ACE Team - Security, Performance & Privacy
XSSDETECT: Analyzing Large Applications
Posted over 6 years ago by ACE Team | 4 Comments
XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users...
Update: Some details on how XSSDetect does dataflow analysis
Posted over 6 years ago by ACE Team | 2 Comments
Just a brief update: Hassan Khan, one of the lead developers of XSSDetect and part of our ACE Engineering team, has posted up some technical details on how XSSDetect uses data flow analysis to do its magic. You can read more about it here. Feel free to...
XSSDetect Public Beta now Available!
Posted over 6 years ago by ACE Team | 39 Comments
One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with...
ASP.NET ValidateRequest does not mitigate XSS completely
Posted over 6 years ago by ACE Team | 3 Comments
From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspx As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross...
Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?
Posted over 6 years ago by ACE Team | 4 Comments
From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/19/is-microsoft-office-isolated-conversion-environment-moice-mocha-on-ice.aspx MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team...
Given enough eyeballs all bugs are shallow: True or False?
Posted over 6 years ago by ACE Team | 3 Comments
From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx "Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece of code, it would help...
System.URI.AbsolutePath Vs Phishing Attack
Posted over 6 years ago by ACE Team | 1 Comment
From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/10/system-uri-absolutepath-vs-phishing-attack.aspx Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests...
Web Service Security Guidance
Posted over 6 years ago by ACE Team | 1 Comment
From Eugene Siu's blog ( http://blogs.msdn.com/esiu/archive/2007/10/10/web-service-security-guidance.aspx ): I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains...
Mark Curphey joins Microsoft's ACE Team
Posted over 6 years ago by ACE Team | 4 Comments
Mark joined ACE as of Oct. 1st and we're very glad to have him aboard! The following is a note from Mark: As is the tradition around these parts I wanted to introduce myself as the newest member of the ACE Team. My name is Mark Curphey and I’ll be...
More eyeballs for .Net Framework code
Posted over 6 years ago by ACE Team | 1 Comment
From Eugene Siu's blog: Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review what is under the hood, and enables easier debugging of development projects around .Net Framework. .Net Framework code has been reviewed...
Silverlight security MSDN magazine article
Posted over 6 years ago by ACE Team | 1 Comment
I have submitted an article proposal to MSDN to write about Silverlight security with my buddy in Silverlight team. If this proposal gets accepted, you will see the article on MSDN magazine soon. Abstract: Silverlight is the latest cross-browser and cross...
Just learned how to cross-post via MetaWeblog API
Posted over 6 years ago by ACE Team | 2 Comments
I work for ACE team, and want to cross-post from http://blogs.msdn.com/esiu to http://blogs.msdn.com/ace_team . Community Server supports MetaWeblog API, but I am not able to figure out how to configure cross-posting. After a few tries, I am able to cross...
ASP.NET File Upload: How to prevent network clogging
Posted over 6 years ago by ACE Team | 5 Comments
Denial of service is one of the threats that you need to consider while implementing file upload functionality in your web application. If a user uploads a huge file, it will clog the network and consume server’s memory. Let us look at what happens...
AES Vs. 3DES block ciphers
Posted over 6 years ago by ACE Team | 1 Comment
Hi, I am Babur Butter and I am with the ACE Team. Advanced Encryption Standard (AES) and Triple DES (TDES or 3DES) are commonly used block ciphers. Whether you choose AES or 3DES depends on your needs. In this post I would like to highlight their differences...
Application Security Guidance - User and Password Management
Posted over 6 years ago by ACE Team | 1 Comment
Keeping the theme from last post, let us dig into how system designers can take advantage of simple technology agnostic and common security best practices to design a sound user and password management subsystem for their critical IT applications. ...
Threat Modeling – Sanity Check List
Posted over 6 years ago by ACE Team | 2 Comments
Hi, I am Sagar Joshi and I work with the ACE Services Team. There is a lot of awareness building around TAM – Threat Analysis and Modeling tool developed by ACE. I have come across practitioners from various disciplines who want to start doing threat...
Application Security Guidance - Session Management
Posted over 6 years ago by ACE Team | 2 Comments
Hi, I am Ashish Popli and I work with the ACE Services Team. There is a lot of security review guidance available that is technology or platform specific, but at the heart of a security review, there are some basic security principles that can be applied...
Notes from the field - Crypto API for an enterprise customer
Posted over 6 years ago by ACE Team | 0 Comments
The Engagement Hi, I am Richard Lewis and I am back from executing a CryptoApi project for an enterprise customer. The client had this requirement of having to encrypt data between two machines. Sounds meager? Now consider this - The encrypting box...
S E C U R E Acrostic
Posted over 6 years ago by ACE Team | 0 Comments
Seamless: The more integration work that has to be done to get a component to work, the more opportunities to introduce unintended errors which can result in security vulnerabilities. Secure code should therefore not require any special skills to incorporate...
New addition to the ACE Team from India!
Posted over 6 years ago by ACE Team | 0 Comments
Hi there, I am Richard Lewis and am privileged to be part of the ACE Team at Microsoft. I am with the ACE Services division of the ACE Team. I have a background in application security that spans cryptography and PKI. I have a programming background and...
Microsoft Anti-Cross Site Scripting Library V1.5 is Released!
Posted over 7 years ago by ACE Team | 7 Comments
Hello, I wanted to announce that today the ACE and the ASP.NET team released V1.5 of the Anti-Cross Site Scripting Library at http://msdn2.microsoft.com/en-us/security/aa973814.aspx. This library is essentially the same library that we used to...
ACE's interview with Scoble on Channel 9 - part II & III now up
Posted over 7 years ago by ACE Team | 0 Comments
Hey Folks, part II and III of the Channel 9 interviews are up! You can check out part II here and part III here. Ahmad Mahdi Security Technologist Microsoft – ACE Team ahmad.mahdi
ACE Team's interview with Scoble on Channel 9 - pt 1
Posted over 7 years ago by ACE Team | 1 Comment
Well, it's been a while, but ACE's first video has hit Channel 9 today. If you'd like to see some of the faces on the team, some interesting discussion of who we are and what we do; please do check it out. You can view it here. This is nearly the last...
ACE Services Drops Case Study Flick on Security Development Lifecycle for IT
Posted over 7 years ago by ACE Team | 0 Comments
Hello everyone, my name is Anmol Malhotra and I’m a Security Technologist with ACE [Application Consulting & Engineering] Services team. We are a global team delivering application security services to Microsoft’s esteemed enterprise level customers...
Considering the performance impact of your test data source
Posted over 7 years ago by ACE Team | 0 Comments
Most automated tests require some form of data to be used within the tests. These are your test data sources and the approach you take for utilizing this data will have an impact on your tests. The question is how much of an impact. Determining the...
Page 4 of 5 (122 items)