Kevin Lam's Web Log

BuildingSecureCode.com is up and running!

2007-04-04T03:27:00Z

Hey Everyone,

In my last post I mentioned that I would be blogging from www.buildingsecurecode.com after leaving Microsoft. It's up and ready to go right now!

As my first post, I thought I would write about Programmatically Displaying the Windows User Account Control (UAC) Elevated Shield Icon in .NET Windows Form Application Buttons. A couple days ago I was fiddling around with making UAC aware/compliant applications in .NET and could find absolutely no clear documentation on how to get the elevated shield icon to appear on buttons mapping to elevated tasks and I can only imagine others are going through the same frustration. In this blog entry I walk you through a sample application as well as give you the .NET code you need to start displaying those UAC elevated shield icons. Enjoy and much more to come!

The link to the post can be found here: http://www.buildingsecurecode.com/?p=13. And with that, this blog is now officially closed. Thanks,

Kevin

Moving on, thank you and good luck!

2007-03-28T01:28:00Z

Friends,

After almost 5 years at Microsoft, I've decided to move on and realize my dreams of starting a business (check out www.impactalabs.com in the coming months). I've had the pleasure of working with some of the smartest people in the industry, had the opportunity to write Assesing Network Security, to write for Microsoft TechNet and of course publishing Anti-Cross Site Scripting Library V1.0 and V1.5 -- so while I am excited about the opportunities ahead, I am sad about the those that I am leaving behind.

As of this Friday, I will no longer be blogging from this site and moving shop over to www.buildingsecurecode.com. Take care and best wishes!

Kevin

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Mohammad Akif on InfoQ

2006-12-20T06:08:00Z

If you've never met or heard Mohammad Akif here's your chance! He's one of our evangelists in Toronto (my home-town!), Canada. Mohammad talks to InfoQ about service oriented-architectures (SOA) and the Security Development Lifecycle, check him out http://www.infoq.com/interviews/Mohammad-Akif. Enjoy,

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Anti-Cross Site Scripting Library V1.5: Come Get It!

2006-11-18T20:11:00Z

Update: The FAQ is now up as of today to help answer any initial questions you might have. Check it out on the main landing page for the librarry at http://msdn2.microsoft.com/en-us/security/aa973814.aspx.

Update: We'll be posting a Web-facing FAQ shortly (there's already one inside the library documentation) to help answer questions you might have regarding using this library. Stay tuned!

After what seemed like forever, I am pleased to announced that the ACE and the ASP.NET team have released the Microsoft Anti-Cross Site Scripting Library V1.5. This library is essentially the same library we use internally (if you've ever heard the name IOSec you'll know what I am talking about) with a few enhancements. You can find the official release announcement for V1.5 at the ACE Team Blog. There are way too many people to thank individually so I would just like like to say thank you to the internal and external folks who provided valuable feedback (some nicer than others =P) and support.

We're not done yet! The next version aims to pack even more functionality and new automation to help you prevent those XSS nasties in a big way and -- as always --along with a few surprises. Until then, enjoy this version.

Thanks,

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Anti-Cross Site Scripting Library V1.5 Update

2006-10-18T01:06:00Z

Today we released a preview copy to a select list of people and awaiting to get feedback. Very soon folks, very soon! I also spent last night and into the morning putting together a tutorial so watch out for the release of that! Thanks,

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Thoughts On Code Scanning

2006-10-03T07:35:00Z

Dan Sellers posted my rant on code scanning tools on his Security for Canadian Developers Blog:

--- START ---

Information managers, developers and testers commonly make the mistake of seeing code scanning tools as replacement for security QA processes. As a result they get a false sense of security about their software development lifecycle. Rather than using code scanning tools as a QA team replacement, think of code scanning tools an enforcement mechanism to help ensure that developers are following best practices and more importantly application security development policies.

Secondly tools need to be tightly integrated into a SDLC and not done as a one-off exercise. I visit a lot of customers each year to train them on developing applications securely and often ask them about their development processes and where tools fit into those processes. A common, almost consistent, response I hear is “developers run tools if they know they exist and if they remember.” Ouch. One way in which I’ve helped customers in the past is to integrated tools as a direct gate within their SDLC. Failure to complete this step affects the developer’s ability to proceed forward. As I always say, there’s a difference between what you say you do, and what you actually do.

