I have recently been coordinating much of the effort on the CLR dev team related to the security push. The security push is a period of a few weeks for all groups involved in Whidbey to let us focus on making Whidbey more secure. There was recently a very good post by Mikhail Arkhipov outlining many of the efforts we are focusing on.
There are many people in the CLR team who are very experienced in security, and they have all been working on guiding the effort, but the involvement has not been restricted to them - most of the team was doing some work. The involvement of the whole team is what makes this effort a "push".
My work was mostly to know what issues we have to pay attention to; to know how to use new tools and new libraries or language extensions; and to make general recommendations on some issues. I started to look into all these issues well before the push started, and I was really glad that I did, since during the security push I have been getting a lot of specific questions from various people and my earlier investigations meant that I either knew the answer or at least knew where to look or who to ask. As you can imagine, I also wrote a few documents for our team focusing on various issues, and I set up a web page for the CLR devs with pointers to useful documents and with an FAQ section. I also gave a few presentations introducing new tools available to us. The presentations and documents written by me were mostly based on information already available from various sources. After all, many people have been working on security at Microsoft for a while, and there is a lot of knowledge to be mined within our company.
I will write later about some of the specific things that I have been looking at during the security push.