Michael Howard's Web Log

I received a number of emails about the 'eXPired' poster on my office door, heck it even made " Quote of the Week " in the Seattle Post-Intelligencer (scroll to the bottom.) So here it is (click for a bigger image) As for Tigger - he's my mood...

As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for our partners I won’t name names, but the “usual...

I was quite surprised when a number of folks criticized the data used in the report titled " Microsoft SQL Server Runs the Security Table " from ESG - it was just CVE data! Well, David Litchfield has done some of his own research, and created a report...

Day two of the SDL training session for OEMs went well. James Whittaker led the discussion for the first half of the morning, discussing security testing. His main point was that testing for security requires a diffferent mind set - you still have to...

There's an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG's Trustworthy Computing memo. IMHO, here's why such an email is so important. If...

This is probably the most in-depth analysis of Mac OS X security I've ever read. It's a worthwhile read. I was especially fascinated by the last section on preventative measures because we've spent so much time on this stuff in Windows Vista, and it's...

So, the final day of the SDL sessions for our OEM partners is complete... My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very pointed and deep questions. The companies could have...

When I read the interview " Allchin Suggests Vista Won't Need Antivirus " with Jim Allchin I shuddered, and then I realized he'd been taken out of context. Jim is no fool. Anyway, he's responded , and I'm happy to see he has. Long time Microsoft watcher...

http://www.vnunet.com/vnunet/news/2169225/microsoft-beats-oracle-security

In my opinion, SQL Server 2000 SP3, SQL Server 2005 and IIS6 have been the poster-children for SDL. Enterprise Strategy Group just released a research paper comparing the security of SQL Server with Oracle and MySQL. And no, this was not commissioned...

Earlier this year I wrote a blog post about Anti-XSS Library v1.0. Well, it's been updated with new methods to escape other kinds of data. You should start at the landing page .

I'm so glad to have been involved in the development of Windows Vista, it's a wonderful OS. For the longest time I hung on to Windows XP SP2, thinking it's "good enough" but after using Vista for over a year now on my daily laptop, I simply can't go back...

Enterprise Strategy Group analyst Jon Oltsik has published a non-commissioned research note lauding Microsoft’s efforts to develop industry leading secure coding practices through its Security Development Lifecycle (SDL). The report gives a historical...

http://www.microsoft.com/technet/windowsvista/security/guide.mspx