Something I was waiting for but nearly missed: Michael Willers has announced the security analysis on Windows Communication Foundation he and his collegues did for the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
I had the luck to hear Michael talk about this stuff last october. There where two interesting points in his talk:
- He took us through some threat modelling. That may be intersting from a security point of view but what impressed me more was that this was the most sound and structured architecture review I ever saw.
- Michael emphasised the fact that developing a secure application was only the first part of the deal. Deploying it — or more to the point secure deployment — turned out to be a challenge of its own. Consequently the statement on his blog:
“The results of this study demonstrates how to implement and securely deploy service oriented distributed systems on the Microsoft .NET Platform. “
Documentation and code (under GPL) can be obtained at the BSI site:
“Beside the complete source code of the WCF reference application the BSI distributes manuals covering WCF specific architecture aspects, authentication, data access, development autonomy, distributed error handling, the hosting environment, transport security, securing resources, and secure service set-up and installation.”
It’s definitely worth a closer look.
UPDATE: Microsoft has provided some of the results as templates and libaries for download. See here (Michael’s announcement) and on the MSDN CAS Tools & Best Practices site (both in German, sorry, but the downloadable content should be in english).
PS: The BSI is “the central IT security service provider for the German Government.” (http://www.bsi.bund.de/english/index.htm)
PPS: The usage of voting machines for elections in Germany does not seem to require IT security 👿 , therefore they are checked and certified by the “Physikalisch-Technische Bundesanstalt, PTB“.
“The Physikalisch-Technische Bundesanstalt (PTB) is the national metrology institute providing scientific and technical services. PTB measures with the highest accuracy and reliability – metrology as the core competence.” (http://www.ptb.de/en/zieleaufgaben/dieptb.html).