Georgeo Pulikkathara's Microsoft Blog : Security content

Microsoft Trustworthy Developer Content Strategy

Georgeo Pulikkathara — Thu, 24 Jul 2008 10:29:07 GMT

Technorati Tags: developer content strategy,privacy,security

I was at my Vice President's (Scott Charney) all hands meeting last month. Scott was talking about the need to discuss online safety and Green IT to IT Pros and developers. I was taking some notes and Maslow's Hierarchy of Needs pyramid came to mind.

I thought of what Scott was saying and realized that there was a order to what we need to communicate and drive awareness for. Before we can talk about data privacy to developers and IT Professionals, it was necessary to ensure that the customers platform and applications were secure. Only then can you even think of approaching data privacy.

If an ISV or a corporate development team is to consider data privacy as a requirement, then Security is mandatory. If you're a ISV or a independent software vendor, then you're going to have to answer the questions to your customers who are going to ask you the obvious question, "Am I safe online?".

Online Safety is comprised of Privacy and Security. Let's say you want to provide online safety to your customers who buy your software. You'll probably want to ensure that there is legislation/compliance in place to drive the online safety to protect the customer as well as independent software vendors to limit your liability when you've taken the time and due diligence to ensure your application development efforts coincide with the Microsoft Development Lifecycle.

The way we drive awareness and provide privacy and security for customers is by ensuring that independent software vendors are utilizing the Microsoft SDL in their software development efforts along with organization that expose customer data through online banking portals, or online account access.

Study: Top Web Application Vulnerabilities Remain Unfixed

Georgeo Pulikkathara — Thu, 15 May 2008 04:06:00 GMT

Application Development trends published a study from Cenzic, that shows that 70% of web applications analyzed where susceptible to cross site scripting exploitations with 20% of the web applications studied were vulnerable to SQL injection type attacks. Microsoft provides developers with tons of guidance on how to better secure your web applications. Don't let your web applications get exploited by these types of attacks. Get more details on this article at this link . Study: Top Web Application Vulnerabilities Remain Unfixed

OWASP Top 10 2007

Georgeo Pulikkathara — Sat, 10 May 2008 00:19:23 GMT

Most developers who use Microsoft developer tools and technologies will tell you that if you're looking for developer resources, just go to msdn online. Well not everyone uses Microsoft developer tools and technologies. This is where the Open Web Application Security Project (OWASP) comes in. When folks are looking for application software security guidance, they'll go to an online community such as OWASP. OWASP provides straightforward information so that folks can make informed decisions on the state of their application security whether you're working in .NET, Java, or PHP.

So be sure to check out OWASP, and especially their top 10 list for web application vulnerabilities at http://www.owasp.org/index.php/Top_10_2007 .

Joe Stagner's Security Blog - http://www.securedeveloper.com/

Georgeo Pulikkathara — Tue, 06 May 2008 00:52:00 GMT

Everyone who is interested in learning about security needs to stay focused on this blog when it launches. This is Joe's new security blog that he's going to manage from Scott Guthrie's team. It's going to be good. This is sort of like getting the advanced warning that Jackson is going to start filming the Lord of the Rings trilogy. So stay tuned and make sure you check back at http://www.securedeveloper.com/ for when this blog goes full speed ahead.

George

Digital Black Belt Series

Georgeo Pulikkathara — Tue, 06 May 2008 00:38:32 GMT

This is an older on demand webcast series, but I'm considering resurrecting this next year.

Digital Blackbelt Series

Microsoft Security Development Lifecycle (SDL) download now available

Georgeo Pulikkathara — Fri, 02 May 2008 05:02:47 GMT

As part of its commitment to a more secure and trustworthy computing ecosystem, Microsoft is making the details of the SDL process generally available online for the first time. IT policy makers and software development organizations can leverage this 78 page document to enhance and inform their own software security and privacy assurance programs.

Microsoft Security Development Lifecycle (SDL) document download

"The Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server. Microsoft is publishing the detailed SDL process guidance as part of its commitment to enable a more secure and trustworthy computing ecosystem.

The following documentation provides an in-depth description of the Microsoft SDL methodology and requirements. Proprietary technologies and resources that are only available internally at Microsoft have been omitted from these guidelines."

Developer Security Content Framework

Georgeo Pulikkathara — Fri, 02 May 2008 04:53:04 GMT

I'm trying to develop a framework for security related content, and one of the issues I'm trying to address is how folks go about searching for security content. Yes, I know you pull up your browser, and do a Google search on SDL, threat modeling, STRIPE, digest authentication, Kerberos authentication, etc. But what do you search for, and what are you trying to work on these days. Based on that, I want to try and get some of our internal experts to produce some (free) training content to help you address this in a straight forward manner. Anthony Tsim (founded Microsoft Virtual Labs) and I are going to talk to some folks internally, such as Joe Stagner, Michael Howard, David Ladd, Bronwen Matthews, Michael O'Neill (DEV TOOLS), John Boylan, and some others, to help us figure this out.

Writing Secure Code on msdn online

Georgeo Pulikkathara — Wed, 30 Apr 2008 03:19:38 GMT

Writing Secure Code

"One of the key things that developers can do to help secure their systems is to write code that can withstand attack and use security features properly. This page contains links to best practices and how-to articles on writing secure code."

How To: Protect From SQL Injection in ASP.NET

Georgeo Pulikkathara — Tue, 29 Apr 2008 20:32:15 GMT

Looks like SQL Injections attacks are taking place. Check out the article at Computerworld. If you're not sure on how to protect your site from these attacks, please take a look at our article, "How To: Protect From SQL Injection in ASP.NET", on msdn online.

Michael Howard - Required Reading

Georgeo Pulikkathara — Tue, 29 Apr 2008 01:26:46 GMT

Technorati Tags: Writing Secure Code

If you're looking to better understand writing secure code, Michael Howard's blog and his books are required reading. Yes, he wrote the book on Writing Secure Code. Really. Michael Howard's Blog

George

"How Do I?" Videos for Security

Georgeo Pulikkathara — Fri, 25 Apr 2008 09:34:29 GMT

More videos on security topics for developers at the msdn security developer center. Here you’ll find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more. New videos are added regularly, so check back often at "How Do I?" Videos for Security.

Regards,

George

Technorati Tags: security videos

How Do I: Export and Import Certificates?

Georgeo Pulikkathara — Fri, 25 Apr 2008 09:22:00 GMT

We've got a series of short how to videos at the msdn security developer center that provides you quick overviews on topics such as how to import/export certificates, and how to get started with encryption. by Lamees Ayman.

Let us know what you think of these videos. Helpful, too basic, or just right. I'm thinking of making more videos like this for our developer community to consume.

Technorati Tags: developer security videos

Thanks,

George

georgeop@microsoft.com or (425) 707-6912

George's Blog

Georgeo Pulikkathara — Thu, 24 Apr 2008 23:19:26 GMT

You may remember me from my days at MSDN Webcasts or from when I was managing the worldwide Microsoft Certified Professional Program at Microsoft Learning.

Well I'm over here now with Jed Pickel and Jacqueline Beauchere to get the word out to our developer communities on all that Microsoft is doing around security and privacy for our customers.

We're building some great security how to content that will be featured at http://www.microsoft.com/security as well as at http://msdn.microsoft.com/security to help you make sense of what to do when addressing security concerns with your application development efforts on Microsoft tools and technologies.

Warmest Regards,

Georgeo X. Pulikkathara

georgeop@microsoft.com (425) 707-6912