CloudSec

The new Microsoft Online services represent an excellent option for businesses to base all or part of their Exchange, Sharepoint and MeetingPlace functionality within a Microsoft hosted data center. But what about Service Level agreements for these...

I just read a new article over in CSO-Online about our VP of Trustworthy Computing at Microsoft, Scott Charney. In it, they refer to him as the "Axe Man" and his ability to stop products from rolling out due to security concerns Since Charney...

This bill was introduced last year, and is making the rounds again. Some of the wording that IT Management might want to read very carefully, centers on their accountability when certain data breaches occur: Key features of the bipartisan legislation...

Containing many bug fixes and some enhancements , this is a great tool for organizations who may not have dedicated teams of security analysts, but want to model their application and automatically generate many of the possible threats. The following...

As a developer, the first thing I thought about with the Novell announcement was Mono and whether or not Microsoft would be putting resources toward that Herculean effort. Miguel makes reference to the FAQ which talks about this subject: Q: What...

Dominick over at Least Privilege makes reference to the new functionality added to HawkEye which allows developers to display the contents of SecureString, and also change the current principal of the running thread. This looks like a really great debugging...

The folks over at the Patterns and Practices Team have done it again with the Guidance Library - containing all kinds of best practices, mini "How-Tos" and coding samples for .NET. What's great about this site is that you can categorize the best practices...

I was out at a customer site last week and needed to have access to their internal corporate network to do some work for the week. Their process for providing access to outside consultants was actualy quite mature - basically, I needed to send an email...

There is an old saying out there: There are two kinds of people in the world - those who have lost all of their data, and those who will! I now count myself in the party of the first part. To make a long story short, I decided to upgrade to Windows...

I was wondering when this issue was going to come up in the anti-trust discussions. It seems as if the EU commission is raising concerns that the 'bundled' security features of Microsoft Vista might block out competitors in the security space. To me...

It seems that the evolving PCI (Payment Card International) standard is getting more support with all of the major credit card companies agreeing to get together to form the new Security Standards Council . While the PCI is fairly high level right...

Yet another set of headlines this week about data being leaked accidentally from internal employees. This time, the news is from AOL, where information was posted on-line about user searches. According to AOL “This incident took place because some...

So everyone is talking about the new .NET 2.0 based threat modeling (Beta) that has just been released. From my initial fly-by, it looks like a very different approach than the older tool which relied on software developers to learn and master the concepts...

When you initially install VS2005 and start to use the default membership and role providers for security, you usually use the default SQL provider for SQLExpress on your local box. But what if I want to later change from SQL Express, and instead use...

With the increasing popularity of Ajax/Atlas as the new 'holy grail' of development, it easy to predict the number of security problems in all of that javascript and xml flying all over the place. The folks over at the secure development mailing list...

Mike Nash responds to some of the most popular questions from the SlashDot crew on the state of Microsoft product security, and how we go about creating secure software. Say what you want about Slashdot, but I for one am glad to see that we are responding...

I'm out at Tech Ready in Seattle and am attending as many Vista Security sessions as I can. The fact that for most users, Vista processes will be running by default as non-admin is going to make a world of difference in the security space moving forward...

A beautiful, crisp, fall Saturday with plenty of sunshine and fresh air. But I chose to spend it locked in a room full of about a hundred other people, talking about .NET security at the Mid Atlantic Security Code Camp hosted by G. Andrew Guthie. If...

Many of the developers I work with go through the pain of trying to figure out how to encrypt data before passing it on to the database tier. What encryption algorithms do I use? What key length? How do I create an operational infrastructure to manage...

The Patterns and Practices team have come out with new guidance and best practices surrounding ADO.NET 2.0 . A great synopsis of all things most folks already know - but some new and interesting content around partial trust apps, and signing your database...

Dan Sellers talks about Security Trimming in ASP.NET as a great way to easily limit access to certain areas of you application to certain roles/ I've never seen Dan's blog before - but it's chalk full of developer security goodness! Subscribed. ...

Karen Corby has written a great article about hosting Windows Presentation Foundation in the browser . At the end of the article, are some really great little nuggets about security considerations and capabilities when running WPF in a 'sandbox'. She...