Browse by Tags

  • Blog Post: What a Journey It Has Been

    I remember the security situation at Microsoft in 2001 and 2002 like it was yesterday. Perhaps no other couple of years will be so indelibly etched into my brain as those two. 2001 was not so good, but 2002 was a heck of a lot better! Given 2001, this was not a difficult achievement for 2002! So, let...
  • Blog Post: Trustworthy Computing’s 10 Year Milestone – Reflecting on Humble Beginnings

    January marks the ten year milestone of Bill Gates' memo on Trustworthy Computing . When I think about “where was I when…” the email hit my inbox, several memories come to mind that I thought I’d share. Back then I was the Director of Security Assurance, a position that encompassed...
  • Blog Post: Updated SDL Tools Available

    Hello all, Today we are excited to announce that some enhancements have been made to three of our free Security Development Lifecycle (SDL) tools - Threat Modeling, MiniFuzz, and RegExFuzz. As many of you know, tools can be an invaluable asset when it comes to implementing a Security Development...
  • Blog Post: Application Security: 2011 & Beyond – A Forrester Research Report

    Hi All. Doug here, In April 2011 Forrester Research wrote a new study on Application Security. This study, titled Application Security: 2011 & Beyond led by Dr Chenxi Wang, Lead Analyst at Forrester Research, provides valuable research, insights and recommendations for security and risk professionals...
  • Blog Post: Updated Banned API Documentation Available

    Hi, Michael Howard here. One very low-cost and low-friction SDL task that has high impact is removing (and not adding) banned functionality. The most common examples of banned functionality include various C runtime functions, such as strcpy(), strcat(), strncpy(), sprintf(), gets() and their evil...
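An added example for the banned-API post above (not code from the post itself): the unbounded strcpy()/strcat() pattern beside a bounded replacement that carries the destination size, always terminates, and reports truncation instead of hiding it. The helper names (bounded_copy, bounded_append, greet_*) are invented for illustration; the #pragma deprecated line is the mechanism the SDL banned.h header uses on MSVC and is ignored by other compilers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Helper names are invented. */

/* The banned.h approach: on MSVC, #pragma deprecated makes every later call
   to these functions emit warning C4995, so new uses cannot slip in quietly.
   Other compilers do not know the pragma, hence the guard. */
#ifdef _MSC_VER
#pragma deprecated(strcpy, strcat, strncpy, sprintf, gets)
#endif

typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARG = 2 } copy_status;

/* Before: nothing here knows how large dst is; a long name overruns it. */
void greet_banned(char *dst, const char *name)
{
    strcpy(dst, "Hello, ");   /* banned: unbounded write */
    strcat(dst, name);        /* banned: unbounded write */
}

/* After: the destination size travels with the pointer, the copy is bounded,
   the result is always NUL-terminated, and truncation is reported.
   (strncpy() is banned precisely because it can leave dst unterminated.) */
copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return COPY_BAD_ARG;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);
    return COPY_OK;
}

copy_status bounded_append(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return COPY_BAD_ARG;
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL) return COPY_BAD_ARG;   /* dst is not a terminated string */
    size_t used = (size_t)(end - dst);
    return bounded_copy(dst + used, dst_size - used, src);
}

copy_status greet_bounded(char *dst, size_t dst_size, const char *name)
{
    copy_status s = bounded_copy(dst, dst_size, "Hello, ");
    if (s != COPY_OK) return s;
    return bounded_append(dst, dst_size, name);
}

int main(void)
{
    char buf[12];
    copy_status s = greet_bounded(buf, sizeof buf, "Alexander the Great");
    printf("%s (status %d)\n", buf, (int)s);   /* truncated, not overflowed */
    return 0;
}
```

The status code is the part that matters in practice: a bounded copy that silently truncates can still turn into a logic bug (a path or ACL string cut short), so callers should treat COPY_TRUNCATED as an error unless truncation is genuinely acceptable.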
  • Blog Post: Tooling News: Web Application Configuration Analyzer Released

    Hello all, this is Monty LaRue posting with some SDL related tools news. Microsoft has recently released an updated version of the Web Application Configuration Analyzer (WACA). While this tool isn't intended to satisfy specific SDL requirements, it is valuable for performing best practices checks on...
  • Blog Post: I’m starting to use the SDL, but how do I…?

    Jeremy Dallman here with another release of free SDL documents. Today we are making available a library of templates to help you get started with the more thought-based SDL practices or activities. One of the big questions we faced early at Microsoft and are now hearing again as more companies...
  • Blog Post: Now available: Microsoft SDL Process Guidance updates – version 5.1

    Jeremy Dallman here to let you know we have released our annual update to the Microsoft Security Development Lifecycle Process Guidance – version 5.1 (SDL 5.1) . SDL 5.1 is now available for download (.docx format) as well as updated online in the MSDN library . This public update of our...
  • Blog Post: For your consideration: The SDL Progress Report

    Hello all - Dave here... I wanted to take a few moments to alert you to a new publication from Trustworthy Computing entitled "The SDL Progress Report." This work has been in progress for a number of months and incorporates data and analysis from various groups in our organization. We hope you find...
  • Blog Post: It's Really Only 16 Security Practices - Implementation Guidance Included!

    [update 3/22/10: The Excel spreadsheet referenced in this post is now available for download: http://go.microsoft.com/?linkid=9764798 ] Hey everyone, Jeremy Dallman here with a new way to sort and view the SDL practices and implementation guidance. In April 2010, we worked closely with the Archer...
  • Blog Post: ISV adoption of mitigation technologies

    Hi, Michael here, Over the last few weeks, Matt Miller, Matt Thomlinson, John Lambert and I worked on a paper that describes the various buffer overrun defenses we offer in Windows Vista and later and Windows Server 2008 and later. I’d like to introduce a guest SDL blogger, Matt Miller...
  • Blog Post: Microsoft SDL and the Creative Commons

    Hello all, Dave here… We have received a quite a number of requests from various organizations and individuals that wish to use our Security Development Lifecycle (SDL) content to build out their own secure development processes. We have put a lot of thought into these requests and how best...
  • Blog Post: Black Hat 2010: Elevation of Privilege

    Hi, Adam Shostack here. I just wanted to let you know that I’ll be speaking at Black Hat about “Elevation of Privilege: The Easy Way to Threat Model.” Threat modeling is critical to secure development, and people find it intimidating and tough to get started. I will present Elevation...
  • Blog Post: Black Hat 2010: Secure Use of Cloud Storage

    Hi everyone, this is Grant Bugher. I’ll be giving a talk Thursday afternoon at BlackHat 2010 about securely using cloud storage systems like Windows Azure Storage – how applications that use cloud storage as their database back-end can protect themselves from attacks. Just as with traditional...
  • Blog Post: Meet us at Black Hat to brainstorm the future of security

    Steve Lipner here. Next Tuesday evening (July 27), SAFECode will be sponsoring a brainstorming panel at Black Hat that’s aimed at gathering security community input on vision and approaches for improving software assurance over the next 10 years. SAFECode members all have established software assurance...
  • Blog Post: Banned APIs and Extending the Visual Studio 2010 Editor

    Hi, Michael here. It gives me great pleasure to introduce Tim Burrell from our team based in Cheltenham, England. Amongst other things, Tim works on static analysis and compiler security improvements, but more on that work in a later post! As I have mentioned many times, I’m a huge fan of anything that...
  • Blog Post: New Paper: Security Best Practices For Developing Windows Azure Applications

    Hi Michael here. Over the last few months, a small cross-group team within Microsoft, including the SDL team, has written a paper that explains how to use the security defenses in Windows Azure as well as how to apply practices from the SDL to build more secure Windows Azure solutions. We wrote...
  • Blog Post: Visual C++ 2010 and Improved SAL Support

    Michael here. I have written about some of the security improvements in VC++ 2010 ( here and here ) and want to mention another important one: improved SAL support. The Standard Annotation Language (SAL) is a way of annotating function prototypes to help static analysis tools find bugs, including...
  • Blog Post: Now available: Microsoft SDL version 5

    Jeremy Dallman here to announce that we are releasing the latest version of the Microsoft Security Development Lifecycle process guidance – Version 5 (SDLv5) . It is now available for download as well as updated in the MSDN library . We have released incremental updates to the SDL process guidance...
  • Blog Post: Survey Results: Microsoft SDL awareness on the rise

    Jeremy Dallman here. Earlier today, Errata Security released the results of their survey: Integrating Security into the Software Development LifeCycle . This survey was conducted over a two-week period and gathered information from 46 different companies both online and at events around the RSA 2010...
  • Blog Post: Telling their SDL stories: IE8 and Office 2007

    Jeremy Dallman here to let you know we published a couple of new interesting Microsoft SDL stories last week in an effort to continue demonstrating in a tangible and easy-to-read way how Microsoft teams implement the SDL. We hear about more companies investigating how they can integrate the Microsoft...
  • Blog Post: How to open a parachute during free-fall: Introducing Quick Security References (QSRs)

    Jeremy Dallman here to tell you about some new security guidance papers we are releasing today. “My company was just attacked by something called SQL Injection! I have no idea what that is, or what I should do next! Where do I start?” Unfortunately, this is a frequent scenario for many developers...
  • Blog Post: HeapSetInformation in Visual C++ 2010 beta 2

    Hi, Michael here. Over the years, we have learned a great deal about the practical aspects of securing software; but two lessons that really stand out for me are: · You will never get the code perfect, so add defenses. · Make securing software as easy as possible for designers, developers and...
  • Blog Post: ATL, MS09-035 and the SDL

    Hello, Michael here. <updated: 7/31 - changed the compiler 'warning' to 'error'> Today, the Microsoft Security Response Center (MSRC) released two out-of-band security bulletins, MS09-034 and MS09-035 , and a Security Advisory , to address security bugs in the Active Template Library (ATL...
  • Blog Post: A Declspec SAL to Attribute SAL Rosetta Stone

    Hi, Michael here. A while back I wrote a blog post explaining the Standard Annotation Language (SAL) which is a technology we use to help static analysis tools find more bugs, including security vulnerabilities, in C and C++ code. If you look closely at VC++ 2005 and VC++ 2008, you’ll notice that almost...
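An added example for the two SAL posts above (the Visual C++ 2010 SAL post and this declspec-to-attribute one); it is not code from either post. It shows one function prototype annotated in the attribute SAL form that VC++ 2010 uses, with the older declspec spelling given in a comment for comparison. The hexlify function and its contract are invented for illustration. On non-Microsoft compilers the annotations are defined as empty macros so the file still builds: SAL is read by the static analyzer (/analyze on MSVC), not enforced by the compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the original posts. hexlify() is invented here. */
#ifdef _MSC_VER
#include <sal.h>               /* the real annotations, consumed by /analyze */
#else                          /* elsewhere: define them away so this builds */
#define _In_reads_bytes_(n)
#define _Out_writes_z_(n)
#define _Success_(expr)
#define _Must_inspect_result_
#endif

/* Unannotated prototype (for contrast only; not defined here). The analyzer
   sees four unrelated parameters: it cannot check that "in" really holds
   "len" bytes or that "out" has room for "out_cap" characters. */
int hexlify_unannotated(const unsigned char *in, size_t len, char *out, size_t out_cap);

/* Attribute SAL (VC++ 2010): the prototype now states the contract, so the
   analyzer can flag a caller that passes a too-small buffer or ignores the
   return value. The declspec SAL of VC++ 2005/2008 spelled roughly the same
   contract as
     __checkReturn __success(return != 0)
     int hexlify(__in_bcount(len) const unsigned char *in, size_t len,
                 __out_ecount(out_cap) char *out, size_t out_cap);
   (comparison only; the declspec form is not compiled in this file). */
_Must_inspect_result_
_Success_(return != 0)
int hexlify(_In_reads_bytes_(len) const unsigned char *in, size_t len,
            _Out_writes_z_(out_cap) char *out, size_t out_cap)
{
    static const char digits[] = "0123456789abcdef";

    if (in == NULL || out == NULL || out_cap == 0) return 0;
    /* 2*len+1 must fit in out_cap; guard the multiplication against overflow. */
    if (len > (SIZE_MAX - 1) / 2 || out_cap < 2 * len + 1) {
        out[0] = '\0';             /* failure still leaves a terminated string */
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 1;
}
```

The annotations cost nothing at run time; their value is that the buffer-size relationship between in/len and out/out_cap is now visible at every call site, which is exactly the class of bug (caller-side over-read or over-write) that a static analyzer cannot find from an unannotated prototype.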
Page 1 of 3 (52 items)