
Wednesday, October 1, 2008

SQL Server 2005 Security and the Microsoft Developer's Security Resource Kit

What is the Microsoft Developer's Security Resource Kit?

The Microsoft Developer Security Resource Kit is a single resource that provides security-related development guidance. Its contents include best practices, how-to guides, code samples and sample applications, training, and white papers on security topics. This must-have DVD is available free for a limited time — you pay only a small shipping & handling charge. The resource kit is proof that developing more secure applications is easier than you thought, and with this free offer, there is no better time to order your own copy.

What kind of tools are included with the Resource Kit?

Tools available on the resource kit include training, code samples and sample applications, how-to guides, security best practices, and development checklists. It also includes an index of tools developers can use to analyze code for security flaws, detect errors, and test for compatibility issues. The resource kit brings all this essential content together in one place so it's at your fingertips.

Who needs a copy of it?

Every Microsoft developer needs a copy of the resource kit. The Microsoft Developer Security Resource Kit makes it easier to develop more secure applications by putting a wealth of information at your fingertips. The resource kit is essential to developers to get up to speed on the latest security best practices and learn how to incorporate these best practices into their code. For developers who are already familiar with many security best practices, the resource kit also includes numerous useful code samples and sample applications, and access to free tools developers can use to analyze their code.

What, inside the Resource Kit, is of use directly to SQL Server 2000 and SQL Server 2005 developers? How can this be applied to them?

The guidance for SQL developers is relevant to users of both SQL Server 2000 and SQL Server 2005. While the Security Resource Kit does not go into specific security features of SQL Server 2005, it does provide a link for users to order an evaluation copy for just shipping and handling to explore it on their own and compare.

What are the biggest security threats to SQL Server 2000 and SQL Server 2005?

I don't have any specific information on this. Listings for threats and vulnerabilities for Microsoft products can be found on any number of security research and statistics websites such as www.secunia.com.

Which is the bigger security problem, and why: the code written to access SQL Server or SQL Server itself?

A platform is only as secure as the applications that are written upon it. This is true for all platform providers. Microsoft recognizes the importance of educating our customers and everyone on how to write more secure applications using these best practices and how to leverage the tools and technologies Microsoft has created to help them do this.

What are some of the best practices that SQL Server developers can follow to enhance the security of their application?

The resource kit provides several training modules on protecting and defending your SQL database, numerous SQL Server how-to guides, and a useful tool for executing SQL queries. Specifics include techniques from input validation at the application layer to the use of stored procedures and parameters in their SQL calls rather than allowing free-form SQL query access.
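The practices named in this answer, shown in T-SQL as an added example that is not taken from the resource kit or the interview: a procedure that concatenates its input into the statement, beside a parameterized procedure with input validation. The table, procedure names and sample value are hypothetical.

```sql
-- Constructed sample table (hypothetical names, not from the resource kit).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(100) NOT NULL
);
GO

-- Weak form: the caller's text becomes part of the statement itself,
-- so the input can change what the query does.
CREATE PROCEDURE dbo.FindCustomer_Concatenated
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(400);
    SET @sql = N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Corrected form: the statement is fixed at creation time and the value
-- is only ever compared as typed data.
CREATE PROCEDURE dbo.FindCustomer
    @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Input validation as a second layer: reject missing or blank input.
    IF @LastName IS NULL OR LEN(@LastName) = 0
    BEGIN
        RAISERROR(N'LastName is required.', 16, 1);
        RETURN;
    END
    SELECT CustomerId, LastName, Email
    FROM dbo.Customers
    WHERE LastName = @LastName;
END
GO

-- Where dynamic SQL cannot be avoided, bind the value with sp_executesql
-- instead of building it into the string. Sample value is constructed.
DECLARE @name NVARCHAR(50);
SET @name = N'O''Brien';
EXEC sp_executesql
    N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = @LastName',
    N'@LastName NVARCHAR(50)',
    @LastName = @name;
```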

What features in SQL Server 2005 have been added to help enhance security from a developer's perspective?

Here's an excerpt from the "What's new in SQL Server 2005" website that helps to answer this question.

Security

SQL Server 2005 makes significant enhancements to the security model of the database platform, with the intention of providing more precise and flexible control to enable tighter security of the data. A considerable investment has been made in a number of features to provide a high level of security for your enterprise data including the following:

  • Enforcing policies for SQL Server login passwords in the authentication space.
  • Providing for more granularity in terms of specifying permissions at various scopes in the authorization space.
  • Allowing for the separation of owners and schemas in the security management space.

Authorization

A new security model in SQL Server 2005 allows administrators to manage permissions at a granular level and at a designated scope, making management of permissions easier as well as ensuring that the principle of least privileges is upheld. SQL Server 2005 lets you specify a context under which statements in a module execute. This feature also acts as an excellent mechanism for granular permission management.


Authentication

SQL Server 2005 clustering supports Kerberos authentication against a SQL Server 2005 virtual server. Administrators can specify Microsoft Windows-style policies on standard logins so that a consistent policy is applied across all accounts in the domain.

Native Encryption

SQL Server 2005 supports encryption capabilities within the database itself, fully integrated with a key management infrastructure. By default, client/server communications are encrypted. To centralize security assurance, server policy can be defined to reject unencrypted communications.

SQL Server and Trustworthy Computing

The Microsoft Trustworthy Computing initiative outlines a framework that defines the steps necessary to support more secure computing as well as measures that help you deploy and maintain a more secure environment. These steps help to protect the confidentiality, integrity, and availability of data and systems at every phase of the software life cycle — from design, to delivery, to maintenance. To uphold the four tenets of the Trustworthy Computing initiative, Microsoft and the SQL Server team have addressed the following issues:

  • Secure by design. The SQL Server development team conducted multiple security audits and spent more than two months studying SQL Server components and the interaction between them. For each potential security threat, the team did a threat analysis to evaluate the issue and completed additional design and testing work to neutralize potential security issues. Because of these design efforts, SQL Server 2005 includes many new server security features.
  • Secure by default. Upon installation, SQL Server 2005 chooses the right set of configuration values for all setup options, ensuring that when a new system is installed, it will be in a secure state by default.
  • Secure in deployment. Microsoft has created content to help organizations deploy SQL Server using the proper security credentials and to fully understand the steps and permissions required. SQL Server deployment tools provide the information necessary to understand the decisions you need to make during deployment. Security updates are easy to find and install — and if you choose the option, the updates install automatically. Tools are also available to help you assess and manage security risks across organizations.
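The password policy, owner/schema separation, scoped permissions and execution context listed in the excerpt above, combined in one T-SQL script. This is an added example, not code from the Microsoft excerpt or the resource kit; the database, login, user, schema and object names are hypothetical and the password is a placeholder to replace.

```sql
-- Authentication: apply the Windows password policy to a SQL Server login.
CREATE LOGIN app_login
    WITH PASSWORD = N'<replace-with-strong-password>',  -- placeholder
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO
USE SalesDb;  -- hypothetical database
GO
CREATE USER app_user FOR LOGIN app_login;
-- Owner/schema separation: the schema is owned by a user nobody logs in as.
CREATE USER reporting_owner WITHOUT LOGIN;
GO
CREATE SCHEMA Reporting AUTHORIZATION reporting_owner;
GO
CREATE SCHEMA App AUTHORIZATION dbo;
GO
CREATE TABLE Reporting.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT   NOT NULL,
    Total      MONEY NOT NULL
);
GO
-- Execution context: the module runs as reporting_owner, so callers
-- need no permission on the table it reads.
CREATE PROCEDURE App.GetOrderCount
    @CustomerId INT
WITH EXECUTE AS 'reporting_owner'
AS
BEGIN
    SET NOCOUNT ON;
    SELECT COUNT(*) AS OrderCount
    FROM Reporting.Orders
    WHERE CustomerId = @CustomerId;
END
GO
-- Granular permission: one right on one object, nothing on the schema.
GRANT EXECUTE ON OBJECT::App.GetOrderCount TO app_user;
GO
-- Checks: policy flags on the login, then the application user's view.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = N'app_login';

EXECUTE AS USER = 'app_user';
EXEC App.GetOrderCount @CustomerId = 1;  -- allowed through the procedure
SELECT * FROM Reporting.Orders;          -- fails: SELECT permission denied
REVERT;
```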

How does one get a copy of the Microsoft Developer's Security Resource Kit?

To order a copy of the resource kit, click the following link and follow the simple steps to get your own resource kit.

http://go.microsoft.com/fwlink/?LinkId=62744

The Microsoft Developer Security Resource Kit is available free for a limited time. Users pay only a small shipping & handling charge.