Another common request from customers I get is for me suggest to them which is the ‘best’ tool. My response: potato. There is no best tool per se, but rather there is a best tool that meets their code scanning requirements. In order for a tool to be identified, I help my customers define those requirements first – otherwise they’ve just purchased or downloaded a tool that they have no idea whether or not is adding value or not.

Have fun scanning!

Prefast: http://www.microsoft.com/whdc/devtools/ddk/default.mspx
FxCop: http://www.gotdotnet.com/team/fxcop/

--- END ---

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Canadian Virtual Security Conference Recap

2006-09-29T21:31:00Z

If you missed the presentation Dan Sellers, Deepak Manohar and I gave to 230+ Canadian security folks on 09/27/06 check out the following links:

http://msdn.microsoft.com/canada/securitylockdown/

Also Dan posted an entire presentation recap at his blog for Canadian Security Developers at:

http://blogs.msdn.com/s4cd/archive/2006/09/27/774602.aspx

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Spam Detection using an Artificial Immune System

2006-07-11T07:43:00Z

Just read this off of Slashdot -- I am a big, nay huge, fan of using biological models to solve problems in other spaces. Check out this interesting paper on using immune system behavior to detect spam:.

Check it out: http://terri.zone12.com/doc/academic/crossroads/

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Anti-Cross Site Scripting Library V1.5: Almost there ...

2006-07-08T02:53:00Z

Just wanted to give an update and the new implementation of the Anti-Cross Site Scripting Library V1.5 is done. I re-wrote the entire library to be much more performant than the previous implementations as well as added more encoding methods for various web-application scenarios (Java Script, Visual Basic Script and more). Now what's left is some additional functional, performance and of course security testing <g>.

The official release will be announced here and on the ACE team blog at http://blogs.msdn.com/ace_team/default.aspx. Thanks again for your patience and stay tuned!

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Latest volume of Uninformed available!

2006-06-09T18:59:00Z

If you're a fan of the old Phrack, you'll definitely enjoy Uninformed.

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Defeating Polymorphic Viruses Whitepaper

2006-06-06T06:55:00Z

Every now and then this company completely surprises me! It's absolutely fantastic that Microsoft is publishing research like this! If you're interested in computer viruses, check out this oldie (but goodie) white paper by Adrian Stepan here.

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Virtual PC 2004 Tip: Installing Other Operating Systems

2006-06-05T09:42:00Z

If you like operating systems like me, no doubt you've recently tried to install Ubuntu 6.06 and have run into some installation problems with Virtual PC 2004 SP1 related to display issues. Try this trick:

Move the selection to "Install In Safe Graphics Mode" (second option)
Hit F6 to modify the install options.
Enter "vga=771" before the double dashes "--".
Hit Enter.

The install should work fine from there on in. Thanks,

Update 06/09/06: The official Ubuntu steps to get Ubuntu working with Virtual PC 2004 can be found on their wiki.

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

More on Windows Vista's Address Space Layout Randomization (ASLR)

2006-06-04T10:22:00Z

Check out Stephen Toulouse's blog entry here. Enjoy,

Kevin

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Windows Vista Security: Address Space Layout Randomization (ASLR)

2006-06-01T22:32:00Z

Michael Howard's blog entry on randomization of address space layout: http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx

I personally haven't seen the internals (implementation) yet, but it should be interesting on how well it affects a malicious user's ability to successfully exploit buffer overflow conditions. This should make exploits of this nature more difficult to conduct successful since many of them require known memory locations and offsets -- now exploit writers can't rely on these conditions to be necessarily true.

Just like how the Visual C++ /GS flag compiler protection provides limited protection against stack overruns, don't rely on the Vista protection mechanism to be your silver bullet. As Michael points out in his entry, having this protection doesn't excuse developers from creating secure code in the first place. And with any sort of protection mechanism (/GS, StackGuard, StackShield, etc.) the security researchers usually find a way around it.

Kevin

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

Threat Analysis and Modeling (TAM) V2.0 RC1 Is Released!

2006-05-27T04:43:00Z

If you haven't already done so, check out my team's Release Candidate 1 (RC1) of the Threat Analysis & Modeling V2.0 tool here. Kudos to the TAM development team, great work guys! Thanks,

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team