Blog - About

About David LeBlanc's Web Log

This blog is about whatever security topics come to mind, and may occasionally wander off into other areas, like arcane C++ tricks. I'll primarily cover techniques to achieve more secure code, how to use some of the more interesting facets of the Windows operating system, and sometimes my thoughts about the general state of Internet security.

  • David LeBlanc's Web Log

    Securing Existing Code

    • 4 Comments
    Just read Michael Howard's post about differentiating secure features, security features and security response, found at http://blogs.msdn.com/sdl/archive/2007/12/17/security-is-not-all-about-security-updates.aspx , and wanted to offer some counterpoints...
  • David LeBlanc's Web Log

    How to cause a regression

    • 2 Comments
    This one isn't really security related, except that we security people often want to get rid of old stuff because it's sometimes easier to disable it than to make it really robust. If only a few people use it, good attack surface reduction practices tell...
  • David LeBlanc's Web Log

    More on Sandboxing – Network Implications

    • 1 Comments
    Larry Osterman's post (er, rant) (found here - http://blogs.msdn.com/larryosterman/archive/2007/11/02/chris-pirillo-s-annoyed-by-the-windows-firewall-prompt.aspx ) about someone's gripe with Firefox and the firewall caused me to remember to add to the...
  • David LeBlanc's Web Log

    Writing Secure Code 3

    • 1 Comments
    It seems like every time I've gone out in public recently, I've been asked when we were going to update Writing Secure Code 2. I've been seeing comments about it along the lines of "Good, but dated." Ouch. It has been a while – we published WSC2 in 2002...
  • David LeBlanc's Web Log

    Checking Password Complexity

    • 2 Comments
    Michael put some sample code into WSC2 that showed people how to check passwords using the NetValidatePasswordPolicy API. It's a very flexible API, and it's meant to handle situations where an app maintains its own password database, like SQL Server....
  • David LeBlanc's Web Log

    Safebool

    • 1 Comments
    My last post triggered a couple of responses and a URL I thought would be good to not get lost in the comments. Check out http://www.artima.com/cppsource/safebool.html . As I was saying a couple of posts ago, the right tool is usually situational....
  • David LeBlanc's Web Log

    C++ operator overloading trivia

    • 3 Comments
    Learned something interesting this week that I'll be working into SafeInt 3. It all started out because if you declare a SafeInt class instance, and then try to use it as an array index, the compiler can't figure out which of the several available integer...
  • David LeBlanc's Web Log

    On the Other Hand…

    • 2 Comments
    In my previous post on threat models, I pointed out situations where TM's are either a complete waste of time, or maybe we've got bigger problems than design issues. To add a little balance and reinforce one of the points I was trying to make, let's look...
  • David LeBlanc's Web Log

    Blog Comment Spam is Really, Really, Really Annoying

    • 2 Comments
    I keep getting spam from some bunch of (expletives deleted) as comments to the blog. It's all: Nice. Interesting. Cool! With some bogus URL they're trying to get people to click on, from weird psuedo-Greek names mostly ending in 'os'. They...
  • David LeBlanc's Web Log

    Threat Modeling the Bold Button is Boring

    • 8 Comments
    I've been reading Larry Osterman's blog lately – he's a smart guy, and one of the very first people at Microsoft I ever met (virtually anyway – it was years before we met in person). Larry came to my defense when Seattle Lab tried to tell us that Windows...
  • David LeBlanc's Web Log

    Office 2003 SP3

    • 2 Comments
    We've just released SP3 for Office 2003, and it's been a lot of work. We're releasing a bit more in this service release than we normally do, but this is part of our response to the current security environment. I joined Office at the very start of the...
  • David LeBlanc's Web Log

    DREAD and the PHB

    • 1 Comments
    Sometimes when I present about secure programming practices, I emphasize education for PM's, testers, and devs, for obvious reasons. Then there's the hard part – educating management. You really have to be able to do that – you need to spend time on security...
  • David LeBlanc's Web Log

    DREADful

    • 8 Comments
    Both the STRIDE and DREAD systems Michael and I documented in Writing Secure Code have been criticized quite a bit. Neither of them were developed with any real academic rigor, and from a scientific standpoint, neither of them tend to hold up very well...
  • David LeBlanc's Web Log

    More on C++ code auditing

    • 0 Comments
    Just now had a chance to take a look at the presentation I referenced last post. It's fairly long and detailed, but worth a thorough reading. You can grab it here: http://taossa.com/ Someone commented on my last post that this stuff should be obvious...
  • David LeBlanc's Web Log

    Avoiding C++ vulnerabilities

    • 4 Comments
    Just returned from Blackhat – it always seems that the presentations I most want to see happen at the same time as I'm scheduled to talk. Neel Mehta, John McDonald and Mark Dowd were talking about finding exploitable C++ specific flaws, and I was only...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing – Part 3

    • 5 Comments
    The third tool we need in order to create a sandboxed app is a desktop. We've said in many places that the desktop is a security boundary. Unfortunately, there's little real security within a desktop – and this isn't something unique to Windows – the...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing, Part 2

    • 4 Comments
    Once you have a process in a restricted token, the next tool you can use to limit what it can do is a job object. Like restricted tokens, these shipped in Windows 2000. A job object is similar to how ulimits work on UNIX(ish) OS's, but don't do some of...
  • David LeBlanc's Web Log

    Logon ID SIDs

    • 1 Comments
    I've mentioned logon ID SIDs a couple of times, but they're fairly arcane. I first ran into them when I was exploring just what was in a process token, and a group SID came up that I wasn't familiar with. Here's how a SID is defined: typedef struct...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing – Part 1

    • 1 Comments
    I've written more than once about how interesting restricted tokens are – the earliest article was on Mark Edward's Windows Security web site. Unless it's been taken down recently, the article and source code are still there. In the nearly 8 years since...
  • David LeBlanc's Web Log

    Security Dependencies Follow-up

    • 0 Comments
    Someone asked how dependencies should be handled if you're depending on another team at the same company. As you may well imagine, this is a very common issue here – for example, a bunch of apps we ship use SharePoint as a platform, which in turn uses...
  • David LeBlanc's Web Log

    Process Tokens and Default DACLs

    • 1 Comments
    I ran up on something the other day that isn't very well documented in one place. When you're dealing with restricted tokens, and in a few other limited scenarios, the default DACL on the process token becomes important. We can look at the default DACL...
  • David LeBlanc's Web Log

    Security Dependencies

    • 3 Comments
    There's been an interesting little tempest in a teapot going on WRT IE and Firefox. I in general don't pay a whole lot of attention to the browser vuln du jour, but this one caught my eye - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId...
  • David LeBlanc's Web Log

    Misc Ramblings

    • 0 Comments
    Sorry about not posting recently – been distracted by a bunch of stuff. One of the more fun distractions was riding my horse for 100 miles over 2 days on June 2 and 3. We completed looking good despite the fact it was over 100 degrees during the afternoon...
  • David LeBlanc's Web Log

    More on Exception Handlers

    • 2 Comments
    Sitting here at "Blue Hat" watching David Maynor present – pretty cool working for a company that can host its own security conference just to educate employees… A comment just came in that was a good question, and deserves a detailed answer – Arkon...
  • David LeBlanc's Web Log

    New File Converter Coming Soon

    • 11 Comments
    You might have recently heard something about the new "Microsoft Office Isolated Conversion Environment", a tool we are providing to help protect Office 2003 users from malicious content in Office files. You might be asking yourself what it is, and why...
Page 3 of 4 (94 items) 1234