Module 2: Planning for Web Application Security

This module explains the steps that are typically involved in the Webapplication design process, what role security considerations play in each ofthese steps, and finally, how these steps interrelate with one another. In thismodule, students will focus on the threat analysis step in the design process byidentifying Web-accessible assets and the threats that are posed to those assets,and by calculating the exposure of those assets to those threats. Finally, studentswill learn about developing an implementation and maintenance plan forsecuring Web applications....
Nội dung trích xuất từ tài liệu:
Module 2: Planning for Web Application Security Module 2: Planning for Web Application SecurityContentsOverview 1Lesson: A Design Process for BuildingSecure Web Applications 2Review 22Information in this document, including URL and other Internet Web site references, is subject tochange without notice. Unless otherwise noted, the example companies, organizations, products,domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,and no association with any real company, organization, product, domain name, e-mail address,logo, person, place or event is intended or should be inferred. Complying with all applicablecopyright laws is the responsibility of the user. Without limiting the rights under copyright, nopart of this document may be reproduced, stored in or introduced into a retrieval system, ortransmitted in any form or by any means (electronic, mechanical, photocopying, recording, orotherwise), or for any purpose, without the express written permission of Microsoft Corporation.Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectualproperty rights covering subject matter in this document. Except as expressly provided in anywritten license agreement from Microsoft, the furnishing of this document does not give you anylicense to these patents, trademarks, copyrights, or other intellectual property.. 2002 Microsoft Corporation. All rights reserved.Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail,JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, andWindows Media are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of theirrespective owners. Module 2: Planning for Web Application Security iiiInstructor NotesPresentation: This module explains the steps that are typically involved in the Web60 minutes application design process, what role security considerations play in each of these steps, and finally, how these steps interrelate with one another. In thisLab: module, students will focus on the threat analysis step in the design process by00 minutes identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the exposure of those assets to those threats. Finally, students will learn about developing an implementation and maintenance plan for securing Web applications. In this module, students will learn how to apply the STRIDE threat model that was covered in Module 1, “Introduction to Web Security,” in Course 2300, Developing Secure Web Applications. After completing this module, students will be able to describe the general approach to designing security into a Web application and categorize and identify the most common types of attacks, along with the potential threats that the attacks pose to systems, services, and data within their organizations.Required materials To teach this module, you need the following materials: ! Microsoft® PowerPoint® file 2300A_02.ppt ! A white board or flip chartPreparation tasks To prepare for this module: ! Read all of the materials for this module. ! Complete the practices. ! Read about the application design process in the Microsoft Solutions Framework (MSF). ! Read Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press®), 2000. ! Read the TechNet article, “Best Practices for Enterprise Security,” which is available at http://www.microsoft.com/technet/security/bestprac/ bpentsec.asp. ! Review Microsoft’s security policies, which are available at http://www.microsoft.com/technet/security/policy/policies.asp. ! Read about the STRIDE threat model in Module 1, “Introduction to Web Security,” in Course 2300, Developing Secure Web Applications, and ...