Last week I was in London enjoying Dominick Baier's .NET 2.0 Security course. It was really an eye-opener.
Dominick is a very passionate, paranoid Developmentor instructor, so if you ever get the chance ....
Btw, pick up a hard copy around November.
Security is not just something you apply at the end of a project; you need to design and plan for security. You need to get into that mindset at the very beginning of every software project.
Security was never of great concern on all the projects I have been involved with... it was just something you brute forced into your software at the very last minute, guaranteed to break your design.
I am currently working on a project now that does just about everything wrong when it comes to security; currently it's out of my hands (blame it on politics, ignorance and deadlines). It's frustrating to watch this, but I guess reality bites the project soon, so bring your raincoat and fire hose ;-).
If you need to model and analyze threats, Microsoft actually did a decent job with this tool here.
Currently reading "Secrets and Lies".
"If you know the enemy and know yourself, you need not fear the result of a hundred battles."
-- Sun Tzu, The Art of War