In my last post, I mentioned that security bugs were different from other bugs. Daniel Prochnow asked: What is the difference between bug and vulnerability? In my point of view, in a production environment, every bug that may lead to a loss event Read More...
There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT Read More...
Apparently two years ago, someone ran a static analysis tool named "Valgrind" against the source code to OpenSSL in the Debian Linux distribution. The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team Read More...
I just ran into this post by Eric Brechner who is the director of Microsoft's Engineering Excellence center. What really caught my eye was his opening paragraph: I heard a remark the other day that seemed stupid on the surface, but when I really thought Read More...
Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Read More...
I don't write about the SDL very much, because I figure that the SDL team does a good enough job of it on their blog, but I was reading the news a while ago and realized that one of the aspects of the SDL would have helped if our competitors were to Read More...
Michael Howard just announced that we've hired Crispin Cowan! This is incredibly awesome, I have a huge amount of respect for Crispin, he's one of the most respected researchers out there. Among other things, Crispin's the author and designer of AppArmor Read More...
Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but instead of processing her order, they sent the following email: From: ThinkGeek Customer Read More...
Every once in a while, I hear someone making comments about the strength of things like long passwords. For example, if you have a 255 character password that just uses the 26 Roman upper and lower case letters, plus the numeric digits. That means that Read More...
Yesterday, Chris Pirillo made a comment in one of his posts: And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Read More...
Adam Shostack has another threat modeling post up on the SDL blog entitled "Threat Modeling Self Checks and Rules of Thumb". In it, he talks about threat models and diagrams (and he corrects a mistake in my "rules of thumb" post (thanks Adam)). There's Read More...
I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah, I know I should have done this last week, but I got distracted :). First, a summary of the threat modeling posts: Part 1: Threat Modeling, Once again. Read More...
I wrote this piece up for our group as we entered the most recent round of threat models. I've cleaned it up a bit (removing some Microsoft-specific stuff), and there's stuff that's been talked about before, but the rest of the document is pretty relevant. Read More...
Yesterday I presented my version of the diagrams for Firefox's command line handler and the IE/URLMON's URL handler. To refresh, here they are again: Here's my version of Firefox's diagram: And my version of IE/URLMON's URL handler diagram: As I mentioned Read More...
I've been writing a LOT about threat modeling recently but one of the things I haven't talked about is the practical value of the threat modeling process. Here at Microsoft, we've totally drunk the threat modeling Kool-Aid. One of Adam Shostack's papers Read More...