Browse by Tags
The Information Security Tools (IST) team has released the InfoSec Assessment & Protection (A&P) Suite. It’s a suite made up of protection and assessment tools which include: Web Protection Library (WPL) - an umbrella for several libraries and
Hi everyone, Bryan here. There is a common misconception that because the SDL was originally created for Microsoft’s big showcase box products like Windows and SQL Server, it only works for those kinds of products. This is of course patently false:
Hi everyone, Bryan here. I’m going to be presenting two sessions on the SDL next week, one for TechEd Europe and one for the Microsoft Platforma event in Moscow. If you’re attending either of these conferences, stop by and introduce yourself, or better
Hi everyone, Bryan here. Earlier this week, Microsoft released the latest volume of the Security Intelligence Report (SIR), which covers the first half of 2009. There are many interesting statistics in this report, but there’s one that I’d like to draw
Cory at Matasano has a new blog post explaining “Ninja threat modeling.” Ninja threat modeling is Matasano’s approach to threat modeling as part of a penetration test. I’m really happy that they’ve given their approach a name. A few years back, we would
10/20/2009: Updated with correct CVE - thanks to Matthieu Suiche for pointing this out to me. Hi, Michael here. When I wrote the first analysis of why the SDL had missed a security vulnerability, I made a comment that I would continue to write these posts,
Hi everyone, Bryan here. Peleus Uhley, Senior Security Researcher at Adobe, has written a guest post for the BlueHat blog on potential security issues with cross-domain access permissions for web sites. I’d like to encourage you to read Peleus’ post and
Hi everyone, this is Eleanor Saitta with iSEC Partners, with a brief post about return on investment and structured security. A few weeks ago, Microsoft and iSEC Partners published a joint whitepaper titled, “Microsoft SDL: Return On Investment”, and
Michael Howard here with a quick update on MiniFuzz File Fuzzer. We have received sporadic reports that a few MiniFuzz users are encountering an issue when attempting to run MiniFuzz on Windows Server 2003 or Windows XP platforms. This is a known issue
Hi everyone, Bryan here. As we’ve talked about on this blog many times in the past, the SDL requires the use of the Microsoft AntiXss library to defend against cross-site scripting attacks. However, we haven’t talked about the fact that until now, there
Jeremy Dallman here to announce the release of two new security tools that will help you test and verify the security of your software – and meet some of the most critical requirements of the SDL. In addition, we are responding to customer requests and
Hi, this is Johannes Ullrich from SANS. As CTO of the SANS Internet Storm Center www.isc.sans.org, I lead the development of complex and exposed applications. Recently, SANS www.sans.org became a member of the SDL Pro Network. I am happy that I will
Adam here. I’ve learned to love STRIDE as a framework for thinking about threats, but it makes a lousy classification system. That is, I can look at a system to find information disclosure threats, but once I have an attack that leaks, say, the location
Hi, Bryan here. For any of you that might not have seen the movie Sneakers, I’ll try to not spoil the plot completely for you, but the main storyline revolves around a “little black box” that a scientist has developed that can automatically defeat asymmetric
Hello, Michael here. A word of warning, this is purely an “FYI” post that has very little to do with SDL policy! I get this question, “How do I call various SDL-mandated APIs before my code starts?” about once a month, so I decided to write about it so