Welcome to MSDN Blogs Sign in | Join | Help

Security (RSS)

What makes a bug a security bug?

In my last post, I mentioned that security bugs were different from other bugs.  Daniel Prochnow asked : What is the difference between bug and vulnerability? In my point of view, in a production enviroment, every bug that may lead to a loss event Read More...
Posted Monday, August 18, 2008 10:29 AM by LarryOsterman | 21 Comments
Filed under:

Linus Torvalds is “Fed up with the ‘security circus’”

There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT Read More...
Posted Friday, August 15, 2008 1:28 PM by LarryOsterman | 21 Comments
Filed under:

More proof that crypto should be left to the experts

Apparently two years ago, someone ran a static analysis tool named " Valgrind " against the source code to OpenSSL in the Debian Linux distribution. The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team Read More...
Posted Tuesday, May 13, 2008 9:46 AM by LarryOsterman | 41 Comments
Filed under:

Resilience is NOT necessarily a good thing

I just ran into this post by Eric Brechner who is the director of Microsoft's Engineering Excellence center. What really caught my eye was his opening paragraph: I heard a remark the other day that seemed stupid on the surface, but when I really thought Read More...
Posted Thursday, May 01, 2008 9:14 AM by LarryOsterman | 66 Comments

This is the way the world (wide web) ends...

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Read More...
Posted Wednesday, April 16, 2008 1:03 PM by LarryOsterman | 27 Comments
Filed under:

The Trouble with Giblets

I don't write about the SDL very much, because I figure that the SDL team does a good enough job of it on their blog , but I was reading the news a while ago and realized that one of the aspects of the SDL would have helped if our competitors were to Read More...
Posted Friday, March 07, 2008 8:28 AM by LarryOsterman | 26 Comments
Filed under:

Wow - We hired Crispin Cowan!!!

Michael Howard just announced that we've hired Crispin Cowan ! This is incredibly awesome, I have a huge amount of respect for Crispin , he's one of the most respected researchers out there. Among other things, Crispin's the author and designer of AppArmor Read More...
Posted Friday, January 18, 2008 10:31 AM by LarryOsterman | 5 Comments

How to lose customers without really trying...

Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but Instead of processing her order, they sent the following email: From: ThinkGeek Customer Read More...
Posted Thursday, November 15, 2007 3:21 PM by LarryOsterman | 25 Comments

When you're analyzing the strength of a password, make sure you know what's done with it.

Every once in a while, I hear someone making comments about the strength of things like long passwords. For example, if you have a 255 character password that just uses the 26 roman upper and lower case letters, plus the numeric digits. That means that Read More...
Posted Monday, November 12, 2007 5:47 PM by LarryOsterman | 20 Comments

Chris Pirillo's annoyed by the Windows Firewall prompt

Yesterday, Chris Pirillo made a comment in one of his posts : And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Read More...
Posted Friday, November 02, 2007 9:56 AM by LarryOsterman | 63 Comments
Filed under:

Every threat model diagram should tell a story.

Adam Shostack has another threat modeling post up on the SDL blog entitled " Threat Modeling Self Checks and Rules of Thumb ". In it, he talks about threat models and diagrams (and he corrects a mistake in my " rules of thumb " post (thanks Adam)). There's Read More...
Posted Monday, October 22, 2007 3:14 PM by LarryOsterman | 1 Comments
Filed under:

Some final thoughts on Threat Modeling...

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah, I know I should have done this last week, but I got distracted :). First, a summary of the threat modeling posts: Part 1: Threat Modeling, Once again. Read More...
Posted Monday, October 01, 2007 9:54 AM by LarryOsterman | 16 Comments

Threat Modeling Again, Threat Modeling Rules of Thumb

I wrote this piece up for our group as we entered the most recent round of threat models. I've cleaned it up a bit (removing some Microsoft-specific stuff), and there's stuff that's been talked about before, but the rest of the document is pretty relevant. Read More...
Posted Friday, September 21, 2007 10:20 AM by LarryOsterman | 12 Comments

Threat Modeling Again, Threat modeling and the fIrefoxurl issue.

Yesterday I presented my version of the diagrams for Firefox's command line handler and the IE/URLMON's URL handler. To refresh, here they are again: Here's my version of Firefox's diagram: And my version of IE/URLMON's URL handler diagram: As I mentioned Read More...
Posted Wednesday, September 19, 2007 10:33 AM by LarryOsterman | 26 Comments

Threat Modeling Again, Threat Modeling in Practice

I've been writing a LOT about threat modeling recently but one of the things I haven't talked about is the practical value of the threat modeling process. Here at Microsoft, we've totally drunk the threat modeling cool-aid. One of Adam Shostak's papers Read More...
Posted Tuesday, September 18, 2007 3:48 PM by LarryOsterman | 11 Comments
More Posts Next page »
 
Page view tracker