There's a LOT More to Building Security Software than Software Security

Mark Curphey here.....

I often get asked exactly what I do for a living at Microsoft. Many people associate my name with OWASP, my personal blog and software security in general. When I say I am a PUM (Product Unit Manager) and run a team that builds security tools, most people understandably assume that we are only focused on software security or application security tools (preventing vulnerabilities or attacks). Part of this, of course, may be because the current bloggers on this blog are the Anti-XSS development team! Given we build technology to support the corporate security program, the remit is actually pretty wide, and software security tools like Anti-XSS and the Threat Modelling tools make up a relatively small part of the portfolio. In the coming weeks we will start to discuss some of the security management tools we are going to be working on, but I wanted to highlight some of the Microsoft technology we are either using or considering using. Many people forget the sheer range of technology we have available to build feature-rich security management applications.

.NET WCF - Windows Communication Foundation - Rich set of APIs for building connected systems (think SOA). It includes the ability to build services that talk WS-Security and can do XML digital signatures etc.

.NET WWF - Windows Workflow Foundation - An awesome business process management suite of technologies including process design tools, process execution engines, business rules engines and business activity monitoring technology. If you think BPM is just workflow I encourage you to look hard at BPM technologies. We think BPM will revolutionize the way people manage information security in the future.

BizTalk - An integration technology for building SOAs. It includes some BPM capability.

Performance Point - Performance Point is a data analytics and Business Intelligence server. Basically you can pull in data, crunch it and produce reporting (including dashboards). It supports interesting methodologies such as Balanced Score Cards.

CardSpace - InfoCards that can be extended.

Zermatt - New claims-based ID management framework that can be used to build claims-based authentication and authorization systems. Combine with CardSpace and SmartCards and .......

CodePlex - It's worth noting that there is a great deal of excellent code out on CodePlex such as the Enterprise Library and the Enterprise Services Bus.

Then consider things like ADFS, SharePoint, SQL 2008 (full encryption of the DB on the fly) and it's a rich set of technology on which to build applications.

Next week I will walk you through a proof of concept we recently built to explore how some of this technology could be applied to the application security assessment space.