MSDN Blogs

Browse by Tags: All Tags » SDL
ATL, MS09-035 and the SDL
Hello, Michael here. <updated: 7/31 - changed the compiler 'warning' to 'error'> Today, the Microsoft Security Response Center (MSRC) released two out-of-band security bulletins, MS09-034 and MS09-035, and a Security Advisory, to address security Read More...
A Declspec SAL to Attribute SAL Rosetta Stone
Hi, Michael here. A while back I wrote a blog post explaining the Standard Annotation Language (SAL), which is a technology we use to help static analysis tools find more bugs, including security vulnerabilities, in C and C++ code. If you look closely Read More...
New SDL Pro Network Members: SANS and SAIC
When I joined the SDL team last fall, the SDL Pro Network had launched as a one-year pilot program. Upon returning from maternity leave, I took over management of the SDL Pro Network. I have been working on formalizing the program in order to bring it Read More...
Please join me in welcoming memcpy() to the SDL Rogues Gallery
Over the last few years I have written a number of articles, papers and books describing some of the dangers of using various buffer-manipulating C runtime functions. Well-known examples of bad function calls include strcpy(), strcat(), strncpy(), strncat(), Read More...
Posted: Thursday, May 14, 2009 2:41 PM by sdl | 9 Comments
The Open Source Quality Challenge
Steve Lipner here. Steve Bellovin, one of the pioneers of Internet security, wrote a blog post about security, open source, and secure development process. It's worth reading if you're an open source fan, or if you're not. My one quibble is that Steve Read More...
Posted: Friday, May 01, 2009 7:02 AM by sdl | 2 Comments
Security Development Processes and Transparency
Hi, Michael here. The following article, "Major software makers fail security transparency test," caught my eye this morning because it covers a topic of great interest to me: companies documenting their security and privacy-related software development Read More...
You Can’t Outrun the Bear, so Let’s Make a Deal
Hello, Michael Weiss here. Nothing like having two Michaels around to confuse everyone. At least there are only two here. On a previous team, I was one of five Michaels. Over the next several weeks, I’ll be posting a series of entries to help explain Read More...
MS08-078 and the SDL
Hi, Michael here. Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry for this bug is CVE-2008-4844. Read More...
Secure Coding Secrets?
Hi, Michael here. A recent article titled "NSA posts secrets to writing secure code" caught my eye in part because the words "writing secure code" always get my attention! But also because anything that can advance the science of securing software is Read More...
MS08-067 and the SDL
Hi, Michael here. No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape Read More...
Good hygiene and Banned APIs
Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement was put in place to prevent use of certain older C runtime functions Read More...
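The two posts above (memcpy() joining the Rogues Gallery, and the "Remove all Banned APIs" requirement) are about the same class of bug: a copy whose length is not tied to the destination. The C below is an added illustration for this listing, not code from either post or from the SDL banned-API tooling. It shows the strncpy() termination pitfall, a memcpy() whose length is taken straight from the input, and bounded replacements that fail closed. The helper names, the return codes and the one-byte-length, 16-byte-payload record format are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the bounded helpers (names are assumptions for this example). */
enum copy_result { COPY_OK = 0, COPY_ERR_ARGS = 1, COPY_ERR_TOO_LONG = 2 };

#define PAYLOAD_MAX 16   /* assumed fixed-size destination for parse_record() */

/* Why strncpy() is on the list: when the source fills the buffer exactly,
 * no terminator is written and later str*() calls read past the end.
 * Returns 1 if dst holds a NUL within dst_size bytes, 0 if it does not. */
int strncpy_leaves_terminator(const char *src, char *dst, size_t dst_size)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Length of s, never reading more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded replacement: always NUL-terminates and never truncates silently;
 * on overflow dst is left as the empty string and the caller gets an error. */
enum copy_result safe_strcpy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_ERR_ARGS;
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) {            /* no room for the terminator */
        dst[0] = '\0';
        return COPY_ERR_TOO_LONG;
    }
    memcpy(dst, src, n + 1);        /* n < dst_size, so n + 1 <= dst_size */
    return COPY_OK;
}

/* The banned memcpy() pattern: the length byte from the message flows straight
 * into the copy, so a value up to 255 overruns the 16-byte destination.
 * Shown for contrast only; main() does not call it. */
void parse_record_unsafe(const uint8_t *msg, uint8_t out[PAYLOAD_MAX])
{
    memcpy(out, msg + 1, msg[0]);
}

/* Hardened version: the declared length is checked against both the
 * destination capacity and the number of bytes actually received. */
enum copy_result parse_record(const uint8_t *msg, size_t msg_len,
                              uint8_t out[PAYLOAD_MAX], size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL || msg_len < 1)
        return COPY_ERR_ARGS;
    size_t declared = msg[0];
    if (declared > PAYLOAD_MAX)     /* would overrun out[] */
        return COPY_ERR_TOO_LONG;
    if (declared > msg_len - 1)     /* claims more payload than was received */
        return COPY_ERR_ARGS;
    memcpy(out, msg + 1, declared);
    *out_len = declared;
    return COPY_OK;
}

int main(void)
{
    char buf[8];
    printf("strncpy of 8 chars into 8 bytes terminated: %d\n",
           strncpy_leaves_terminator("12345678", buf, sizeof buf));
    printf("safe_strcpy of 8 chars into 8 bytes: %d\n",
           safe_strcpy(buf, sizeof buf, "12345678"));

    /* Constructed sample records: a valid one and one with an oversize length byte. */
    const uint8_t good[] = { 3, 'a', 'b', 'c' };
    const uint8_t oversize[] = { 0x40, 'x' };
    uint8_t out[PAYLOAD_MAX];
    size_t n = 0;
    printf("parse_record(good): %d, len %zu\n",
           parse_record(good, sizeof good, out, &n), n);
    printf("parse_record(oversize): %d\n",
           parse_record(oversize, sizeof oversize, out, &n));
    return 0;
}
```

The point of the two checks in parse_record() is that a single bound is not enough: checking only against PAYLOAD_MAX still lets a short message make memcpy() read past the end of the received buffer, and checking only against msg_len still lets a long message overrun the destination.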
Security is bigger than finding and fixing bugs
I’ve been catching up on various security-related articles that I’ve been meaning to read, and the following article was on the list http://www.itnews.com.au/News/73635,google-shares-its-security-secrets.aspx about Google’s “security secrets.” Quoting Read More...
Improve Security with "A Layer of Hurt"
Hello, Michael here. I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number Read More...
Wrapping up "Walking" with the SDL
Jeremy Dallman here. Before we move on with our regularly-scheduled programming here at the SDL blog, I wanted to pull all of the “Walking with the SDL” blog posts into a single document to put it all together in another format. You can find that document Read More...
"Walking" with the SDL - Part 4
Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2, Part 3]. So far I have discussed getting management approval, expanding security training, formalizing security Read More...