Module 2: Planning for Web Application Security

Contents
Overview 1
Lesson: A Design Process for Building Secure Web Applications 2
Review 22
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Developing Secure Web Applications.
After completing this module, students will be able to describe the general
approach to designing security into a Web application and categorize and
identify the most common types of attacks, along with the potential threats that
the attacks pose to systems, services, and data within their organizations.
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 2300A_02.ppt
• A white board or flip chart
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Read about the application design process in the Microsoft Solutions Framework (MSF).
• Read Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press®), 2000.
Lesson: A Design Process for Building Secure Web Applications
This lesson covers only part of the design process, namely the threat analysis
process. This lesson does not cover how to determine business and information
requirements. It is assumed that students already know how to determine
business and information requirements and create a functional specification for
a Web application.
It is important to start this lesson with a discussion of why this information is
important for Web developers to know. Some Web developers are not involved
in the Web application design process within their organizations and they might
feel that knowing the complete process is irrelevant to their jobs.
The business and product requirements, along with the information requirement
steps in the design process, have been intentionally minimized in this lesson.
Although it is important for students to understand the outcomes of these steps
(the architectural diagram and the design specification), it is not necessary to
discuss these steps in detail.
Define the term threat and briefly mention the three steps that are taken when
determining threats. These steps are discussed in more detail in the topics that
follow within this module.
Suggest to students that they hire a security consultant to help identify threats
and then try to hack into the system after the security services have been
developed.
Review each category of assets, placing emphasis on the assets that are in a
Web application: software, data, and communications.
In this practice, students will have an opportunity to identify the assets that
require protection in the Tailspin Toys lab solution. The result of this practice is
to encourage students to think of the assets in their own Web applications that
might be susceptible to attack.
Run this practice as a group brainstorming session, and write the results on a
white board or flip chart. This information will be referred to in the next
practice.
threat that was identified in the previous practice. For this practice, students will
use a numeric rating system for both the probability and impact. Let the
students know that this is a very subjective exercise.
Run this practice as a group brainstorming session. Refer to the results of the
second practice and write the results of this practice on the same white board or
flip chart.
Although threat prioritization is important, the security policy ultimately
determines whether the threat will be defended against, assigned, or accepted.
An important point to make is that even though a threat may have a low
exposure ranking, security policy may dictate that the threat be defended
against at all costs.
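The exposure calculation, prioritization and policy-override steps described in the notes above, as an added worked example that is not part of the course materials. It assumes a 1-10 rating for probability and impact, exposure as the product of the two ratings, a defend threshold of 25, and constructed sample threats and policy for a Tailspin Toys style storefront:

```python
from dataclasses import dataclass

# Policy outcomes named in the notes: defend against, assign (transfer), or accept.
DEFEND, ASSIGN, ACCEPT = "defend", "assign", "accept"

@dataclass
class Threat:
    asset: str         # asset category from the lesson: hardware, software, data, communications
    description: str
    probability: int   # assumed 1 (unlikely) .. 10 (almost certain); a subjective rating
    impact: int        # assumed 1 (negligible) .. 10 (severe loss to the business)

    def exposure(self) -> int:
        """Assumed exposure formula: probability rating times impact rating."""
        if not (1 <= self.probability <= 10 and 1 <= self.impact <= 10):
            raise ValueError("probability and impact must be rated 1..10")
        return self.probability * self.impact

def prioritize(threats):
    """Order threats from highest to lowest exposure (highest is handled first)."""
    return sorted(threats, key=lambda t: t.exposure(), reverse=True)

def decide(threat, policy, threshold=25):
    """Security policy has the last word: a policy rule for the asset category
    overrides the ranking; otherwise defend at or above the (assumed) threshold."""
    if threat.asset in policy:
        return policy[threat.asset]
    return DEFEND if threat.exposure() >= threshold else ACCEPT

# Constructed sample threats (illustrative only, not from the lab solution).
SAMPLE_THREATS = [
    Threat("software", "Public Web page defaced", 7, 4),
    Threat("communications", "Session data read in transit on the public network", 5, 6),
    Threat("data", "Archived backup data altered offline", 2, 9),
    Threat("hardware", "Back-office printer out of service", 3, 3),
]

# Constructed policy: data assets are defended regardless of their exposure ranking.
SAMPLE_POLICY = {"data": DEFEND}

def worksheet(threats=SAMPLE_THREATS, policy=SAMPLE_POLICY):
    """Return (description, exposure, decision) rows, highest exposure first."""
    return [(t.description, t.exposure(), decide(t, policy)) for t in prioritize(threats)]
```

The backup-data threat ranks third by exposure but is still marked "defend" because the policy rule for data assets overrides the ranking, which is the point the notes make.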
It is not necessary to discuss in great detail the security technologies that are
listed in the table. Explain to students that they will learn more about
countermeasures and technologies throughout the rest of the course.
Security implementation from the developer standpoint is the focus of this
course. Review with students the general areas of security that will be discussed
throughout the course.
It is important that students understand that maintaining a secure Web
application is an iterative process. The security plan must be reviewed often so
that new threats and security policies are considered and then addressed
accordingly.
Calculating Exposure and Prioritizing Threats
Practice: Calculating Exposure and Prioritizing Threats
Using the Security Policy to Evaluate Threats
Selecting Security
Introduction
each of these steps, and finally, learn how these steps interrelate. You will then focus on the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, calculating the exposure of those assets, and developing an implementation and maintenance plan for securing your Web application.
Objective
After completing this module, you will be able to describe the general approach to designing security into a Web application and categorize and identify the most common types of attacks, along with the potential threats that those attacks pose to systems, services, and data within your organization.
Module 2: Planning for Web Application Security
Lesson: A Design Process for Building Secure Web Applications
Figure: the design process steps, in order: Business and Product Requirements, Information Requirements, Threats, Security Policy, Security Technology.
Introduction
approaches that are used to safeguard against those threats.
Lesson objectives
After completing this lesson, you will be able to:
• Explain the process of identifying threats and evaluating the risks that those threats pose to your organization’s Web applications.
• Identify the assets in a Web application that are vulnerable to security threats.
• Identify the categories of attacks that typically affect each asset in a Web application.
• Prioritize threats by determining the monetary cost to counter each threat and comparing that cost to the cost of the asset that the countermeasure will protect.
• Explain how the identified threats are evaluated against an organization’s overall security policy.
• Explain how security services are designed to use security technologies.
• Explain the process of developing a security maintenance and upgrade plan.
Slide: Identify the threats to assets; Calculate exposure and prioritize threats.
An architectural diagram and a design specification are the result of gathering
business, product, and information requirements for a Web application. After
you gather business, product, and information requirements for a Web
application, the next step in the design process is to determine the security
threats to your Web application.
A threat is a possibility that poses danger to business assets. All threats are
determined in relation to a business risk. The greater the business risk—that is,
the greater the negative impact on the business if the threat is realized—the
greater the threat.
Each organization faces its own unique set of threats. For example:
!
A bank wants to protect its money.
!
A hospital wants to protect patient records.
!
A software development company wants to protect its source code.
Adding a Web presence, such as a Web site, exposes these organizations to
even more threats and risk. For example, Web pages can be compromised and
changed, the database that is accessed by the Web site can be altered or
destroyed, unauthorized users could gain access to the file system, and any data
The first step in analyzing the threats to a Web application is to identify the
assets in your design specification that are vulnerable to attack. Every
organization has many assets that must be protected from potential attacks.
These assets include:
• Hardware. Includes CPUs, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, and routers.
• Software. Includes source programs (including COM+ objects, scripts, and assemblies), utilities, diagnostic programs, operating systems, and communication programs.
• Data. Includes data that is created during Web application execution, data that is stored online, and data that is archived offline, along with backup data, audit logs, databases, passwords, and Web application configuration data.
• Communications. Includes Web client connections, Microsoft® SQL Server™ connections, remote procedure calls (RPCs), Microsoft .NET service invocations, and data that is in transit over a communication medium.