Eric Jarvi : security

Password Complexity

ejarvi — Fri, 16 Oct 2009 19:46:00 GMT

Alan Myrvold has a new post on the Office 2010 engineering blog covering password complexity and related functionality in Office:

http://blogs.technet.com/office2010/archive/2009/10/16/enabling-password-rules-for-office-2010.aspx

Risk Management

ejarvi — Fri, 13 Mar 2009 20:38:00 GMT

My first article on the topic of security testing and risk management is now published in the March 2009 issue of Testing Experience magazine, pages 28-30.

http://www.testingexperience.com/subscribe.php
(free online subscription takes you to PDF download)

Office Security Team

ejarvi — Fri, 18 Jul 2008 22:13:00 GMT

The Office security team typically targets memory-corruption bugs in the software like buffer overruns, integer overruns, and format strings...

http://www.darkreading.com/document.asp?doc_id=159305

Security & Perf Videos

ejarvi — Mon, 26 Nov 2007 23:32:00 GMT

J.D. Meier has posted a decent index of videos covering performance testing, ASP.NET 2.0, and VSTS:

http://blogs.msdn.com/jmeier/archive/2007/11/22/videos-security-performance-testing-and-visual-studio-team-system.aspx

Information Assurance

ejarvi — Sun, 28 Oct 2007 06:47:00 GMT

The Unintended Consequences of the Information Age Lecture Series: Our Infrastructures: Online and Vulnerable?

Jointly sponsored by The Center for Information Assurance and Cybersecurity, UW-INSER, the MS Program in Strategic Planning for Critical Infrastucture, Pacific Northwest National Laboratory and the Information School, this series provides a compelling case for increased research in cybersecurity as related to critical infrastructure.

Part 1 will air on UWTV at the following times:

Monday October 29 at 6pm
Wed Oct 31 at 11pm
Thurs November 1 at 10:30am and 7pm
Friday Nov 2 at 4pm
Sunday Nov 4 at 3pm

Future airdates will be posted later on the UWTV website:
http://www.uwtv.org/programs/displayevent.aspx?rID=20354&fID=2095

Patterns & Practices Security Videos

ejarvi — Mon, 26 Mar 2007 17:53:00 GMT

"Click Here"

http://blogs.msdn.com/jmeier/archive/2007/03/24/patterns-practices-security-videos.aspx

Michael Howard on the Silver Bullet Security Podcast

ejarvi — Sat, 30 Sep 2006 03:19:00 GMT

Here's the link...

http://www.cigital.com/silverbullet/show-006/

CERT Secure Coding Standards

ejarvi — Wed, 27 Sep 2006 19:22:00 GMT

"This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. "

https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards

MSRC Stories

ejarvi — Thu, 10 Aug 2006 00:03:00 GMT

This article has an interesting peek into life at the Microsoft Security Response Center:

http://redmondmag.com/features/article.asp?EditorialsID=616

"I'm at the shop and over the radio I hear: 'The Internet was taken down today by a worm affecting SQL Server,'" recalls Toulouse. "That was the first I heard of it."

A few moments later, Toulouse was racing toward Redmond, the interior of his Jeep still torn open from the half-finished installation.

port 25 is open on port 80

ejarvi — Fri, 07 Jul 2006 17:03:00 GMT

Here's an interesting blog to watch courtesy the Open Source Software Lab @ Microsoft - http://port25.technet.com/ (for RSS - http://port25.technet.com/rss.aspx )

bluehat links

ejarvi — Wed, 22 Mar 2006 01:52:00 GMT

Some good links if you want to check out some of the speakers and topics addressed at the last Microsoft bluehat conference:

http://blogs.technet.com/bluehat/archive/2006/03/21/422707.aspx

running with least privilege

ejarvi — Wed, 30 Nov 2005 21:45:00 GMT

"In the ongoing battle to fight internal and external threats on the corporate desktop, IT staffers may be forgetting one very potent weapon in their arsenal—system lockdown." http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp

If you care about this type of thing, Aaron Margosis's blog is the place to go: http://blogs.msdn.com/Aaron_Margosis/

development related security tools at SecureWorld

ejarvi — Thu, 20 Oct 2005 03:07:00 GMT

There were two vendors at SecureWorld conference today in Bellevue that might be worth checking out if you are looking for developer/tester related security products. They should also be there tomorrow as well - free registration if you are just walking the booths. Security Innovation sells a fault injection tool called Holodeck and SPI Dynamics sells a tool called WebInspect that has VSTS integration in beta right now.

Reducing Browser Privileges

ejarvi — Wed, 05 Oct 2005 20:41:00 GMT

"a simple yet little-known approach exists for users to avoid many of these vulnerabilities in any web browser"

http://www.securityfocus.com/infocus/1848

leastprivilege.com

ejarvi — Fri, 02 Sep 2005 07:35:00 GMT

Thank to .NET Delirium for pointing out this site:

http://blogs.msdn.com/gduthie/archive/2005/09/01/459576.aspx