The Security Development Lifecycle

• MSDN Security Issue Articles (1 comment)
  Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog! First up is a code review quiz, “Test Your Security IQ”. Put your...

• SDL Announcements at TechEd EMEA (4 comments)
  Hello all, Dave here… I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference. In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of...

• Applying SDL Principles to Legacy Code (1 comment)
  Hello, this is Scott Stender from iSEC Partners, one of the SDL Pro Network partners. As security consultants, we at iSEC work with a variety of companies to drive security throughout their development cycle. Clients with mature security processes ask...

• MS08-067 and the SDL (10 comments)
  Hi, Michael here. No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape...

• Good Hygiene and Banned APIs (5 comments)
  Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement was put in place to prevent use of certain older C runtime functions...

• Experiences Threat Modeling at Microsoft (2 comments)
  Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of this blog might enjoy. So please, enjoy! And while I’m at it, I wanted to draw attention...

• Mitigating Exploitation Techniques (2 comments)
  Hi, Matt Miller from Microsoft’s Security Science team here to talk about exploitation & mitigation. Over the past decade exploitation techniques have been developed and refined to the point that very little expertise has been needed to successfully...

• SDL Sessions at BlueHat (4 comments)
  Bryan here. Last January, I wrote a post on this blog bemoaning the difficulty of making security interesting and “sexy” to developers. Applied research conferences generally place a much greater emphasis on revealing new vulnerabilities and new attack...

• About the SDL Pro Network (2 comments)
  Hello all, Dave here... I expect that a number of you have seen the announcement and various press articles or Steve Lipner's Tuesday post about our launch of the SDL Threat Modeling Tool 3.0, the SDL Optimization Model and the SDL Pro Network. Since...

• SDL Press Tour Announcements (2 comments)
  Steve Lipner here. Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, but this time we also spoke...

• New Addition to the Starting Line-up... (3 comments)
  Hey all – Dave here… Wanted to drop a quick note to introduce the latest member of the SDL team - Katie Moussouris! Many of you may already know Katie from her past work on the MSRC Ecosystem Strategy Team or her tenure at Symantec and @Stake. ...

• SDL and the XSS Filter, Revisited (3 comments)
  Bryan here. Since Steve called me out in his post on the XSS Filter last week, I feel obligated to clarify my position. ☺ I believe that the SDL blog is mainly for development teams; after all, development is the D in SDL. Now, development teams are made...

• SDL and the XSS Filter (4 comments)
  Steve Lipner here. When the Internet Explorer team posted the announcement about the XSS Filter feature in IE8 I asked some other members of the SDL blog team “why aren’t we talking about the new XSS Filter feature on the SDL blog?” Bryan and Jeremy said...

• Security Is Bigger than Finding and Fixing Bugs (3 comments)
  I’ve been catching up on various security-related articles that I’ve been meaning to read, and the following article was on the list http://www.itnews.com.au/News/73635,google-shares-its-security-secrets.aspx about Google’s “security secrets.” Quoting...

• What Do You Want to Know about SDL Threat Modeling? (1 comment)
  Adam Shostack here. I'm working on a paper about "Experiences Threat Modeling at Microsoft" for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don't know all the questions that readers...

• Improve Security with "A Layer of Hurt" (4 comments)
  Hello, Michael here. I got a lot of interesting comments from my TechEd 2008 presentation entitled "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number...

• Wrapping Up "Walking" with the SDL (1 comment)
  Jeremy Dallman here. Before we move on with our regularly scheduled programming here at the SDL blog, I wanted to pull all of the “Walking with the SDL” blog posts into a single document to put it all together in another format. You can find that document...

• "Walking" with the SDL - Part 4 (1 comment)
  Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2, Part 3]. So far I have discussed getting management approval, expanding security training, formalizing security...

• "Walking" with the SDL - Part 3 (1 comment)
  Jeremy Dallman here. This is Part Three in my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2]. So far I have discussed getting management approval and expanding security training. In this post I will discuss...

• “Walking” with the SDL – Part 2 (3 comments)
  Jeremy Dallman here with Part Two in my series on “Walking” with the SDL. In Part One, I provided a snapshot of “Crawling” and discussed getting management approval. In Part Two, I will cover a couple more “Walk” components: expanding security training...

• "Walking" with the SDL - Part 1 (6 comments)
  Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL. I used the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft...

• New SDL Website (3 comments)
  Hi all, Dave here… I’m pleased to announce the availability of new resources for the Microsoft Security Development Lifecycle (SDL). We have recently launched a dedicated SDL website at www.microsoft.com/sdl. This website will serve as the main...

• Security Thoughts from TechEd 2008 (2 comments)
  Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented at TechEd 2008 in Orlando the week of June 2nd. First up is Laura. I have been a Security Program Manager for the last 3 years, working as...

• SQL Injection Defense Tools (5 comments)
  Bryan here. A couple of weeks ago, I posted a blog entry with links to SQL injection defense guidelines. The SDL requires guidance and education for end-users, and tools to verify security settings are highly recommended, as defined in "Stage 5: Implementation...

• SDL Threat Modeling: Past, Present and Future (2 comments)
  Adam Shostack here. I wanted to share my slides from the recent Layer One conference [link], where I talked about "SDL Threat Modeling: Past, Present and Future." There are a few points that I wanted to emphasize. The first is that I'm talking...

Page 7 of 10 (230 items)