Ancestors

Toot

Written by Levi Broderick on 2024-10-15 at 00:57

Over the past few months, I've been trying to lead an effort within the .NET team to make threat models and other security design documents publicly available to our consumers. This is a non-trivial amount of work since it involves getting the data into a format appropriate for external consumption, re-reviewing the docs in the context of other .NET ecosystem efforts, and getting publication signoff from multiple teams. 1/

Descendants

Written by Levi Broderick on 2024-10-15 at 00:59

But I am happy to say we're making some significant progress here! Just a few minutes ago I submitted a PR with threat models / security designs for some commonly-used building blocks within the .NET ecosystem:

2/

Written by Levi Broderick on 2024-10-15 at 01:01

Publishing these documents helps our consumers better use our components in a reliable and secure manner. It gives people confidence in the safety of our code base and our review process. And it gives a minor glimpse into .NET security team operations, including the pitfalls we try to be mindful of during API design processes.

Enjoy!

3/FIN

Written by 💡𝚂𝗆𝖺𝗋𝗍𝗆𝖺𝗇 𝙰𝗉𝗉𝗌📱 on 2024-10-15 at 00:59

@GrabYourPitchforks

@bot boost this

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113308720612067855