Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!

Browse by Tags

Tagged Content List
  • Blog Post: Security Sessions at TechEd in Australia and New Zealand

    I'm heading to TechEd Oz and NZ in a couple of hours to present the following: SEC312 The "Everything Developers Need to Know About Security" Talk Oz: 9/10/2009 15:30-16:45 NZ: 9/14/2009 14:15-15:30 SEC201 Inside the Microsoft Security Development Lifecycle: And how you can use it...
  • Blog Post: ATL, MS09-035 and the SDL

    http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
  • Blog Post: Integrating the SDL process into Visual Studio

    I’ve been a firm believer of integrating as much security tooling as possible into the development process so developers can get on with developing code and designing solutions rather than having to constantly think about dotting the security “i”s and crossing the security “t”s. The less security “friction...
  • Blog Post: A Conversation About Threat Modeling

    This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with my laptop by the pool :) http://msdn.microsoft.com/en-us/magazine/dd727503.aspx
  • Blog Post: Ken Johnson (Skywing) joins Microsoft

    Following close on the heels of security experts Matt Miller , Adam Shostack and Crispin Cowan joining Microsoft, I am pleased to announce that Ken Johnson, AKA Skywing, has joined our group. Ken brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will...
  • Blog Post: Free Download: Writing Secure Code for Windows Vista

    "For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a "Free E-Book of the Month" offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download...
  • Blog Post: Secure software development practices 'not rocket science'

    http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html #
  • Blog Post: Improvements in Office Security

    David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office guys have been doing over the last few years. Net: about a 50% reduction in vulns!
  • Blog Post: Volume 5 of the Microsoft Security Intelligence Report is out

    Volume 5 of the Microsoft Security Intelligence Report is now out , highlights include: Security vulnerability disclosures - Microsoft and third-party software Vulnerability Exploits – Microsoft software Browser-based exploits - Microsoft and third-party software Security and...
  • Blog Post: Security-Related MSDN Magazine Articles

    Bryan Sullivan and I wrote a couple of articles for this month's MSDN Magazine. If you're not aware, November focuses on Security. The two articles are: Test Your Security IQ Threat Models Improve Your Security Process And there's the Agile SDL paper than I already mentioned .
  • Blog Post: Agile SDL

    Over the last year or so, a bunch of us in the SDL team have been working with agile groups across Microsoft to help streamline the SDL for agile methods. Bryan Sullivan wrote a paper for MSDN Magazine explaining where our current throughts lie. Clearly this is just the start, we have some more work...
  • Blog Post: SAFECode releases "Fundamental Practices for Secure Software Development" document

    Today, SAFECode released an important document entitled, “ Fundamental Practices for Secure Software Development ” aimed at helping software producers create more secure software. The document is unique in that it describes what SAFECode members are doing in practice to raise the security bar; it...
  • Blog Post: Practical Defense in Depth

    <sent from Cabo San Lucas Airport - heading back to Austin > Crosstalk has published an article for mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.
  • Blog Post: SDL Evolution

    UPDATED : Added IOActive post As many of you have seen today , there's been plenty of press about us opening up the SDL for use by other software developers and releasing our threat modeling tool. For those of you who have no clue what the heck I'm talking about, here are a handful of articles about...
  • Blog Post: GOOG Chrome's use of NX/DEP

    Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to Windows . Scroll about halfway down the article.
  • Blog Post: Kim Cameron on GOOGs single sign on design vulnerability

    I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug . I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.
  • Blog Post: Katie Moussouris joins the SDL team

    Dave Ladd just posted a note about Katie joing the ever-growing SDL team. For you twitter freaks out there she's @k8em0 :) Welcome, Katie...
  • Blog Post: SDL and the XSS Filter

    Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner just posted an article looking at XSS filter from an SDL perspective. While I'm on the subject of XSS and Dave, if XSS is an area of interest to you, you really should follow his blog . He's a member of our group focused...
  • Blog Post: Overlong UTF-8 Escapes Bite

    Every once in a while a security bug pops up that really piques my interest, and a new directory traversal bug that affects Apache Tomcat (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938) most certainly made me take notice because I haven't seen this bug type in a lllooonnnggg time. It...
  • Blog Post: Matt Miller Joins the Security Science Team!

    Good news! Matt Miller, author of plenty of cutting-edge security research, including my fave “ A Brief History of Exploitation Techniques and Mitigations on Windows ” has joined the Security Science team to work on improved ways to find security vulnerabilities and better software defenses through mitigations...
  • Blog Post: Security is bigger than finding and fixing bugs

    I just wrapped up a post over on the SDL blog with some comments about an article on Google's security work.
  • Blog Post: How Very True

    http://twitter.com/alexsotirov/statuses/882866444
  • Blog Post: Improve Security with "A Layer of Hurt"

    I just wrote a post over on the SDL blog about how to get started with fuzzing,...
  • Blog Post: Insecure 3rd party software updaters

    Gotta love Robert's sarcasm .. but he's right.
  • Blog Post: SQL Server and the Windows Server 2008 Firewall

    SDL alum, Shawn Hernan (now in the SQL Server team), has written an excellent post about SQL Server 2008, Windows Server 2008 and the impact of the firewall being enabled by default in Windows Server 2008, the first time we have enabled a firewall by default in our server operating system. If you're...
Page 1 of 13 (317 items) 12345»