Browse by Tags
All Tags »
SDL (RSS)
Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [ Part 1 , Part 2 , Part 3 ]. So far I have discussed getting management approval, expanding security training, formalizing security
Read More...
Jeremy Dallman here. This is Part Three in my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [ Part 1 , Part 2 ]. So far I have discussed getting management approval and expanding security training. In this post I will discuss
Read More...
Jeremy Dallman here with Part Two in my series on “Walking” with the SDL. In Part One , I provided a snapshot of “Crawling” and discussed getting management approval. In Part Two, I will cover a couple more “Walk” components: expanding security training
Read More...
Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL . I used the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft’s
Read More...
Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented at TechEd 2008 in Orlando the week of June 2 nd . First up is Laura. I have been a Security Program Manager for the last 3 years, working as a security
Read More...
Hello, Michael here... You may have read recently about a large number of Web servers that were compromised through a SQL injection attack. The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise
Read More...
Hello, Michael here. A colleague sent me a link to a blog post from a couple of days ago: Pete Lindstrom of Burton Group blogged that Microsoft's SDL has Saved the World!! raising concerns about Microsoft using vulnerability counts as a means to measure
Read More...
Hi, Michael here. I am always bemused when Jeff Jones performs in-depth security vulnerability analysis and reports his findings , not because of the content of his findings, but because of the incredible arm-chair commentary that follows. Jeff and I
Read More...
Hi, Michael here. I'm always asked "How can you claim the SDL is working when Microsoft still issues security updates?" So I want to make sure people understand the goals of the SDL and perhaps more importantly, the non-goals. There are three major security-related
Read More...
I’d like to talk about the STRIDE per element chart in the sixth post of my threat modeling series. I’d like to talk about where it’s from, some of the issues that come with that heritage, and how you might customize it in your own
Read More...
Adam again. I hope you’re still enjoying this as we hit #5 in the threat modeling series. In my last post, I talked about how almost everyone in software draws on whiteboards regularly, and this makes it an ideal first step. It’s an ideal
Read More...
Adam Shostack here, with part four of my threat modeling series. This post is a little less philosophical and a lot more prescriptive than the one about flow. It explains exactly how and why I changed a couple of elements of the process. The first is
Read More...
Adam Shostack again, with the third in our series on threat modeling. In this post, I want to explain one of the ‘lenses’ that seemed to help us focus threat modeling, and how I’ve applied it. The concept of flow originated with Mihaly Csikszentmihalyi.
Read More...
Adam Shostack here, with the second post in my series on the evolved threat modeling process. To summarize, what I’ve tried to achieve in changing the process is to simplify, prescribe, and offer self-checks. I’ll talk in the next post about
Read More...
Adam Shostack here. I said recently that I wanted to talk more about what I do. The core of what I do is help Microsoft’s product teams analyze the security of their designs by threat modeling. So I’m very concerned about how well we threat model, and
Read More...
