Re: Foundstone Hacme Books and .NET Security Toolkit

[<dotnetdeveloper () hushmail com>]

Nice. Another nice approach of an HTTP Module versus a proxy is 
that you can re-write stuff in the fly. OWASP Bad crypto as an 
example. Trap the CAPI calls made by a bad app and replace the 
crypto with a better version. Nice ! Smart thinking, good R&D. 
> -----Original Message-----
> From: Mark Curphey [mailto:mark () curphey com] 
> Sent: Tuesday, March 08, 2005 12:08 PM
> To: webappsec () securityfocus com
> Subject: Foundstone Hacme Books and .NET Security Toolkit
>
> Just to let you know we have released some more free tools this 
> morning.
>
> Hacme Books is a full Java bookstore similar to Hacme Bank but 
> this time
> built like a real application. Full source code will be available 
> (released
> next week) and all code includes unit tests etc. It's not a 
> vanilla JSP type
> app that are so often used when demonstrating security. It follows 
> an MVC
> with an Inversion of Control design pattern. You can get the 
> solution guide
> in PDF with screen shots here;
>
> http://www.foundstone.com/resources/whitepapers/hacmebooks_userguid
> e.pdf
>
> We will be integrating this with the Hacme Bank V2 (using web 
> services) at
> some point soon. Hacme Books was written by Dave Raphael this 
> lists
> moderator.
>
> We also released part of the Foundstone S3i .NET Security Toolkit. 
> The two
> components this week are the Validator.NET and the Visio SecureUML 
> template.
>
>
> Validator.NET is a proof of concept tool to explore better ways to 
> do
> validation than the HTTP proxy approach (aka web app firewall) for 
> apps
> where you can't modify the code. It provides a GUI to point to an 
> assembly
> and uses the reflection API to determine the web controls and 
> subsequent
> forms. It then provides a GUI to build contextual validation rules 
> that can
> be saved as an XML rules file. We then provide an HTTP module to 
> load the
> rules into. It is proof of concept and is not a production ready 
> tool. It
> doesn't look at cookies and other key things for instance. 
>
> "The Foundstone Validator.NET tool is an important resource for 
> malicious
> input testing for ASP.NET Web applications," said Michael Howard, 
> senior
> security program manager at Microsoft Corp., and co-author of 
> Writing Secure
> Code.  
>
> http://www.foundstone.com/resources/termsofuse.htm?file=validator.z
> ip
>
> SecureUML is a Visio template to do SecureUML Roles Bases Access 
> Control
> Modeling. The whitepaper that comes with the tool has some 
> examples. 
>
> http://www.foundstone.com/resources/termsofuse.htm?file=secureuml.z
> ip
>
> Next week well add to the toolkit the .NET Mon which is to the 
> .NET CLR what
> filemon or regmon is to windows. This tool is very powerful for 
> code reviews
> watching the CLR to see how it really enforces the security 
> restrictions. 
>
> We have a few more coming in the next few weeks, one to do cookie 
> analysis
> using 2nd order phase state analysis and a web services version of 
> a fuzzer
> like SPIKE.
>
> Enjoy.



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427