Michael Howard's Web Log

I just wrote a post over on the SDL blog about how to get started with fuzzing,...

Gotta love Robert's sarcasm .. but he's right.

SDL alum, Shawn Hernan (now in the SQL Server team), has written an excellent post about SQL Server 2008, Windows Server 2008 and the impact of the firewall being enabled by default in Windows Server 2008, the first time we have enabled a firewall by...

I just added a post over on the SDL blog about heap corruption and process termination as well as some caveats you should be aware of if you use your own custom heap manager.

I just posted an article on the SDL blog about the recent news of SQL injection vulnerabilities...

It had to happen. Since joining Microsoft a few short months ago, Crispin Cowen now has a blog . He's told me some of his ideas for posts... should make for an interesting read! He's never short on opinion.

I just posted an article over on the SDL blog about security metrics in reponse to an analyst's criticisms of how we measure success/failure/progress. Comments always welcome. UPDATE David Litchfield just made a post on the subjet.

Dave Ladd has just made a (long) post over on the SDL blog announcing the availability of the SDL 3.2 doc suite. This is a big deal.

Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports DEP/NX, but it's disabled by default owing to compatibility issues. Well, DEP/NX is now enabled by default for IE8 when running on Windows Server 2008 and Window...

David LeBlanc and I (and a bunch of others) just had a little email exchange about some fascinating integer overflow vulnerabilities in gcc . Long story made short: the code you add to detect integer overflows might actually be removed by the compiler...

These are pretty cool - I'm a big fan of highly focused, short education like this... http://msdn2.microsoft.com/en-us/security/bb896640.aspx

Update: Added Microsoft bulletin stuff. I'm always looking up CVEs so I want to get to the data as quickly as possible, especially if I'm digging through a load of them. Three years ago I posted some code to perform CVE lookup using Smart Tags in...

MSDN Magazine has just published an article I wrote that collects many of the various C and C++ defenses in the current Visual C++ compiler suite, all of these defenses are SDL requirements or recommendations.

Following on from my recent post about Windows Vista security and the SDL, a number of people have indicated to me that obvioulsy it's a fluke. It's important to point out that the reason I talk about Windows Vista so much is because I work in the Windows...

Windows Server 2008 has shipped! And a fine product it is, too! Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista...

I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones' vulnerability analysis and the lack of security progress by our competitors.

2/19 - Added some Minor Tweaks Perhaps it's the phase of the moon or something, but over the last few weeks I have received more email about correctly using the HeapSetInformation function than any other topic. I really don't know why! This was added...

Today SAFECode , the Software Assurance Forum for Excellence in Code, introduced its first white paper, "Software Assurance: An Overview of Current Industry Best Practices." The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper...

My colleague Eric Bidstrup has just posted a thought provoking article on the SDL blog about elections software and the SDL.

In the interests of helping secure the platform, we want more people to opt-in to using Data Execution Prevention (aka DEP aka NX), and we have lowered the barrier to entry for application developers in Windows Vista SP1, Windows XP SP3 and Windows Server...

My kids are desperate for pets; my six-year old son wants a dog (note, a dog, not a puppy!) and my 4-year old daughter wants a cat. The worse part is my wife keeps egging the kids on, and says she'll get the a pet when I'm next out of town. Tonite...

The standard crypto providers such as DSSENH and RSAENH are now certified FIPS 140-2 on Windows Vista. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm has all the info.

I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the...

http://blogs.msdn.com/david_leblanc/archive/2008/01/16/a-good-reason-to-install-sp3.aspx

On Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here's an excerpt. When a customers [sic, you need to learn some simple grammar, Curphey!] development team...