Slides from the dataMinds Connect 2018 conference, hosted at Ghelamco Arena in Ghent by the Belgian SQL Server User Group. SECDev(OPS): How to embrace your security.
3. AGENDA
1 | Security Foundation for DBA/DEV/OPS
2 | Well-Known Risk Manuals (ABC)
a| OWASP4WP
b| OWASP4MP
c| SANS/CIS
3 | SQL Server Security Best Practices
4 | Security Day by Day for DBA/DEV/OPS
5 | The Stack For You
6 | Summary
Appendix
7. Categorizing Security - part 1
{IT REALM}
Application security | http://bit.ly/18u8J6p
Computing security | http://bit.ly/1ARdRLd
Data security | http://bit.ly/185wfph
Information security | http://bit.ly/1ARe0ya
Network security | http://bit.ly/1C443R8
8. Categorizing Security - part 2
{PHYSICAL REALM}
Airport security | http://bit.ly/1LPZcCZ
Food security | http://bit.ly/1MYnii6
Home security | http://bit.ly/1Gz3VI1
Infrastructure security | http://bit.ly/1Bm8LIF
Physical security | http://bit.ly/1Gz3VI1
Port security | http://bit.ly/1ARewMH
Supply chain security | http://bit.ly/1Ex7ob7
School security | http://bit.ly/17Dl735
Shopping center security | http://bit.ly/1EUb1FV
9. Categorizing Security - part 3
{POLITICAL REALM}
Homeland security | http://bit.ly/1AAwZhE
Human security | http://bit.ly/1DhojtU
International security | http://bit.ly/1MYoyli
National security | http://bit.ly/1FEnldu
Public security | http://bit.ly/1wqpX9P
10. Categorizing Security - part 4
{MY OPS REALM}
application security
computing security
data security
information security
network security
home security
infrastructure security
physical security
national security
public security
11. 2 | Well-Known Risk Factors (OSSTMM/OWASP/SANS)
12. Security? What is this?
Security is the degree of resistance to, or protection from, harm. It applies to any
vulnerable and valuable asset, such as a person, dwelling, community, nation, or
organization.
As noted by the Institute for Security and Open Methodologies (ISECOM) in the
OSSTMM 3 (Open Source Security Testing Methodology Manual), security provides
"a form of protection where a separation is created between the assets and the
threat." These separations are generically called "controls," and sometimes include
changes to the asset or the threat.
http://www.isecom.org/research/
13. The Open Source Security Testing Methodology Manual
1 – What You Need to Know
2 – What You Need to Do
3 – Security Analysis
4 – Operational Security Metrics
5 – Trust Analysis
6 – Work Flow
7 – Human Security Testing
8 – Physical Security Testing
9 – Wireless Security Testing
10 – Telecommunications Security Testing
11 – Data Networks Security Testing
12 – Compliance
13 – Reporting with the STAR
14 – What You Get
15 – Open Methodology License
14. The Open Web Application Security Project
The OWASP Foundation came online on December 1st, 2001; it was established as a
not-for-profit charitable organization in the United States on April 21, 2004 to
ensure the ongoing availability and support for our work at OWASP. OWASP is an
international organization and the OWASP Foundation supports OWASP efforts
around the world. OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and maintain applications
that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to
anyone interested in improving application security. We advocate approaching
application security as a people, process, and technology problem because the
most effective approaches to application security include improvements in all of
these areas. We can be found at www.owasp.org.
15. a) Top 10 Application Security Risks for Web Apps (2013-20xx)
16. Top 10 Application Security Risks for Web Apps
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs
17. Top 10 Security Risks for Web Apps
Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted
data is sent to an interpreter as part of a command or query. The attacker’s
hostile data can trick the interpreter into executing unintended commands or
accessing data without proper authorization.
A1: Injection
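For a DBA the most common form of the injection flaw described above is dynamic SQL built inside T-SQL itself. The following is an added example, not code from the slides; the table, procedure and parameter names are assumed for illustration. It places a vulnerable procedure next to a hardened one that passes the value as a typed parameter through sp_executesql and allow-lists the one identifier that cannot be parameterised.

```sql
-- Added example, not from the slide deck. Object names (dbo.Customer, the two
-- procedures, @Email, @SortColumn, AppReader) are assumed for illustration.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    Balance    DECIMAL(18,2) NOT NULL
);
GO

-- VULNERABLE: the caller's value is pasted into the command text. A single
-- quote inside @Email closes the string literal early and whatever follows is
-- parsed by the interpreter as SQL, which is exactly the A1 failure mode.
CREATE PROCEDURE dbo.GetCustomer_Unsafe
    @Email NVARCHAR(256)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, Balance FROM dbo.Customer '
      + N'WHERE Email = ''' + @Email + N'''';
    EXEC (@sql);   -- data and code reach the engine as one string
END;
GO

-- HARDENED: the statement has a fixed shape; the value travels as a typed
-- parameter, so it is compared, never parsed. An ORDER BY column cannot be a
-- parameter, so it is checked against an allow-list and wrapped in QUOTENAME.
CREATE PROCEDURE dbo.GetCustomer_Safe
    @Email      NVARCHAR(256),
    @SortColumn sysname = N'CustomerId'
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'Email', N'Balance')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, Balance FROM dbo.Customer '
      + N'WHERE Email = @p_email ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    EXEC sys.sp_executesql
        @sql,
        N'@p_email NVARCHAR(256)',
        @p_email = @Email;
END;
GO

-- Least privilege for the application account: it may run the procedure but
-- holds no direct permission on the table, which limits what any remaining
-- flaw in the application can read.
CREATE ROLE AppReader;
GRANT EXECUTE ON dbo.GetCustomer_Safe TO AppReader;
GO
```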
18. Top 10 Security Risks for Web Apps
Application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other
users’ identities (temporarily or permanently).
A2: Broken Authentication and Session Management
19. Top 10 Security Risks for Web Apps
XSS flaws occur whenever an application includes untrusted data in a new web
page without proper validation or escaping, or updates an existing web page
with user supplied data using a browser API that can create JavaScript. XSS
allows attackers to execute scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious sites.
A3: Cross-Site Scripting (XSS)
20. Top 10 Security Risks for Web Apps
Restrictions on what authenticated users are allowed to do are not properly
enforced. Attackers can exploit these flaws to access unauthorized functionality
and/or data, such as access other users' accounts, view sensitive files, modify
other users’ data, change access rights, etc.
A4: Broken Access Control
21. Top 10 Security Risks for Web Apps
Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server,
platform, etc. Secure settings should be defined, implemented, and
maintained, as defaults are often insecure. Additionally, software should be
kept up to date.
A5: Security Misconfiguration
22. Top 10 Security Risks for Web Apps
Many web applications and APIs do not properly protect sensitive data, such as
financial, healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data deserves extra protection such as encryption at rest or in transit,
as well as special precautions when exchanged with the browser.
A6: Sensitive Data Exposure
23. Top 10 Security Risks for Web Apps
The majority of applications and APIs lack the basic ability to detect, prevent, and
respond to both manual and automated attacks. Attack protection goes far
beyond basic input validation and involves automatically detecting, logging,
responding, and even blocking exploit attempts. Application owners also need
to be able to deploy patches quickly to protect against attacks.
A7: Insufficient Attack Protection
24. Top 10 Security Risks for Web Apps
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically included
authentication information, to a vulnerable web application. Such an attack
allows the attacker to force a victim’s browser to generate requests the
vulnerable application thinks are legitimate requests from the victim.
A8: Cross-Site Request Forgery (CSRF)
25. Top 10 Security Risks for Web Apps
Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application. If a vulnerable component is exploited,
such an attack can facilitate serious data loss or server takeover. Applications
and APIs using components with known vulnerabilities may undermine
application defenses and enable various attacks and impacts.
A9: Using Components with Known Vulnerabilities
26. Top 10 Security Risks for Web Apps
Modern applications often involve rich client applications and APIs, such as
JavaScript in the browser and mobile apps, that connect to an API of some kind
(SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and
contain numerous vulnerabilities.
A10: Underprotected APIs
27. b) Top 10 Application Security Risks for Mobile Apps (2016)
28. Top 10 Application Security Risks for Mobile Apps
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
29. Top 10 Security Risks for Mobile Apps
This category covers misuse of a platform feature or failure to use platform security controls.
It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or
some other security control that is part of the mobile operating system. There are several
ways that mobile apps can experience this risk.
M1: Improper Platform Usage
30. Top 10 Security Risks for Mobile Apps
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers
insecure data storage and unintended data leakage.
M2: Insecure Data Storage
31. Top 10 Security Risks for Mobile Apps
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext
communication of sensitive assets, etc.
M3: Insecure Communication
32. Top 10 Security Risks for Mobile Apps
This category captures notions of authenticating the end user or bad session management.
This can include:
➢ Failing to identify the user at all when that should be required
➢ Failure to maintain the user's identity when it is required
➢ Weaknesses in session management
M4: Insecure Authentication
33. Top 10 Security Risks for Mobile Apps
The code applies cryptography to a sensitive information asset. However, the cryptography is
insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3.
Also, if the app fails to use cryptography at all when it should, that probably belongs in M2.
This category is for issues where cryptography was attempted, but it wasn't done correctly.
M5: Insufficient Cryptography
34. Top 10 Security Risks for Mobile Apps
This is a category to capture any failures in authorization (e.g., authorization decisions in the
client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device
enrolment, user identification, etc.). If the app does not authenticate users at all in a
situation where it should (e.g., granting anonymous access to some resource or service when
authenticated and authorized access is required), then that is an authentication failure not
an authorization failure.
M6: Insecure Authorization
35. Top 10 Security Risks for Mobile Apps
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories.
This would be the catch-all for code-level implementation problems in the mobile client.
That's distinct from server-side coding mistakes. This would capture things like buffer
overflows, format string vulnerabilities, and various other code-level mistakes where the
solution is to rewrite some code that's running on the mobile device.
M7: Client Code Quality
36. Top 10 Security Risks for Mobile Apps
This category covers binary patching, local resource modification, method hooking, method
swizzling, and dynamic memory modification. Once the application is delivered to the mobile
device, the code and data resources are resident there. An attacker can either directly modify
the code, change the contents of memory dynamically, change or replace the system APIs
that the application uses, or modify the application's data and resources. This can provide
the attacker a direct method of subverting the intended use of the software for personal or
monetary gain.
M8: Code Tampering
37. Top 10 Security Risks for Mobile Apps
This category includes analysis of the final core binary to determine its source code, libraries,
algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary
inspection tools give the attacker insight into the inner workings of the application. This may
be used to exploit other nascent vulnerabilities in the application, as well as revealing
information about back end servers, cryptographic constants and ciphers, and intellectual
property.
M9: Reverse Engineering
38. Top 10 Security Risks for Mobile Apps
Often, developers include hidden backdoor functionality or other internal development
security controls that are not intended to be released into a production environment. For
example, a developer may accidentally include a password as a comment in a hybrid app.
Another example includes disabling of 2-factor authentication during testing.
M10: Extraneous Functionality
41. CIS Critical Security Control
1. Inventory of Authorized & Unauthorized Devices:
Actively manage (inventory, track & correct) all hardware devices on the network so that only
authorized devices are given access, and unauthorized & unmanaged devices are found and
prevented from gaining access.
42. CIS Critical Security Control
2. Inventory of Authorized & Unauthorized Software:
Actively manage (inventory, track & correct) all software on the network so that only
authorized software is installed and can execute, and that unauthorized & unmanaged
software is found and prevented from installation or execution.
43. CIS Critical Security Control
3. Secure Configurations for Hardware & Software
on Mobile Devices, Laptops, Workstations, & Servers:
Establish, implement, and actively manage (track, report on, correct) the security
configuration of laptops, servers, workstations using a rigorous configuration management
and change control process in order to prevent attackers from exploiting vulnerable services
and settings.
44. CIS Critical Security Control
4. Continuous Vulnerability Assessment & Remediation:
Continuously acquire, assess, and take action on new information in order to identify
vulnerabilities, remediate, & minimize the window of opportunity for attackers.
45. CIS Critical Security Control
5. Controlled Use of Administrative Privileges:
The processes and tools used to track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on computers, networks, and applications.
46. CIS Critical Security Control
6. Maintenance, Monitoring, & Analysis of Audit Logs:
Collect, manage, and analyze audit logs of events that could help detect, understand, or
recover from an attack.
48. CIS Critical Security Control
7. Email and Web Browser Protections:
Minimize the attack surface and the opportunities for attackers to manipulate human
behavior through their interaction with web browsers & email systems.
49. CIS Critical Security Control
8. Malware Defenses:
Control the installation, spread, and execution of malicious code at multiple points in the
enterprise, while optimizing the use of automation to enable rapid updating of defense, data
gathering, & corrective action.
50. CIS Critical Security Control
9. Limitation and Control of Network Ports, Protocols, and Services:
Manage (track/control/ correct) the ongoing operational use of ports, protocols, and services
on networked devices in order to minimize windows of vulnerability available to attackers.
51. CIS Critical Security Control
10. Data Recovery Capability:
The processes and tools used to properly back up critical information with a proven
methodology for timely recovery of it.
52. CIS Critical Security Control
11. Secure Configurations for Network Devices:
Establish, implement, and actively manage (track, report on, correct) the security
configuration of network infrastructure devices using a rigorous configuration management
and change control process.
53. CIS Critical Security Control
12. Boundary Defense:
Detect/prevent/correct the flow of information transferring networks of different trust levels
with a focus on security-damaging data.
54. CIS Critical Security Control
13. Data Protection:
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated
data, and ensure the privacy and integrity of sensitive information.
55. CIS Critical Security Control
14. Controlled Access Based on the Need to Know:
The processes and tools used to track/control/prevent/correct secure access to critical assets
according to the formal determination of which persons, computers, and applications have a
need and right to access these critical assets based on an approved classification.
56. CIS Critical Security Control
15. Wireless Access Control:
The processes and tools used to track/control/prevent/correct the secure use of wireless
local area networks (WLANs), access points, and wireless client systems.
57. CIS Critical Security Control
16. Account Monitoring & Control:
Actively manage the life cycle of system and application accounts – their creation, use,
dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
59. CIS Critical Security Control
For all functional roles in the organization, identify the specific knowledge, skills, and abilities
needed to support defense of the enterprise.
17. Security Skills Assessment & Appropriate Training to Fill Gaps
60. CIS Critical Security Control
Manage the security life cycle of all in-house developed and acquired software in order to
prevent, detect, and correct security weaknesses.
18. Application Software Security
61. CIS Critical Security Control
Protect the organization’s information, as well as its reputation, by developing and
implementing an incident response infrastructure for quickly discovering an attack and then
effectively containing the damage, eradicating the attacker’s presence, and restoring the
integrity of the network and systems.
19. Incident Response Management
62. CIS Critical Security Control
Test the overall strength of an organization’s defenses (the technology, the processes, and
the people) by simulating the objectives and actions of an attacker.
20. Penetration Tests & Red Team Exercises
64. SQL Server Security Best Practices
Efficiency and security have an inverse relationship to one another.
You can have high efficiency or high security, but not both.
Example: small community banks tend to favor efficiency over security:
Cost limitations. This is the first and obvious reason. Community banks are fighting a constant battle to
remain competitive. Implementing security in systems adds costs - there is no way around it.
Risk. It's not always a conscious decision for a bank to improve efficiency by sacrificing security.
Sometimes there's a lack of understanding of the risks associated with the systems we deploy.
Personnel limitations. The many-hats syndrome runs rampant in smaller community banks.
Regulatory emphasis. The current regulatory environment stresses controls as they relate to policy and
procedures.
65. SQL Server Security Best Practices
authentication || use Windows Authentication mode unless a legacy application requires Mixed
Mode authentication for backward compatibility
secure sysadmin account || rename the built-in sa (sysadmin) login after installation: SSMS > Object
Explorer > Logins > right-click > Rename, or T-SQL
use complex passwords || ensure that complex passwords are used for sa and other SQL Server-
specific logins; think about enforcing password expiration and MUST_CHANGE for any new SQL login
use specific logins || use different accounts for the different SQL Server services
sysadmin membership || carefully choose the membership of the sysadmin fixed server role
66. SQL Server Security Best Practices
general administration || use the built-in fixed server roles and database roles, or create your own custom
roles, then grant them to specific logins
revoke guest access || disable guest user access in all user and system databases (excluding the
msdb database)
limit public permissions || revoke public role access to some extended stored procedures and review
the other stored procedures
harden SQL Server ports || change the default SQL Server port if possible
disable SQL Server Browser || disable the SQL Server Browser service if possible
secure service accounts || make a good plan and keep a record of service accounts and their passwords
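The following T-SQL is an added example, not from the slides, that checks an instance against the settings recommended on slides 65 and 66 and ends with a new SQL login created the way slide 65 suggests. It assumes SQL Server 2012 or later and a sysadmin connection; the login name, role name and password are placeholders.

```sql
-- Added example, not from the slide deck. All queries are read-only; only the
-- remediation block at the end creates objects, using assumed placeholder names.
-- Assumes SQL Server 2012+ (sys.dm_server_services, CREATE SERVER ROLE).

-- authentication: 1 = Windows Authentication only, 0 = Mixed Mode
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- secure sysadmin account: the built-in sa login always has SID 0x01, so this
-- shows whether it has been renamed and whether it is disabled.
SELECT name AS sa_login_name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- use complex passwords: SQL logins that bypass Windows policy or expiration
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- sysadmin membership: every member of the sysadmin fixed server role
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- use specific logins / secure service accounts: the account each service
-- runs as. SQL Server Browser is a separate Windows service not listed here;
-- check it in SQL Server Configuration Manager.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- revoke guest access: guest keeps CONNECT in master, tempdb and msdb by
-- design; report every other online database where guest can still connect.
DECLARE @db sysname, @proc NVARCHAR(300);
DECLARE @guest TABLE (database_name sysname, guest_can_connect bit);
DECLARE @check NVARCHAR(MAX) = N'
    SELECT DB_NAME(), CASE WHEN EXISTS (
        SELECT 1 FROM sys.database_permissions p
        JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
        WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT''
          AND p.state = N''G'') THEN 1 ELSE 0 END;';
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND name NOT IN (N'master', N'tempdb', N'msdb');
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- run the check in that database's context through its own sp_executesql
    SET @proc = QUOTENAME(@db) + N'.sys.sp_executesql';
    INSERT INTO @guest EXEC @proc @check;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs; DEALLOCATE dbs;
SELECT * FROM @guest WHERE guest_can_connect = 1;

-- limit public permissions: extended stored procedures (type X) in master
-- that the public role may still execute
SELECT o.name AS extended_proc, p.permission_name, p.state_desc
FROM master.sys.database_permissions p
JOIN master.sys.all_objects o ON o.object_id = p.major_id AND p.class = 1
JOIN master.sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = N'public' AND o.type = 'X' AND p.state IN ('G', 'W');

-- harden SQL Server ports: the TCP port(s) current sessions arrived on
SELECT DISTINCT local_tcp_port
FROM sys.dm_exec_connections
WHERE net_transport = N'TCP';

-- remediation: a new SQL login that must follow Windows password policy,
-- expires, and must be changed at first use; it gets a narrow custom server
-- role instead of sysadmin. <PLACEHOLDER_PASSWORD> is a placeholder value.
CREATE LOGIN app_reporting
    WITH PASSWORD = N'<PLACEHOLDER_PASSWORD>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = master;
CREATE SERVER ROLE monitoring_readers;
GRANT VIEW SERVER STATE TO monitoring_readers;
ALTER SERVER ROLE monitoring_readers ADD MEMBER app_reporting;
```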
71. Risk Management for DB
Database security concerns the use of a broad range of information security
controls to protect databases (potentially including the data, the database
applications or stored functions, the database systems, the database servers
and the associated network links) against compromises of their confidentiality,
integrity and availability.
It involves various types or categories of controls, such as technical,
procedural/administrative and physical. Database security is a specialist topic
within the broader realms of computer security, information security and risk
management.
72. Risk Management for DBA
Security risks to database systems include, for example:
× unintended activity or misuse by authorized database users, database
administrators, or network/systems managers, or by unauthorized users or
hackers (e.g. inappropriate access to sensitive data, metadata or functions
within databases, or inappropriate changes to the database programs,
structures or security configurations);
× Malware infections causing incidents such as unauthorized access, leakage or
disclosure of personal or proprietary data, deletion of or damage to the data or
programs, interruption or denial of authorized access to the database, attacks
on other systems and the unanticipated failure of database services;
73. Risk Management for DBA
Security risks to database systems include, for example:
× Overloads, performance constraints and capacity issues resulting in the inability
of authorized users to use databases as intended;
× Physical damage to database servers caused by computer room fires or floods,
overheating, lightning, accidental liquid spills, static discharge, electronic
breakdowns/equipment failures and obsolescence;
× Design flaws and programming bugs in databases and the associated programs
and systems, creating various security vulnerabilities (e.g. unauthorized privilege
escalation), data loss/corruption, performance degradation etc.;
× Data corruption and/or loss caused by the entry of invalid data or commands,
mistakes in database or system administration processes, sabotage/criminal
damage etc.
74. Cyber Defense | Practical Risk Analysis and Threat Modeling
Step 1: Make A List Of What You're Trying To Protect
Step 2: Draw A Diagram And Add Notes
Step 3: Make A List Of Your Adversaries And What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability And Potential Damage (The Overall Risk)
Step 6: Brainstorm Countermeasures And Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot and Repeat
75. Conclusion
Even a crude risk analysis and hardening plan is vastly better
than just winging it,
and in many ways a crude plan is better than an overly formal one
if the formal one will never be completed...
or even started
(another case of "the perfect is the enemy of the good").
I hope this seven-step recipe will help you get your own security projects underway!
80. Three Pillars of a Secure Hybrid Cloud Environment
× Pillar One: risk assessment and management
A definition of the risks that apply to various asset(s), based on their business criticality.
An assessment of the current status of each risk before it’s moved to the cloud. Using this information,
each risk can be accepted, mitigated, transferred or avoided.
An assessment of the risk profile of each asset, assuming it has been moved to the cloud.
× Pillar Two: policy and compliance
Cloud providers need to understand that simply listing compliance certifications isn’t sufficient. In line with
the mantra of transparency explored in the previous point, providers should take a proactive stance to
sharing their security implementations and controls.
Dimension Data often assists clients by providing them with a list of questions
that we believe they should be posing to cloud providers as part of the
evaluation process, to ensure they’re covering all the bases.
81. Three Pillars of a Secure Hybrid Cloud Environment
Pillar Three: provider transparency
× Governance: the ability of an organisation to govern and measure enterprise risk
introduced by cloud.
× Legal issues: regulations, and requirements to protect the privacy of data, and the
security of information and computer systems.
× Compliance and audit: maintaining and proving compliance when using the cloud.
× Information management and data security: managing cloud data, and responsibility for
data confidentiality, integrity and availability.
× Portability and interoperability: the ability to move data or services from one provider to
another, or bring them back in-house.
× Business continuity and disaster recovery: operational processes and procedures for
business continuity and disaster recovery.
82. Three Pillars of a Secure Hybrid Cloud Environment
Pillar Three: provider transparency
× Data centre: evaluating any elements of a provider’s data centre architecture and
operations that could be detrimental to ongoing services.
× Incident response, notification and remediation: adequate incident detection, response,
notification, and remediation.
× Application security: securing application software running on or developed in the cloud.
× Encryption and key management: identifying proper encryption usage and scalable key
management.
× Identity and access management: assessing an organisation’s readiness to conduct
cloud-based identity, entitlement, and access management.
× Virtualisation: risks associated with multi-tenancy, virtual machine isolation and
co-residence, hypervisor vulnerabilities, etc.
84. Driving DevOps Security
Operations have become increasingly important as the software world
shifts to a more service-oriented approach. Implementing a DevOps
model is an essential move for most software companies to maintain
success. The recent adoption of DevOps has been rapid and widespread
while security best practices have been slow to keep pace. It is clear that
the transformation has helped organizations improve their velocity and
improve their products as they grow.
As cybersecurity risks continue to mount, security best practices must be
included in every team's workflow. By understanding and facilitating the
cultural shift that DevOps requires, you can help your team work faster
and more securely, with sustainable results. Download the book at the link below
to learn everything you need to know to start running DevOps securely
at scale.
https://www.tripwire.com/solutions/devops/devops-book/
85. SANS / CIS Critical Security Controls
Trusted by security leaders in both the
private and public sector, the CIS Controls:
➢ Leverage the battle-tested expertise of the global IT community to defeat over 85% of common attacks
➢ Focus on proven best practices, not on any one vendor’s solution
➢ Offer the perfect on-ramp to execute compliance programs with mappings to PCI, NIST, ISO, and HIPAA
➢ All 20 CIS Controls V7
https://learn.cisecurity.org/20-controls-download
86. SANS Supports the CIS Critical Security Controls with Training, Research and What Works
To help information security practitioners and managers implement the CIS Critical Security Controls,
SANS provides a number of resources and information security courses.
Critical Security Controls Courses
SEC440: Critical Security Controls: Planning, Implementing and Auditing
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
Security Operations Center Courses
SEC511: Continuous Monitoring and Security Operations
SEC555: SIEM with Tactical Analysis (NEW!)
MGT517: Managing Security Operations: Detection, Response, and Intelligence (NEW!)
Information Security Resources
NewsBites: Bi-weekly email of top news stories with commentary from SANS Editors. View recent editions & Subscribe
Whitepapers: Research from SANS instructors and masters students. Download the latest papers related to the Critical Controls
Webcasts: Topical content presented by SANS Instructors, vendors, and leaders in infosec security. View upcoming webcasts
87. links
× ISECOM (the Institute for Security and Open Methodologies)
http://www.isecom.org/about-us.html
× OSSTMM (Open Source Security Testing Methodology Manual)
http://www.isecom.org/research/osstmm.html
× Library of Resources for Industrial Control System Cyber Security
https://scadahacker.com/library/index.html
× patterns & practices: Cloud Security Approach in a Nutshell
https://technet.microsoft.com/en-us/ff742848.aspx
× Microsoft Azure Trust Center: Security
http://azure.microsoft.com/en-us/support/trust-center/security/
× 10 Things to know about Azure Security
https://technet.microsoft.com/en-us/cloud/gg663906.aspx
× Security Best Practice and Label Security Whitepapers
http://blogs.msdn.com/b/sqlsecurity/archive/2012/03/07/security-best-practice-and-label-security-whitepapers.aspx
88. links
× Hello Secure World
http://www.microsoft.com/click/hellosecureworld/default.mspx
× SQL Server Label Security Toolkit
http://sqlserverlst.codeplex.com/
SQL Server Best Practices Analyzer
× Microsoft Baseline Configuration Analyzer 2.0
http://www.microsoft.com/en-us/download/details.aspx?id=16475
× SQL Server 2005 Best Practices Analyzer (August 2008)
http://www.microsoft.com/en-us/download/details.aspx?id=23864
× Microsoft® SQL Server® 2008 R2 Best Practices Analyzer
http://www.microsoft.com/en-us/download/details.aspx?id=15289
× Microsoft® SQL Server® 2012 Best Practices Analyzer
http://www.microsoft.com/en-us/download/details.aspx?id=29302
89. links
× Microsoft Security Assessment Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
× Microsoft Application Verifier
http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
× Microsoft Threat Analysis & Modelling Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
× How To: Protect From SQL Injection in ASP.NET
http://msdn2.microsoft.com/en-us/library/ms998271.aspx
× Securing Your Database Server
http://msdn.microsoft.com/en-us/library/aa302434.aspx
90. links
× Threats and Countermeasures
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
× Configure Windows Service Accounts and Permissions
https://msdn.microsoft.com/en-us/library/ms143504.aspx#Network_Service
× Select an Account for the SQL Server Agent Service
https://msdn.microsoft.com/en-us/library/ms191543.aspx
× Server Configuration - Service Accounts
https://msdn.microsoft.com/en-us/library/cc281953.aspx
91. azure resources: security
Azure Security: Technical Insights
Security Best Practices for Developing Azure Solutions
Protecting Data in Azure
Azure Network Security
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Microsoft Enterprise Cloud Red Teaming
Microsoft Azure Security and Audit Log Management
Security Management in Microsoft Azure
Crypto Services and Data Security in Azure
92. azure resources: security & privacy
Business Continuity for Azure
Understanding Security Account Management in Azure
Azure Data Security: Cleansing and Leakage
Scenarios and Solutions Using Azure Active Directory Access Control
Securing and Authenticating a Service Bus Connection
Azure Privacy Overview (PDF)
Azure Privacy Statement
Law Enforcement Request Report
Protecting Data and Privacy in the Cloud
93. azure resources: compliance & more
Response to Cloud Security Alliance Cloud Controls Matrix (DOC)
Azure HIPAA Implementation Guidance (PDF)
Azure Customer PCI Guide (PDF)
The Microsoft Approach to Cloud Transparency (PDF)
Microsoft Trustworthy Computing
Operational Security for Online Services Overview (PDF)
Data Classification for Cloud Readiness
CISO Perspectives on Data Classification (PDF)
An Introduction to Designing Reliable Cloud Services (PDF)
Deploying Highly Available and Secure Cloud Solutions (PDF)
94. credits
× Yes, 123456 is the most common password, but here’s why that’s misleading
http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/
× CIO’s are Listening, Security is Important…
https://communities.intel.com/community/itpeernetwork/blog/2014/05/20/cio-s-are-listening-security-is-important
× The Three Pillars of a Secure Hybrid Cloud Environment
http://www.dimensiondata.com/Global/Latest-Thinking/The-Three-Pillars-of-a-Secure-Hybrid-Cloud-Environment/Pages/Home.aspx