Designing Security Architecture and Implementation (17%)
Plan for operational security
This objective may include but is not limited to: approaches for process- and resource-level security, including local and remote resources; Code-Access Security (CAS), including trust level, process identity, application pool, and identity tag.
Approaches for process
Resource-level security
Code-Access Security (CAS)
http://en.wikipedia.org/wiki/Code_Access_Security
http://msdn.microsoft.com/en-us/library/930b76w0.aspx
Important: security changes in .NET 4
http://msdn.microsoft.com/en-us/library/dd233103(VS.100).aspx
Design an authentication and authorization model
This objective may include but is not limited to: authentication providers, including Windows Forms, and custom user identity flow-through (for example, trusted subsystem); role management; membership providers; URL authorization (for example, AuthorizationAttribute); file authorization; Authorization Manager (AzMan).
Authentication providers
http://msdn.microsoft.com/en-us/library/9wff0kyh(VS.100).aspx
Role management
http://msdn.microsoft.com/en-us/library/5k850zwb(VS.100).aspx
Membership provider
http://msdn.microsoft.com/en-us/library/tw292whz(VS.100).aspx
URL Authorization
http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.100).aspx
AzMan
http://msdn.microsoft.com/en-us/library/ms998336.aspx
Plan for minimizing attack surfaces
This objective may include but is not limited to: input validation, throttling inputs, request filtering, where to use Secure Sockets Layer (SSL).
Input validation (look for more up-to-date material)
http://msdn.microsoft.com/en-us/library/ms972961.aspx
Throttling inputs
Request filtering
http://msdn.microsoft.com/en-us/library/system.web.httprequest.filter(VS.100).aspx