The Security Development Lifecycle
security assurance
Tagged Content List
Blog Post:
SDL and Compliance: New Blog Series at Security Blogs
SDL Team
Arjuna Shunn here. Our friends over on the security blog have done up a series of posts about SDL and compliance which are worth reading. Using data from numerous sources, ranging from our SDL and HIPAA whitepaper, our SDL and PCI DSS/PA-DSS whitepaper, and from our SDL Chronicles among others, they’ve...
on 7 Dec 2012
Blog Post:
Software Assurance: How can you tell?
SDL Team
We’ve posted before on the work of SAFECode, a non-profit organization of software vendors who seek to share their approaches to improving the security and assurance of software. In a pair of recent blog posts on the SAFECode blog, Eric Baize of EMC and I discuss effective ways for software acquirers...
on 11 Sep 2012
Blog Post:
Financial Services Industry Publishes Software Assurance Framework
SDL Team
More and more enterprises are realizing the importance of proactive security practices and those involved in critical infrastructure are no exception. One of the most effective ways to drive security improvements in critical infrastructure is through industry consensus. Microsoft has been deeply involved...
on 1 Feb 2012
Blog Post:
Evolving Secure Code at Microsoft and Beyond
SDL Team
Steve Lipner here… Over the past few weeks, Microsoft has been reflecting on the ten year anniversary of the Trustworthy Computing initiative; thinking about the things that have led us to this point in our history and speculating about the future. Obviously a big part of our work has been...
on 1 Feb 2012
Blog Post:
Application Security: 2011 & Beyond – A Forrester Research Report
SDL Team
Hi All. Doug here, In April 2011 Forrester Research wrote a new study on Application Security. This study, titled Application Security: 2011 & Beyond led by Dr Chenxi Wang, Lead Analyst at Forrester Research, provides valuable research, insights and recommendations for security and risk professionals...
on 12 Jul 2011
Blog Post:
ISV adoption of mitigation technologies
Michael Howard
Hi, Michael here, Over the last few weeks, Matt Miller, Matt Thomlinson, John Lambert and I worked on a paper that describes the various buffer overrun defenses we offer in Windows Vista and later and Windows Server 2008 and later. I’d like to introduce a guest SDL blogger, Matt Miller...
on 21 Sep 2010
Blog Post:
Secure Coding Secrets?
SDL Team
Hi, Michael here. A recent article titled "NSA posts secrets to writing secure code" caught my eye in part because the words "writing secure code" always get my attention! But also because anything that can advance the science of securing software is of interest to me. There is another reason...
on 18 Nov 2008
Blog Post:
Common Criteria and answering the question 'Is it Safe'
SDL Team
Hi all, Eric Bidstrup here. One of the areas that our group is also involved is in industry standards regarding security assurance, and Common Criteria (aka ISO 15408) is the standard internationally recognized by 24 governments (including the US, UK, Germany, Japan, and others). It’s interesting...
on 20 Dec 2007