through the pointer is undefined behaviour). SecureString inherits from CriticalFinalizerObject, which guarantees that its finalizer is always executed (even when the thread terminates abnormally), so the buffer is cleared even if you forget to call Dispose().
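The pattern the post builds up to, as an added example that is not from the original post: build a read-only SecureString and compare two of them by reading the BSTR copies character by character, zeroing and freeing them in a finally block so that no managed string copy of the plaintext is ever created. The helper names (SecureStringDemo, ToSecure, SecureEquals) are my own; the code assumes the BSTR layout that Marshal.SecureStringToBSTR produces (a 4-byte length prefix just before the returned pointer).

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not part of the original post; helper names are invented here.
static class SecureStringDemo
{
    // Build a SecureString char by char, as the post describes, then lock it.
    static SecureString ToSecure(string s)
    {
        var ss = new SecureString();
        foreach (char c in s) ss.AppendChar(c);
        ss.MakeReadOnly();   // AppendChar/RemoveAt/Clear now throw InvalidOperationException
        return ss;
    }
    // Compare two SecureStrings without ever creating a managed string.
    // A BSTR carries its length in bytes in the 4 bytes before the pointer.
    static bool SecureEquals(SecureString a, SecureString b)
    {
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToBSTR(a);   // unmanaged, decrypted copy
            pb = Marshal.SecureStringToBSTR(b);
            int la = Marshal.ReadInt32(pa, -4) / 2;   // bytes -> UTF-16 chars
            int lb = Marshal.ReadInt32(pb, -4) / 2;
            if (la != lb) return false;
            int diff = 0;   // OR all differences so timing does not reveal the first mismatch
            for (int i = 0; i < la; i++)
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            return diff == 0;
        }
        finally
        {   // Zero and free both copies, even if an exception was thrown above.
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }
    static void Main()
    {
        using (SecureString s1 = ToSecure("This is a string"))   // Dispose() wipes the buffer
        using (SecureString s2 = ToSecure("This is a string"))
        using (SecureString s3 = ToSecure("This is a strinG"))
        {
            Console.WriteLine(SecureEquals(s1, s2));   // same contents
            Console.WriteLine(SecureEquals(s1, s3));   // last character differs
        }
    }
}
```

The plaintext only ever lives in the two unmanaged BSTRs, and both are zeroed and freed before SecureEquals returns, whether it returns normally or throws.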

[Beta] Security Compliance Manager version 1.0

By DimitriC at February 11, 2010 13:45
Filed Under: Microsoft, Configuration Manager, Security

As found on The System Center Team blog:

Security Compliance Manager version 1.0 provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. Join the beta review program for Security Compliance Manager version 1.0, and get the tools and guidance you need to better balance your organization's needs for security and functionality.

Direct link: Microsoft Connect
Complete listing of Solution Accelerators