The process of threat modeling is built on a simple principle: To build a feasibly secure system, one must understand all the threats in that system. The challenge, however, is in making threat modeling more accessible to non-specialists. Microsoft has developed a process through which minimal input can produce a feature-rich threat model that identifies a wide range of critical information including contextual threats, trust boundaries, fracture points, attack surfaces, and direct and transitive access control. This podcast describes and demonstrates this threat modeling process, outlines its benefits, and shows how threat modeling fits into the Microsoft Security Development Lifecycle.

Download & Listen

Six labs, both available in C# and VB.NET. Download (nuff said)

From the download page: The Microsoft Consolas Font Family is a set of highly legible fonts designed for ClearType. It is intended for use in programming environments and other circumstances where a monospaced font is specified. This installation package will set the default font for Visual Studio to Consolas.

To give you an idea how this Consolas looks like in VS I have created a before / after screenshot comparison - here is the "before" screenshot:

And this is how it looks after installation of the Consolas font pack:

Found this on Alex' blog (he posted it in German last week): Microsoft UK has released a document (PDF) titled "The Developer Highway Code" (The drive for safer coding), which covers the following topics:

• Integrating Security into the Lifecycle
• Security Objectives
• Web Application Security Design Guidelines 
• Threat Modelling
• Security Architecture and Design
• Security Code Review
• Security Deployment Review

The document covers v1 and v2 of the .NET Framework, and it does contain useful checklists. Be sure to grab it!

Back from holidays, catching up with news, I stumbled across the article New Microsoft browser raises Google's hackles. IE7 Beta 2 was released last week, and because it sported an x64 version I installed it yesterday. And immediately tried the search box that Google is complaining about loudly. Guess what - I had it changed to Google (my personal favorite search engine) in seconds (even making it the default search provider):

The UI wasn't all that unfamiliar at all, let's take a look at Firefox (my personal favorite browser):

Note that these are the default out of the box search providers as defined by Firefox, and there is no MSN in there by default at all. But you can add it if you want (just for laughs, check out IE7's as well as Firefox's add engines/providers pages, they look very, very similar indeed).

<opinion>
So, does that constitute the claimed "unfair grab of Web traffic?" No, unless you go the whole nine yards and force every single browser vendor on the planet (including "Old Europe") to ship their products with zero preconfigured search providers. And hey, IE7 will be a separate download, so why doesn't Google add a browser product to their portfolio?
</opinion>

Not having wireless access at MS' office in Austria was the last straw - I finally decided to shell out the money for a 3G data card & associated mobile broadband account. The thing that really surprised me: upon ordering, it only took one day for delivery, and most surprising of all - it worked the first time (maybe thanks to the fact that it ships with a crystal-clear one page only "manual"). No more paying through the nose for egregiously expensive WLAN hotspots at hotels!

A friend of mine pointed me to the article The Windows Vista Developer Story: Application Compatibility, Migration, and Interoperability quite some time ago (shame on me for not mentioning it earlier). It is a very useful resource when you have to deal with adapting existing applications for the changes that come with Windows Vista.

Topics of this article include:

• Thirty-Minute Compatibility Check
• Operating System Versioning
• User Account Control
• Windows Resource Protection (WRP)
• Internet Explorer Protected Mode
• Windows Vista 64-bit
• Microsoft Graphical Identification and Authentication (GINA)
• Session 0 Isolation
• Networking: TCP/IP Stack and the Windows Filtering Platform
• Networking: Kernel Mode IP Helper APIs
• Networking: IPv6
• Compatibility Risks

If you ever consider using NGen with your .NET applications, then you simply MUST read the article The Performance Benefits of NGen in the current issue of MSDN Magazine. It can't get any more authoritative than that (the author Surupa Biswas works on the runtime's back-end compiler and focuses primarily on pre-compilation technologies).

During the MVP Open Day in Munich last week (Friday & Saturday), we had a presentation by Talhah Mir (ACE Team, Threat Modeling blogs) on threat modeling - which (I hope) everyone is familiar by now. During the talk, he pointed us to an interesting resource: A Chronology of Data Breaches from the Privacy Rights Clearinghouse. Quite an interesting list of incidents, which gives you an idea of the ratio of actual hacking vs dishonest insider, as well as other types of security breaches.

There is one feature coming with IIS 7 (http.sys, as such it is more an OS feature) that I have been waiting for a long time: being able to see what's in the kernel cache! The key to this new supercool feature is the netsh command:

C:\Users\Administrator>netsh http show cachestate ?

Usage: show cachestate [[url=]<string>]

Parameters:

    Tag       Value
    url   -   Fully qualified URL. If unspecified, implies all
              URLs. The URL could also be a prefix to registered URLs

Remarks: This command lists all resources and their associated properties
         that are cached in HTTP response cache or displays a single
         resource and its associated properties.

Examples:
      show cachestate url=http://www.myhost.com:80/myresource
      show cachestate

Some information can be obtained in the article New Networking Features in Windows Server "Longhorn" and Windows Vista (you can even flush the cache), and here is how it works if you browse to the default Web site of IIS 7:

C:\Users\Administrator>netsh http show cachestate http://localhost

Snapshot of HTTP response cache:
--------------------------------

URL: http://localhost:80/pagerror.gif
    Status code: 200
    HTTP verb: GET
    Cache policy type: User invalidates
    Creation time: 2006.3.21:23.30.16:0
    Request queue name: DefaultAppPool
    Headers length: 187
    Content length: 2806
    Hit count: 1
    Force disconnect after serving: FALSE

URL: http://localhost:80/iisstart.htm
    Status code: 200
    HTTP verb: GET
    Cache policy type: User invalidates
    Creation time: 2006.3.21:23.30.14:0
    Request queue name: DefaultAppPool
    Headers length: 233
    Content length: 774
    Hit count: 1
    Force disconnect after serving: FALSE

Tracking caching behavior will be so much easier.