Security Engineering Ramp Up Training

From Guidance Share

Jump to: navigation, search

This case study shows how [patterns & practices security guidance] was used to deliver customized workshops for customers who needed a fast ramp up on integrating security into their software development life cycle (SDLC).

Contents

Scenario

  • Context: Large solution provider’s dev team
  • App Type: Web, Smart Client
  • App Function: Line of Business application.
  • Deployment: Internet/Intranet facing. Distributed N-Tier (web to remote app tier to database)
  • User base: 1000+, bank’s clients and internal users
  • Application Team: 60+ people
  • Platform/Technologies: .Net 1.1/2.0, ASPNET, IIS 6.0, Windows 2003, Authorization Manager, SQL Server 2000/2005

Context and Problem

The development team did not have dedicated security specialists that could lead and promote the topic internally. The team was looking for “official” Microsoft guidance training that included not only a technolgy overview, but also the process integration.

Solution

Using the practices and patterns security materials, including "Threats and Coutermeasures":http://msdn.com/SecNet , "Threat Modeling Web Applications":http://msdn.com/ThreatModeling , "Security Engineering Explained":http://msdn.microsoft.com/library/en-us/dnpag2/html/SecEngExplained.asp and others, we built a patterns & practices Security Engineering Workshop for the above audience. The workshop was 2 full days of intenstive technical materials. The training included the following topics:

  • Security Engineering process and activities
  • Security Architecture and Design inspection
  • Threat Modeling
  • ASPNET and IIS Security Model
  • .Net Security Fundumentals
  • Security Code inspection
  • Security Deployment Inspection
  • Live security penetaration test session [outsourced to a partner that specializes in penetration testing]

Overall the workshops were very successful. Building the workshop was largely a matter of copy pasting the guidelines from patterns & practices to slides, stripping the content and leaving the titles. Running throught the slides was very effective and efficient since it was backed by the actual guidelines refferenced in the end of the slides, so the audience could follow up easly after the intensive sessions.

Results

What was achieved for the instructor and why was this significant?

  • Instructor was faced with the challenge to get on speed the dev team for security techniques and dev practices. No official cource or other resource does not offer such materials.
  • Using p&p materilas it was fast and easy to build customized content that epmhasized the process and the deep security techical development practices

What was achieved for the team/individualts and why was this significant?

  • Team members adopted the common language for security in development in terms of “Security Frame”, got familiar with security models for involved technologies – ASPNET, NET, IIS and others– each member got his own depth of knowledge according to her role in the team.
  • Demonstrations emphasized the modular approach - once one understood the approach dev members navigated the catalog and found exactly what they needed to do the job.
Personal tools