Tagged Content List
  • Blog Post: Simple Rules To Stop Bad Guys

    Hi, RockyH here. I was browsing for IT security news from the hotel this evening and came across this gem: That’s it. Of course there is no information about who to email, and why should there be. If they can’t figure out how to tell the difference between malicious traffic and real traffic...
  • Blog Post: Video Series: ACE Security Consultants from the Field

    Kicking off our video series, ‘ACE Security Consultants from the Field,’ Talhah Mir from Microsoft Information Security talks to two passionate individuals about security. Watch the podcast, “ACE from the Field: Carric 'DEFCON Goon' Dooley,” as Carric Dooley, Senior Security Consultant from...
  • Blog Post: Blog Series: Get Familiar with the SDL-LOB (Security Development Lifecycle for Line-Of-Business Applications) Process

    Hello, Anmol Malhotra here. I’m a Senior Security Engineer with the ACE Team, a part of the Microsoft IT Information Security group. I’d like to introduce you to the Security Development Lifecycle for Line-of-Business Applications (SDL-LOB) process. As part of our continued commitment towards sharing security...
  • Blog Post: TechNet Webcast: Configuring with Least Privilege in SQL Server 2008 (Level 300)

    TechNet Webcast: Configuring with Least Privilege in SQL Server 2008 (Level 300). Tuesday, June 02, 2009, 8:00 AM Pacific Time (US & Canada). Presenter: Varun Sharma, Security Engineer, Microsoft Corporation. Overview: With SQL injection attacks on the rise, it is imperative to configure...
  • Blog Post: TechNet Webcast: Fundamentals of Third-Party Security Management (Level 300)

    TechNet Webcast: Fundamentals of Third-Party Security Management (Level 300). Monday, June 01, 2009, 10:00 AM Pacific Time (US & Canada). Presenter: Gerard Morisseau, Senior Program Manager, Microsoft Corporation. Overview: In this webcast, learn the fundamentals for building a vendor security...
  • Blog Post: Infrastructure Security Design Review

    Hello Everyone! My name is Shawn Rabourn and I am a Senior Security Consultant with ACE (Assessment, Consulting and Engineering) Services, a part of Microsoft IT's Information Security (InfoSec) group. Sounds like a mouthful, I know. Really, that is just my title. I have a unique position within Microsoft...
  • Blog Post: ACE Infrastructure Security Services: An Overview

    This is Rob Cooper, Senior Engineer for ACE Infrastructure (also known internally as ICE for you William Gibson fans). Thanks to Irfan Chaudhry, Director of the ACE Team, for giving us a good overview and history of ACE and how ACE’s role has expanded over the years. I’m with ACE Infrastructure (also...
  • Blog Post: Security as a Service: A Balancing Act

    When I first joined Microsoft IT, I was intrigued by the concept of offering security assessment as an optional service to the business. I was even more surprised to see how enthusiastically the business had embraced the concept. You see, like many security professionals, I came from an organization...
  • Blog Post: About ACE’s Information Security Assessment Service - Your Friendly Neighborhood Security Auditor

    This is Gerard Morisseau, Senior Program Manager for ACE’s Information Security Assessment Services (ISAS). ISAS offers several security assessment services aimed at helping Microsoft IT and the business assess their information security risks, improve their controls environment, and strengthen their information...
  • Blog Post: Shrinking Budgets: Application Security Tools vs Process Tradeoff

    An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, let's call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed...
  • Blog Post: About ACE’s Infrastructure Security Team

    Hi, my name is Brad Gobble and I manage ACE’s Infrastructure Security Team, a part of Microsoft IT’s Information Security group. Over the next few weeks you’ll hear a lot about our services: what we do, how we do it, how we prepare our team to execute and where we’re going in the future. But before we...
  • Blog Post: Response to InfoSec X Prize Part 1

    So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and which people have kindly consented to having me post....
  • Blog Post: Baking Security In: A Comic Strip View of SDL

    So how do you take your average developer who scoffs at security from the careless and brash, aka Kevin, to the poster child for good development practices, aka Kevlarr? Well, the Microsoft SDL team has the answer for you. Read more… - Akshay
  • Blog Post: Microsoft IT Solutions: Full Drive Encryption using BitLocker

    One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has had in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they...
  • Blog Post: Note to Fannie Mae: Dealing with Logic Bombs

    Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take 4000 of the financial giant's servers & their data. Since this news broke, a number of concerned CIOs have requested my team for some guidance on how to deal with logic bombs. So...
  • Blog Post: Vulnerabilities in Web Applications due to improper use of Crypto – Part 3

    Almost all thick client applications need to update themselves. This is the only way to distribute newer functionality and bug fixes. The updated executables are usually downloaded on the client from the company’s servers. In the past, there have been cases where this “updater” functionality has been...
  • Blog Post: Vulnerabilities in Web Applications due to improper use of Crypto – Part 2

    Continuing with my last post on vulnerabilities in web applications due to improper use of crypto, let's look at what might happen if you reuse an internal method for encrypting data. Consider a web application that needs to encrypt an application cookie. The developer uses the CookieProtectionHelper...
  • Blog Post: Vulnerabilities in Web Applications due to improper use of Crypto – Part 1

    Cryptography is used often in web applications. Web sites that use cookie-based authentication encrypt and sign the authentication cookie. Query strings are sometimes encrypted to prevent manipulation and also to pass sensitive data from one page to another. Form fields may be encrypted and signed to...
  • Blog Post: Meter This: Practical Application Of Power Drain Attack

    Last week while feeding my caffeine addiction I came across an article in the New York Times titled "Can’t Find a Parking Spot? Check Smartphone." In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new system that will help detect empty parking...
  • Blog Post: Security Code Review – String Search Patterns For Finding Vulnerabilities In ASP.NET Web Application

    "The hardest thing of all is to find a black cat in a dark room, especially if there is no cat." – Confucius. Security code inspection is a sort of searching in the dark. However, security vulnerabilities in many cases* are recurrent anti-patterns that can be identified by a well-defined set of...
  • Blog Post: Application Security Development Lifecycle 4: Finding the right security talent

    After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, "Great!! Now where do I find another 20 people like these?" (pointing to my team)... I thought about it a while, and so, Mr. B, here is your answer: Information...
  • Blog Post: How Microsoft IT does Secure Application Development: Webcast

    Technorati Tags: Conference, SDLC, SDL, IT, ISV. I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday, May 29th. This webcast will be part of Microsoft's IT...
  • Blog Post: Increase the TCO, kill the project: An ad-hoc analogy

    The other day I was subject to the assertion that the only asset an IT security organization should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't. The IT security org needs to understand what threats the business faces...
  • Blog Post: Application Security Development Lifecycle 3: Funding Models

    Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications. In my experience helping organizations set up their application...
  • Blog Post: Front Range web application security summit in Denver

    I will be speaking at the Front Range OWASP Conference (FROCo8) in Denver on June 10th. The focus of the conference is to share the experiences that the speakers had around solving technical and management issues surrounding application security. I'll be sharing the podium with luminaries like Ed Bellis...