Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!

Never Thought I'd Still be Dealing with This: Insecure ActiveX Controls!

Over the last couple of months, I have worked with some customers still using custom-written ActiveX...

Author: Michael Howard Date: 06/03/2016

Understanding that Microsoft Azure PaaS and IaaS defenses are often different

I received many comments from people asking me to clarify the following line from my previous blog...

Author: Michael Howard Date: 05/20/2016

Cloud-based Solutions, Threat Modeling and Shared Security Responsibility

Almost 100% of my security work these days involves helping customers deploy their solutions on...

Author: Michael Howard Date: 05/13/2016

Refactoring C and C++ Code for Security

I have been programming in C and C++ since I was 15 years old. And no, I won’t tell you how...

Author: Michael Howard Date: 03/08/2016

Security Sessions at TechEd in Australia and New Zealand

I'm heading to TechEd Oz and NZ in a couple of hours to present the following: SEC312 The...

Author: Michael Howard Date: 09/06/2009

ATL, MS09-035 and the SDL

https://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

Author: Michael Howard Date: 07/28/2009

Integrating the SDL process into Visual Studio

I’ve been a firm believer of integrating as much security tooling as possible into the development...

Author: Michael Howard Date: 05/19/2009

A Conversation About Threat Modeling

This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with...

Author: Michael Howard Date: 05/01/2009

Ken Johnson (Skywing) joins Microsoft

Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan...

Author: Michael Howard Date: 03/24/2009

Free Download: Writing Secure Code for Windows Vista

"For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to...

Author: Michael Howard Date: 12/30/2008

Secure software development practices 'not rocket science'

https://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html#

Author: Michael Howard Date: 12/08/2008

A Proactive Approach to Building a Successful Security Development Lifecycle Program

At this point most of you have heard about the Microsoft SDL and some of activities and deliverables...

Author: Michael Howard Date: 11/19/2008

Improvements in Office Security

David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office...

Author: Michael Howard Date: 11/17/2008

Volume 5 of the Microsoft Security Intelligence Report is out

Volume 5 of the Microsoft Security Intelligence Report is now out, highlights include: Security...

Author: Michael Howard Date: 11/03/2008

Bryan Sullivan and I wrote a couple of articles for this month's MSDN Magazine. If you're not aware,...

Author: Michael Howard Date: 10/28/2008

Agile SDL

Over the last year or so, a bunch of us in the SDL team have been working with agile groups across...

Author: Michael Howard Date: 10/28/2008

SAFECode releases "Fundamental Practices for Secure Software Development" document

Today, SAFECode released an important document entitled, “Fundamental Practices for Secure Software...

Author: Michael Howard Date: 10/08/2008

Practical Defense in Depth

<sent from Cabo San Lucas Airport - heading back to Austin > Crosstalk has published an...

Author: Michael Howard Date: 09/26/2008

Twitter Feed

I've been doing this Twitter thing for a while now - I really like it, folks can get a feel for what...

Author: Michael Howard Date: 09/17/2008

SDL Evolution

UPDATED: Added IOActive post As many of you have seen today, there's been plenty of press about us...

Author: Michael Howard Date: 09/17/2008

James Whittaker has a blog

SDL alumnus James Whittaker has a blog. I meant to write a note on this weeks ago, but I kinda got...

Author: Michael Howard Date: 09/15/2008

GOOG Chrome's use of NX/DEP

Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to...

Author: Michael Howard Date: 09/15/2008

Kim Cameron on GOOGs single sign on design vulnerability

I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his...

Author: Michael Howard Date: 09/15/2008

SDL and the XSS Filter

Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner just posted an...

Author: Michael Howard Date: 08/27/2008

Overlong UTF-8 Escapes Bite

Every once in a while a security bug pops up that really piques my interest, and a new directory...

Author: Michael Howard Date: 08/22/2008

Security is bigger than finding and fixing bugs

I just wrapped up a post over on the SDL blog with some comments about an article on Google's...

Author: Michael Howard Date: 08/14/2008

How Very True

https://twitter.com/alexsotirov/statuses/882866444

Author: Michael Howard Date: 08/12/2008

Improve Security with "A Layer of Hurt"

I just wrote a post over on the SDL blog about how to get started with fuzzing,...

Author: Michael Howard Date: 07/31/2008

Insecure 3rd party software updaters

Gotta love Robert's sarcasm.. but he's right.

Author: Michael Howard Date: 07/29/2008

SQL Server and the Windows Server 2008 Firewall

SDL alum, Shawn Hernan (now in the SQL Server team), has written an excellent post about SQL Server...

Author: Michael Howard Date: 07/02/2008

More on Heap Corruption and Process Termination

I just added a post over on the SDL blog about heap corruption and process termination as well as...

Author: Michael Howard Date: 06/07/2008

Giving SQL Injection the Respect it Deserves

I just posted an article on the SDL blog about the recent news of SQL injection vulnerabilities...

Author: Michael Howard Date: 05/16/2008

Crispin has a blog!

It had to happen. Since joining Microsoft a few short months ago, Crispin Cowen now has a blog. He's...

Author: Michael Howard Date: 04/28/2008

Oh No! Security Metrics!

I just posted an article over on the SDL blog about security metrics in reponse to an analyst's...

Author: Michael Howard Date: 04/18/2008

Microsoft Security Development Lifecycle (SDL) 3.2 documentation now available for download

Dave Ladd has just made a (long) post over on the SDL blog announcing the availability of the SDL...

Author: Michael Howard Date: 04/09/2008

Internet Explorer 8.0 and Data Execution Prevention (DEP/NX)

Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports...

Author: Michael Howard Date: 04/08/2008

When adding security bugs to your code is not your fault!

David LeBlanc and I (and a bunch of others) just had a little email exchange about some fascinating...

Author: Michael Howard Date: 04/04/2008

"How Do I?" Videos for Security

These are pretty cool - I'm a big fan of highly focused, short education like this......

Author: Michael Howard Date: 03/30/2008

IE8 Activity to lookup CVEs and Microsoft bulletins

Update: Added Microsoft bulletin stuff. I'm always looking up CVEs so I want to get to the data as...

Author: Michael Howard Date: 03/18/2008

Protecting Your Code with Visual C++ Defenses

MSDN Magazine has just published an article I wrote that collects many of the various C and C++...

Author: Michael Howard Date: 03/17/2008

The impact of the SDL on Microsoft SQL Server

Following on from my recent post about Windows Vista security and the SDL, a number of people have...

Author: Michael Howard Date: 03/06/2008

Some thoughts about Windows Server 2008

Windows Server 2008 has shipped! And a fine product it is, too! Windows Server 2008 is the first...

Author: Michael Howard Date: 03/04/2008

The First Step on the Road to More Secure Software is admitting you have a Problem

I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones'...

Author: Michael Howard Date: 02/21/2008

FAQ about HeapSetInformation in Windows Vista and Heap Based Buffer Overruns

2/19 - Added some Minor Tweaks Perhaps it's the phase of the moon or something, but over the last...

Author: Michael Howard Date: 02/18/2008

Introducing SAFECode

Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white...

Author: Michael Howard Date: 02/14/2008

More trustworthy election systems via SDL?

My colleague Eric Bidstrup has just posted a thought provoking article on the SDL blog about...

Author: Michael Howard Date: 02/06/2008

New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008

In the interests of helping secure the platform, we want more people to opt-in to using Data...

Author: Michael Howard Date: 01/29/2008

My Daughter will never be a Spy

My kids are desperate for pets; my six-year old son wants a dog (note, a dog, not a puppy!) and my...

Author: Michael Howard Date: 01/20/2008

Next>