All Tags » SDL
"Walking" with the SDL - Part 4
Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2, Part 3]. So far I have discussed getting management approval, expanding security training, formalizing security Read More...
"Walking" with the SDL - Part 3
Jeremy Dallman here. This is Part Three in my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2]. So far I have discussed getting management approval and expanding security training. In this post I will discuss Read More...
“Walking” with the SDL – Part 2
Jeremy Dallman here with Part Two in my series on “Walking” with the SDL. In Part One, I provided a snapshot of “Crawling” and discussed getting management approval. In Part Two, I will cover a couple more “Walk” components: expanding security training Read More...
"Walking" with the SDL - Part 1
Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL. I used the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft’s Read More...
Security Thoughts from TechEd 2008
Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented at TechEd 2008 in Orlando the week of June 2nd. First up is Laura. I have been a Security Program Manager for the last 3 years, working as a security Read More...
Giving SQL Injection the Respect it Deserves
Hello, Michael here... You may have read recently about a large number of Web servers that were compromised through a SQL injection attack. The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise Read More...
Oh No! Security Metrics!
Hello, Michael here. A colleague sent me a link to a blog post from a couple of days ago: Pete Lindstrom of Burton Group blogged that Microsoft's SDL has Saved the World!! raising concerns about Microsoft using vulnerability counts as a means to measure Read More...
Posted: Friday, April 18, 2008 5:43 AM by sdl | 6 Comments
The First Step on the Road to More Secure Software is admitting you have a Problem
Hi, Michael here. I am always bemused when Jeff Jones performs in-depth security vulnerability analysis and reports his findings, not because of the content of his findings, but because of the incredible arm-chair commentary that follows. Jeff and I Read More...
Security is not all about Security Updates
Hi, Michael here. I'm always asked "How can you claim the SDL is working when Microsoft still issues security updates?" So I want to make sure people understand the goals of the SDL and perhaps more importantly, the non-goals. There are three major security-related Read More...
The STRIDE per Element Chart
I’d like to talk about the STRIDE per element chart in the sixth post of my threat modeling series. I’d like to talk about where it’s from, some of the issues that come with that heritage, and how you might customize it in your own Read More...
Threat Modeling Self Checks and Rules of Thumb
Adam again. I hope you’re still enjoying this as we hit #5 in the threat modeling series. In my last post, I talked about how almost everyone in software draws on whiteboards regularly, and this makes it an ideal first step. It’s an ideal Read More...
Making Threat Modeling Work Better
Adam Shostack here, with part four of my threat modeling series. This post is a little less philosophical and a lot more prescriptive than the one about flow. It explains exactly how and why I changed a couple of elements of the process. The first is Read More...
Getting into the Flow With Threat Modeling
Adam Shostack again, with the third in our series on threat modeling. In this post, I want to explain one of the ‘lenses’ that seemed to help us focus threat modeling, and how I’ve applied it. The concept of flow originated with Mihaly Csikszentmihalyi. Read More...
The New Threat Modeling Process
Adam Shostack here, with the second post in my series on the evolved threat modeling process. To summarize, what I’ve tried to achieve in changing the process is to simplify, prescribe, and offer self-checks. I’ll talk in the next post about Read More...
The Trouble with Threat Modeling
Adam Shostack here. I said recently that I wanted to talk more about what I do. The core of what I do is help Microsoft’s product teams analyze the security of their designs by threat modeling. So I’m very concerned about how well we threat model, and Read More...