How To Catch Key Security Issues Before Your Application Is Built
When is the best time to catch security issues with your application? Before you’ve built it, of course!
If you’re responsible for an application from a technical design perspective, the last thing you want is to get all the way into the security testing process, find out that there is a major issue with your application, and have to redesign the whole thing!
Well, now your job is even easier, thanks to the Microsoft Threat Modeling Tool and its new 2014 version, which has just been released.
Now You Too Can Break Into Security Cameras... Just Like In The Movies
What do the following movies have in common?
- Speed
- Entrapment
- Ocean’s 11
Well, I think they were pretty enjoyable movies, and classic ’90s Sandra Bullock and Catherine Zeta-Jones were certainly easy on the eye. The key scene in common that I had in mind, though, is this: security cameras being compromised - e.g. the ‘bad guys’ breaking into a camera and then having footage play on a “loop” so that they can have their way.
Is It Possible for an Attacker To Break Out of a VM?
I love VMs - they make life so much easier in many regards, from development and spiking new technologies all the way through to providing elastic production solutions.
Of course, they do have their frustrations - such as getting performance right and having the occasional corrupt VM.
However, let’s consider an issue of security: is it possible to break out of a VM and get direct access to the host? Well, if you’ve been following popular security blogs then you’ll know that yes - it has at least been possible in the past. How has it been done in the past, though? Well, there’s a great paper here. It is slightly old [2009], though it does demonstrate an interesting technique.
Weird Hack: Play Pong and Snake in Super Mario World!
Recently I came across an article highlighting how someone had exploited “in game objects” to turn the classic ’90s Super Mario World game into Pong and Snake... incredible! Essentially, the game is susceptible to running arbitrary code.
The original article is here and the YouTube video is embedded there also. The video is a bit slow to get going; you may want to jump straight to 1min 30 to avoid waiting.
Anti-Virus Solutions for SharePoint 2013
Well, it seems that because SP2013 was released earlier than many vendors expected, at the moment there is only one anti-virus vendor other than Microsoft that supports SharePoint 2013 - ESET. ESET’s product is also only in Beta, so this isn’t really ideal for production usage just yet.
Microsoft, of course, have Forefront Protection for SharePoint 2010; however, the whole Forefront product line has been discontinued, so you cannot buy it. If you have an Enterprise Agreement and want to get it, perhaps speak with your Microsoft Account Manager and they may be able to help you out, depending on your agreement and when you speak with them. If you do already have it, you’ll be supported until 31st December 2015 and receive anti-virus definition updates until then. From that point onward, you’ll need to migrate to another product. This was flagged by Spencer Harbar here.
