SDL
Hello, Michael here. <updated: 7/31 - changed the compiler 'warning' to 'error'> Today, the Microsoft Security Response Center (MSRC) released two out-of-band security bulletins, MS09-034 and MS09-035, and a Security Advisory, to address security
Hi, Michael here. A while back I wrote a blog post explaining the Standard Annotation Language (SAL) which is a technology we use to help static analysis tools find more bugs, including security vulnerabilities, in C and C++ code. If you look closely
When I joined the SDL team last fall, the SDL Pro Network had launched as a one-year pilot program . Upon returning from maternity leave, I took over management of the SDL Pro Network. I have been working on formalizing the program in order to bring it
Over the last few years I have written a number of articles, papers and books describing some of the dangers of using various buffer-manipulating C runtime functions. Well-known examples of bad function calls include strcpy(), strcat(), strncpy(), strncat(),
Steve Lipner here. Steve Bellovin, one of the pioneers of Internet security, wrote a blog post about security, open source, and secure development process. It's worth reading if you're an open source fan, or if you're not. My one quibble is that Steve
Hi, Michael here. The following article, "Major software makers fail security transparency test" caught my eye this morning, because it covers a topic of great interest to me: companies documenting their security and privacy-related software development
Hello, Michael Weiss here. Nothing like having two Michaels around to confuse everyone. At least there are only two here. On a previous team, I was one of five Michaels. Over the next several weeks, I’ll be posting a series of entries to help explain
Hi, Michael here. Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry for this bug is CVE-2008-4844.
Hi, Michael here. A recent article titled "NSA posts secrets to writing secure code" caught my eye in part because the words "writing secure code" always get my attention! But also because anything that can advance the science of securing software is
Hi, Michael here. No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape
Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement was put in place to prevent use of certain older C runtime functions
I’ve been catching up on various security-related articles that I’ve been meaning to read, and the following article was on the list http://www.itnews.com.au/News/73635,google-shares-its-security-secrets.aspx about Google’s “security secrets.” Quoting
Hello, Michael here. I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number
Jeremy Dallman here. Before we move on with our regularly-scheduled programming here at the SDL blog, I wanted to pull all of the “Walking with the SDL” blog posts into a single document to put it all together in another format. You can find that document
Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [Part 1, Part 2, Part 3]. So far I have discussed getting management approval, expanding security training, formalizing security