Browse by Tags

Tagged Content List
  • Blog Post: Secure Development Is Much Easier Than You Think

    Secure software development is something we believe is absolutely critical to helping create safer more trusted computing experiences for everyone. So much so that we invest in providing free tools, resources and guidance to help assist organizations in adopting an SDL process and are actively involved...
  • Blog Post: Microsoft SDL Conforms to ISO/IEC 27034-1:2011

    Steve Lipner here. This morning Scott Charney announced in his keynote at the Security Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text from this announcement was as follows: Microsoft has used...
  • Blog Post: SDL and Compliance: New Blog Series at Security Blogs

    Arjuna Shunn here. Our friends over on the security blog have done up a series of posts about SDL and compliance which are worth reading. Using data from numerous sources, ranging from our SDL and HIPAA whitepaper, our SDL and PCI DSS/PA-DSS whitepaper, and from our SDL Chronicles among others, they’ve...
  • Blog Post: Software Assurance: How can you tell?

    We’ve posted before on the work of SAFECode, a non-profit organization of software vendors who seek to share their approaches to improving the security and assurance of software. In a pair of recent blog posts on the SAFECode blog, Eric Baize of EMC and I discuss effective ways for software acquirers...
  • Blog Post: Attack Surface Analyzer 1.0 Released

    Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications...
  • Blog Post: Warnings, /sdl, and improving uninitialized variable detection

    Hello all - Dave here. Tim Burrell and Thomas Garnier of the TwC Security Science team present the sixth and last blog installment describing more /sdl functionality in Visual Studio 2012 RC. Please note that there will be an MSDN webcast discussing the security enhancements to Visual Studio 2012...
  • Blog Post: Now available: Microsoft SDL Process Guidance updates – version 5.2

    Jeremy Dallman here to let you know we have released our annual update to the Microsoft Security Development Lifecycle Process Guidance – version 5.2 (SDL 5.2). SDL 5.2 is now available for download (.docx format) as well as updated online in the MSDN library. The changes in SDL 5.2 demonstrate...
  • Blog Post: Guarding against re-use of stale object references

    Hello all - Dave here... Tim Burrell of the TwC Security Science team presents the fifth blog installment describing /sdl functionality in Visual Studio 11. In the last...
  • Blog Post: Guarding against uninitialized class member pointers

    Hello all – Dave here… Now that RSA is over and things are somewhat back to normal, we can get back to the business of talking about Visual Studio features as they relate to the SDL. Here we present the fourth installment of the series by Thomas Garnier of the Security Science team talking...
  • Blog Post: Enhancements to /GS in Visual Studio 11

    Hello all – Dave here… As mentioned in previous posts, there are some interesting changes afoot regarding security in Visual Studio 11. Here is the next installment of the series by Tim Burrell outlining more of the work done by Security Science and the talented folks on the Visual Studio...
  • Blog Post: What a Journey It Has Been

    I remember the security situation at Microsoft in 2001 and 2002 like it was yesterday. Perhaps no other couple of years will be so indelibly etched into my brain as those two. 2001 was not so good, but 2002 was a heck of a lot better! Given 2001, this was not a difficult achievement for 2002! So, let...
  • Blog Post: Trustworthy Computing’s 10 Year Milestone – Reflecting on Humble Beginnings

    January marks the ten year milestone of Bill Gates' memo on Trustworthy Computing. When I think about “where was I when…” the email hit my inbox, several memories come to mind that I thought I’d share. Back then I was the Director of Security Assurance, a position that encompassed...
  • Blog Post: Compiler Security Enhancements in Visual Studio 11

    Hello all – Dave here… In chatting with our colleagues in the MSEC Security Science Team, there were a number of interesting topics that weren’t covered in our previous Code Analysis blog post – information that would help contribute to the understanding of security features...
  • Blog Post: Code Analysis for All

    Hello All - As many of you already know, the SDL team at Microsoft has a strong relationship with our colleagues in the MSEC Security Science team - these guys are on the front line of tool development for the SDL, and are always looking for new ways to take the security technologies they produce...
  • Blog Post: Updated SDL Tools Available

    Hello all. Today we are excited to announce that some enhancements have been made to three of our free Security Development Lifecycle (SDL) tools - Threat Modeling, MiniFuzz, and RegExFuzz. As many of you know, tools can be an invaluable asset when it comes to implementing a Security Development...
  • Blog Post: Application Security: 2011 & Beyond – A Forrester Research Report

    Hi all. Doug here. In April 2011 Forrester Research wrote a new study on Application Security. This study, titled Application Security: 2011 & Beyond, led by Dr. Chenxi Wang, Lead Analyst at Forrester Research, provides valuable research, insights and recommendations for security and risk professionals...
  • Blog Post: Updated Banned API Documentation Available

    Hi, Michael Howard here. One very low-cost and low-friction SDL task that has high impact is removing (and not adding) banned functionality. The most common examples of banned functionality include various C runtime functions, such as strcpy(), strcat(), strncpy(), sprintf(), gets() and their evil...
  • Blog Post: Tooling News: Web Application Configuration Analyzer Released

    Hello all, this is Monty LaRue posting with some SDL related tools news. Microsoft has recently released an updated version of the Web Application Configuration Analyzer (WACA). While this tool isn't intended to satisfy specific SDL requirements, it is valuable for performing best practices checks on...
  • Blog Post: I’m starting to use the SDL, but how do I…?

    Jeremy Dallman here with another release of free SDL documents. Today we are making available a library of templates to help you get started with the more thought-based SDL practices or activities. One of the big questions we faced early at Microsoft and are now hearing again as more companies...
  • Blog Post: Now available: Microsoft SDL Process Guidance updates – version 5.1

    Jeremy Dallman here to let you know we have released our annual update to the Microsoft Security Development Lifecycle Process Guidance – version 5.1 (SDL 5.1). SDL 5.1 is now available for download (.docx format) as well as updated online in the MSDN library. This public update of our...
  • Blog Post: The SDL Chronicles – How an Engineering Culture Change Driven by Security Needs Paid Off

    Hi All – Doug here… We recently had the opportunity to get an inside look into a large company’s journey addressing a web application security incident that led to a deep analysis and change in how a development organization builds security into their software development process...
  • Blog Post: For your consideration: The SDL Progress Report

    Hello all - Dave here... I wanted to take a few moments to alert you to a new publication from Trustworthy Computing entitled "The SDL Progress Report." This work has been in progress for a number of months and incorporates data and analysis from various groups in our organization. We hope you find...
  • Blog Post: Return on Investment (ROI) and Secure Application Development: Can a holistic approach save money and increase productivity?

    Doug Cavit here to talk about a presentation I’m giving at the RSA Conference featuring findings from a Forrester Consulting thought leadership paper we recently released. We’re often asked, “What is the real return on investment for putting a secure application development program...
  • Blog Post: It's Really Only 16 Security Practices - Implementation Guidance Included!

    [update 3/22/10: The Excel spreadsheet referenced in this post is now available for download: http://go.microsoft.com/?linkid=9764798 ] Hey everyone, Jeremy Dallman here with a new way to sort and view the SDL practices and implementation guidance. In April 2010, we worked closely with the Archer...
  • Blog Post: ISV adoption of mitigation technologies

    Hi, Michael here. Over the last few weeks, Matt Miller, Matt Thomlinson, John Lambert and I worked on a paper that describes the various buffer overrun defenses we offer in Windows Vista and later and Windows Server 2008 and later. I’d like to introduce a guest SDL blogger, Matt Miller...
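The "Updated Banned API Documentation Available" entry above names the C runtime functions the SDL bans (strcpy, strcat, strncpy, sprintf, gets). The example below is added here and is not code from that post or from Microsoft's Banned API documentation; the function names and the oversized sample input are constructed for illustration. It puts a "before" routine built from banned calls next to bounded replacements that report truncation instead of overflowing, and shows why strncpy is banned alongside strcpy: on truncation it leaves the destination unterminated.

```c
#include <stdio.h>
#include <string.h>

/* "Before": the kind of code the banned-API list targets (illustration only).
 * strcpy/strcat trust the caller to have sized dst correctly; a name longer
 * than the buffer silently writes past its end. Never call this with
 * untrusted input; main() below deliberately does not execute it. */
void build_greeting_banned(char *dst, const char *name) {
    strcpy(dst, "Hello, ");
    strcat(dst, name);
    strcat(dst, "!");
}

/* "After": every write is bounded by the destination size the caller passes.
 * Returns 0 on success, -1 if the result would not fit. On failure dst is
 * reset to "" so a half-written value is never mistaken for a good one. */
int build_greeting_bounded(char *dst, size_t dstsz, const char *name) {
    if (dst == NULL || dstsz == 0 || name == NULL) return -1;
    int n = snprintf(dst, dstsz, "Hello, %s!", name);
    /* snprintf reports the length it *wanted*; n >= dstsz means truncation */
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* strncpy replacement. strncpy(dst, src, dstsz) does not NUL-terminate when
 * src is >= dstsz bytes, so later strlen/printf calls read off the end. This
 * version measures src without scanning past dstsz bytes, refuses to
 * truncate, and always leaves dst terminated. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0 || src == NULL) return -1;
    size_t len = 0;
    while (len < dstsz && src[len] != '\0') len++;
    if (len == dstsz) {          /* no room for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

int main(void) {
    char buf[16];
    /* constructed inputs: one that fits, one that would overrun a 16-byte buffer */
    const char *short_name = "Ada";
    const char *long_name  = "a name that is far too long for the buffer";

    int rc = build_greeting_bounded(buf, sizeof buf, short_name);
    printf("bounded, short name: rc=%d value=\"%s\"\n", rc, buf);

    rc = build_greeting_bounded(buf, sizeof buf, long_name);
    printf("bounded, long name:  rc=%d value=\"%s\"\n", rc, buf);

    /* build_greeting_banned(buf, long_name) would write ~50 bytes into a
     * 16-byte buffer; the bounded version above is the replacement. */
    return 0;
}
```

The boundary worth checking is the terminator: with a 16-byte buffer, "Hello, " (7) plus a 7-character name plus "!" (1) fits, while an 8-character name needs 17 bytes including the NUL and must be rejected rather than truncated.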
Page 1 of 3 (69 items)