Michael Howard's Web Log : Security

Security Sessions at TechEd in Australia and New Zealand

michael_HOWARD — Sun, 06 Sep 2009 23:20:00 GMT

I'm heading to TechEd Oz and NZ in a couple of hours to present the following:

SEC312 The "Everything Developers Need to Know About Security" Talk

Oz: 9/10/2009 15:30-16:45
NZ: 9/14/2009 14:15-15:30

SEC201 Inside the Microsoft Security Development Lifecycle: And how you can use it!

Oz: 9/10/2009 11:30-12:45
NZ: 9/15/2009 12:10-13:25

I'm also giving a couple of half-day SDL workshops:

SDL Workshop

Oz: 9/11/2009 (I'll update once I get the time!)
NZ: 9/13/2009 10:20 - 13:00

If you cannot make it to TechEd this year, a number of sessions, including SEC201 will be made available through Live Meeting. More info here.

ATL, MS09-035 and the SDL

michael_HOWARD — Tue, 28 Jul 2009 20:43:00 GMT

http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

Integrating the SDL process into Visual Studio

michael_HOWARD — Tue, 19 May 2009 19:53:27 GMT

I’ve been a firm believer of integrating as much security tooling as possible into the development process so developers can get on with developing code and designing solutions rather than having to constantly think about dotting the security “i”s and crossing the security “t”s.

The less security “friction” the better, because the more you can automate the more progress you can make.

Jeremy Dallman has just announced that we have released the Microsoft SDL Process Template for Visual Studio Team System, and yes, it’s free.

I think this is a huge step forward because now software development teams outside of Microsoft can more easily track their adherence to the SDL.

Technorati Tags: SDL,Tools

A Conversation About Threat Modeling

michael_HOWARD — Fri, 01 May 2009 17:29:00 GMT

This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with my laptop by the pool :)

http://msdn.microsoft.com/en-us/magazine/dd727503.aspx

Ken Johnson (Skywing) joins Microsoft

michael_HOWARD — Wed, 25 Mar 2009 01:27:00 GMT

Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan joining Microsoft, I am pleased to announce that Ken Johnson, AKA Skywing, has joined our group.

Ken brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related vulnerabilities, exploits, defenses, bypassing defenses and more. Ken also maintains a blog on debugging, reverse engineering, and security-related topics (along with various personal projects) at: http://www.nynaeve.net.

Welcome, Ken!

Free Download: Writing Secure Code for Windows Vista

michael_HOWARD — Wed, 31 Dec 2008 07:07:00 GMT

"For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a "Free E-Book of the Month" offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download the selection of the month."

http://csna01.libredigital.com/?urrs4gt63d

Secure software development practices 'not rocket science'

michael_HOWARD — Tue, 09 Dec 2008 01:09:00 GMT

http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html#

Improvements in Office Security

michael_HOWARD — Tue, 18 Nov 2008 07:59:00 GMT

David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office guys have been doing over the last few years.

Net: about a 50% reduction in vulns!

Volume 5 of the Microsoft Security Intelligence Report is out

michael_HOWARD — Mon, 03 Nov 2008 17:16:00 GMT

Volume 5 of the Microsoft Security Intelligence Report is now out, highlights include:

Security vulnerability disclosures - Microsoft and third-party software
Vulnerability Exploits – Microsoft software
Browser-based exploits - Microsoft and third-party software
Security and privacy breaches
Malicious and potentially unwanted software trends

Volume 5 of the SIR also includes a detailed examination of the threat ecosystem which explains how threats propagate across the internet, how users become infected and the resultant impact on privacy and identity theft.

The one item that stood out for me was the move from successfully attacking Microsoft applications and browser objects to attacking and compromising 3rd-party applictions and browser objects.

Security-Related MSDN Magazine Articles

michael_HOWARD — Tue, 28 Oct 2008 21:38:00 GMT

Bryan Sullivan and I wrote a couple of articles for this month's MSDN Magazine. If you're not aware, November focuses on Security.

The two articles are:

Test Your Security IQ

Threat Models Improve Your Security Process

And there's the Agile SDL paper than I already mentioned.

Agile SDL

michael_HOWARD — Tue, 28 Oct 2008 21:35:00 GMT

Over the last year or so, a bunch of us in the SDL team have been working with agile groups across Microsoft to help streamline the SDL for agile methods. Bryan Sullivan wrote a paper for MSDN Magazine explaining where our current throughts lie. Clearly this is just the start, we have some more work to do, but we thought it would be worthwhile putting our ideas out there to get feedback and comments.

SAFECode releases "Fundamental Practices for Secure Software Development" document

michael_HOWARD — Wed, 08 Oct 2008 20:04:00 GMT

Today, SAFECode released an important document entitled, “Fundamental Practices for Secure Software Development” aimed at helping software producers create more secure software.

The document is unique in that it describes what SAFECode members are doing in practice to raise the security bar; it’s not a theoretical or academic document.

I believe the fact that it describes what’s used in practice is what makes the document important because it means the ideas in the document can be implemented in the real world regardless of the type of software under development.

So take a look, and let me know what you think.

Updated: first review from InfoWorld.

Practical Defense in Depth

michael_HOWARD — Fri, 26 Sep 2008 22:50:00 GMT

Crosstalk has published an article for mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.

SDL Evolution

michael_HOWARD — Wed, 17 Sep 2008 07:02:00 GMT

UPDATED: Added IOActive post

As many of you have seen today, there's been plenty of press about us opening up the SDL for use by other software developers and releasing our threat modeling tool. For those of you who have no clue what the heck I'm talking about, here are a handful of articles about what happened today:

Microsoft becomes high priest of secure software development (C|Net)
Microsoft looks to spread secure software expertise (Computerworld)
Microsoft to Share Its Secure Development Blueprint, Threat Modeling Tool (Dark Reading)

I'm not sure about the "High Priest" moniker, but what the heck :)

Cigital also blogged about the event, most notably the SDL Pro Network, and IOActive posted some comments too.

I'm really excited to see the SDL move forward and most importantly, outward. We have learned a great deal about what it takes to make steps toward securing software. We don't expect perfection, but if more people embrace some of the principles we define in the SDL, and we have experienced and knowledgable partners scale the effort, I think the IT world will be a substantially more secure place.

-Michael

GOOG Chrome's use of NX/DEP

michael_HOWARD — Mon, 15 Sep 2008 17:18:00 GMT

Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to Windows.

Scroll about halfway down the article.