Tagged Content List
  • Blog Post: Risk Management

    My first article on the topic of security testing and risk management is now published in the March 2009 issue of Testing Experience magazine, pages 28-30. (free online subscription takes you to PDF download)
  • Blog Post: Office Security Team

    The Office security team typically targets memory-corruption bugs in the software like buffer overruns, integer overruns, and format strings...
  • Blog Post: Security & Perf Videos

    J.D. Meier has posted a decent index of videos covering performance testing, ASP.NET 2.0, and VSTS:
  • Blog Post: Patterns & Practices Security Videos

    "Click Here"
  • Blog Post: Michael Howard on the Silver Bullet Security Podcast

    Here's the link...
  • Blog Post: CERT Secure Coding Standards

    "This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. "
  • Blog Post: MSRC Stories

    This article has an interesting peek into life at the Microsoft Security Response Center: "I'm at the shop and over the radio I hear: 'The Internet was taken down today by a worm affecting SQL Server,'" recalls Toulouse. "That was the...
  • Blog Post: port 25 is open on port 80

    Here's an interesting blog to watch, courtesy of the Open Source Software Lab @ Microsoft.
  • Blog Post: bluehat links

    Some good links if you want to check out some of the speakers and topics addressed at the last Microsoft bluehat conference:
  • Blog Post: running with least privilege

    "In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown." If you care about this type of thing, Aaron Margosis...
  • Blog Post: development related security tools at SecureWorld

    There were two vendors at the SecureWorld conference today in Bellevue that might be worth checking out if you are looking for developer/tester related security products. They should be there tomorrow as well - free registration if you are just walking the booths. Security Innovation sells a fault injection...
  • Blog Post: Reducing Browser Privileges

    "a simple yet little-known approach exists for users to avoid many of these vulnerabilities in any web browser"
  • Blog Post:

    Thanks to .NET Delirium for pointing out this site:
  • Blog Post: the amazing live honey monkeys

    Security researchers have all the fun. This paper describes how the Strider HoneyMonkey Exploit Detection system uses active client honeypots (AKA "honey monkeys") to find web sites that exploit browser vulnerabilities.
  • Blog Post: How To Break Web Software

    This is not a Microsoft sponsored talk, and the term "webinar" makes me cringe, but it might be worth it for testers in the crowd: "In this Webinar, the primary author of all three books of the "How to break.." series will take you on a journey through the set of techniques for breaking (from a security...
  • Blog Post: static code analysis in the news

    I remember a few years ago at a software quality conference in Portland telling people in the hallway after talks about these cool static code analysis tools we had, but then having to admit they were just internal. Fast forward to today, the news is talking about it, Beta/CTP bits are available, and...
  • Blog Post: non-admin in the news...

    Let's hear it for the little non-admin wiki that could:
  • Blog Post: security kaizen

    Some starting points for sharpening the security saw: Threat Modeling (MSDN) http://Channel9.Msdn.Com/Security (MSDN/Channel9/PAG security wiki)
  • Blog Post: NIST - Early Computer Security Papers

    Thanks to Michael Howard for passing this along... "This list of papers was initially distributed on CD-ROM at NISSC '98. These papers are unpublished, seminal works in computer security. They are papers every serious student of computer security should read."
  • Blog Post: VSTS Tip: TF Permissions

    This is information for Beta 2 - if you stumble across this in the future and have a ship version of VSTS please consider it expired and rotting so that it does not cause you more harm than good. That said, and with the disclaimer that applies to all information on this blog, here's the best I've been...
  • Blog Post: thoughts on the future of dynamic code analysis

    This really belongs in the comments field of my last blog post, but it turned out I had more thoughts to vent and this would make a monster of a comment, so here goes: What more could there be to dynamic analysis than code coverage and profiling? Probably the debugger falls into that category. I don...
  • Blog Post: Security and the Software Development Lifecycle

    Not breaking news or anything, this document is prominently dated "April 1, 2005" on the front page so it's been out for a while, but for anyone else interested in security and the software development lifecycle, this could make for some interesting reading material and is chock full of ideas at least...
  • Blog Post: SANS Top 20

    "The Most Critical New Vulnerabilities Discovered or Patched During the First Quarter of 2005"
  • Blog Post: regsvr32 for non-admins

    Interesting article up on Code Project: "The principal advantage is that the user can still register and use the COM server even if he is not an administrator of the machine or does not have write access to HKEY_LOCAL_MACHINE." --- ... and another...
  • Blog Post: another LUA link

    This time from the Windows Embedded (XPE/LHE not CE) team blog:
Page 1 of 2 (29 items)