-
Today, SAFECode released an important document entitled, “Fundamental Practices for Secure Software Development” aimed at helping software producers create more secure software.
The document is unique in that it describes what SAFECode members are doing in practice to raise the security bar; it’s not a theoretical or academic document.
I believe the fact that it describes what’s used in practice is what makes the document important because it means the ideas in the document can be implemented in the real world regardless of the type of software under development.
So take a look, and let me know what you think.
Updated: first review from InfoWorld.
-
<sent from Cabo San Lucas Airport - heading back to Austin >
Crosstalk has published an article of mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.
-
I've been doing this Twitter thing for a while now - I really like it, folks can get a feel for what you're up to each day.
If you're interested, you can see what I'm up to by clicking 'Follow' at http://twitter.com/michael_howard
-
UPDATED: Added IOActive post
As many of you have seen today, there's been plenty of press about us opening up the SDL for use by other software developers and releasing our threat modeling tool. For those of you who have no clue what the heck I'm talking about, here are a handful of articles about what happened today:
I'm not sure about the "High Priest" moniker, but what the heck :)
Cigital also blogged about the event, most notably the SDL Pro Network, and IOActive posted some comments too.
I'm really excited to see the SDL move forward and most importantly, outward. We have learned a great deal about what it takes to make steps toward securing software. We don't expect perfection, but if more people embrace some of the principles we define in the SDL, and we have experienced and knowledgable partners scale the effort, I think the IT world will be a substantially more secure place.
-Michael
-
SDL alumnus James Whittaker has a blog. I meant to write a note on this weeks ago, but I kinda got busy! Anyway, if you're a tester, or have a passing interest in test, James is one of the best and you should learn from him. He's the author or coauthor of How to Break Software, How to Break Software Security and How to Break Web Software.
http://blogs.msdn.com/james_whittaker/default.aspx
-
Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to Windows.
Scroll about halfway down the article.
-
I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.
-
Dave Ladd just posted a note about Katie joining the ever-growing SDL team. For you twitter freaks out there she's @k8em0 :)
Welcome, Katie...
-
Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner, just posted an article looking at the XSS filter from an SDL perspective.
While I'm on the subject of XSS and Dave, if XSS is an area of interest to you, you really should follow his blog. He's a member of our group focused mainly on browser and desktop-related defenses.
-
Every once in a while a security bug pops up that really piques my interest, and a new directory traversal bug that affects Apache Tomcat (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938) most certainly made me take notice because I haven't seen this bug type in a lllooonnnggg time.
It caught my eye because of these six little characters:
%c0%ae
Many people think these characters represent a 16-bit Unicode character. Wrong. They are an invalid sequence of characters that represents the ‘.' (%2e) character; this is often called an "overlong UTF-8 escape". You may be wondering why I know this little piece of trivia about UTF-8: IIS4 and IIS5 were bitten by the same class of bug eight years ago, and it was an attack vector for the Nimda worm. The bulletin that fixed the bug is MS00-078.
Thumbing to page 379 of Writing Secure Code 2nd Edition, I am reminded that the canonical form of a UTF-8 character is the smallest number of bits that can represent that character. Remember, UTF-8 can encode characters wider than 8 bits. Without going into all the involved bit-manipulation, the correct form for a ‘.' character is a one-byte escape: %2e, not a two-byte escape: %c0%ae.
RFC 3629 states that "Implementations of the decoding algorithm MUST protect against decoding invalid sequences."
UrlScan for IIS6, and IIS7's Request Filtering detect and reject non-canonical UTF-8 URLs by default.
A patch for Apache Tomcat is available at http://tomcat.apache.org/security.html.
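As an added example (written for this page, not code from the post, Tomcat or IIS), here is the decoding rule the post describes in working form: a strict percent-plus-UTF-8 decoder that computes the code point of each multi-byte sequence and rejects any sequence that could have been written in fewer bytes, so `%2e` is accepted as ‘.' while `%c0%ae` is refused as overlong. The path strings are constructed samples.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs an n-byte UTF-8 sequence (RFC 3629).
# Anything below the threshold for its length is an overlong (non-canonical) form.
MIN_CODEPOINT = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000}


def decode_utf8_strict(data: bytes) -> str:
    """Decode UTF-8, raising ValueError on overlong, truncated or malformed sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b <= 0xDF:          # 0xC0/0xC1 leads are only ever overlong
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, n):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{c:02x} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < MIN_CODEPOINT[n]:
            # e.g. C0 AE decodes to U+002E '.', which must be the single byte 2E
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)


def decode_url_path(path: str) -> str:
    """Percent-decode a URL path to bytes, then apply the strict UTF-8 decoder."""
    return decode_utf8_strict(unquote_to_bytes(path))


def check_path(path: str) -> tuple[bool, str]:
    """Return (True, decoded_path) for canonical input, (False, reason) otherwise."""
    try:
        return True, decode_url_path(path)
    except ValueError as exc:
        return False, str(exc)
```

A request filter would reject the path on the `False` branch before any file-system lookup, which is the behaviour the post attributes to UrlScan and IIS7 Request Filtering.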
-
Good news! Matt Miller, author of plenty of cutting-edge security research, including my fave “A Brief History of Exploitation Techniques and Mitigations on Windows” has joined the Security Science team to work on improved ways to find security vulnerabilities and better software defenses through mitigations. Most recently, Matt’s been focused on design review for Windows 7.
Matt brings a massive amount of real-world exploit and defense experience to our team. Learn more about Matt here.
It’s wonderful to see us hiring more talent like Matt.
Welcome, Matt.
-
I just wrapped up a post over on the SDL blog with some comments about an article on Google's security work.
-
http://twitter.com/alexsotirov/statuses/882866444
-
I just wrote a post over on the SDL blog about how to get started with fuzzing...
-
Gotta love Robert's sarcasm.. but he's right.