The Security Development Lifecycle
 
Showing 1-10 of 41 records
 
Expand article

Security Thoughts from TechEd 2008

2008-06-26 15:07:00 by sdl in The Security Development Lifecycle
 
...information about the SDL. I did two main things at TechEd:, I presented on threat modeling, and I spent a lot of time talking to customers at the SDL booth. At the SDL booth, we heard questions ranging from "What does the SDL stand for?" to "Our Web site was hacked; how do I stop it from happening again?" It was encouraging hearing people...
 
 
 
 
 
Expand article

SQL Injection Defense Tools

2008-06-24 16:43:00 by sdl in The Security Development Lifecycle
 
...information, the Security Vulnerability Research and Defense blog has posted a more in-depth analysis of each of these tools. I recommend that you download both of the detection tools and test your applications against them. If either tool reports a vulnerability, I also recommend that you use URLScan 3.0 to block attacks while you fix the...
 
 
 
 
 
Expand article

SDL Threat Modeling: Past, Present and Future

The Article has images
2008-06-17 21:59:50 by sdl in The Security Development Lifecycle
Adam Shostack here I wanted to share my slides from the recent Layer One conference [link], where I talked about "SDL Threat Modeling: Past, Present and Future There are a few points that I wanted to emphasize. The first is that I'm talking about threat modeling from the perspective of the SDL. We have other threat modeling processes here at...
 
 
 
 
 
Expand article

Corrupted Heap Termination Redux

2008-06-07 04:00:00 by sdl in The Security Development Lifecycle
 
...Information correctly. In short there's an option when calling this function that will terminate your application if the heap manager detects some form of heap corruption, or the potential to cause heap corruption I would recommend you read the previous post before continuing You guessed it, the number one email I got after this post was,...
 
 
 
 
 
Expand article

SQL Injection Follow-up

2008-05-30 15:58:00 by sdl in The Security Development Lifecycle
 
...Security Vulnerability Research & Defense blog has just posted an analysis of the attack along with guidance recommendations for IT/database admins, web developers, and end users. Finally, if you are looking for classic ASP-specific (not ASP.NET) guidance, Bala Neerumalla has posted a detailed document on preventing SQL injection in ASP on MSDN
 
 
 
 
 
Expand article

SDL Training

2008-05-29 15:22:00 by sdl in The Security Development Lifecycle
 
...security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsofts SDL process reflects that reality. The process is...
 
 
 
 
 
Expand article

Giving SQL Injection the Respect it Deserves

2008-05-15 18:45:00 by sdl in The Security Development Lifecycle
 
Hello, Michael here You may have read recently about a large number of Web servers that were compromised through a SQL injection attack. The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise as many database servers as possible. While the attack was a SQL injection attack that...
 
 
 
 
 
Expand article

How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle
 
...security metrics , trying to objectively quantify and measure How secure is secure is far more difficult than one might think. Id like to share my perspective that there are two dimensions useful to consider when characterizing software security metrics: security functional requirements and security engineering quality requirements . While...
 
 
 
 
 
Expand article

SDL and the OWASP Top Ten

2008-05-01 15:46:00 by sdl in The Security Development Lifecycle
 
...Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access Looking at this list, we address Cross-Site Scripting issues in the SDL very thoroughly today: we have several XSS detection and prevention tools our...
 
 
 
 
 
Expand article

Crispin Cowan's Blog

2008-04-29 15:41:00 by sdl in The Security Development Lifecycle
 
Ralph here, I wanted to let everyone know that Crispin Cowan has just started his own blog . Keep an eye on it for some great posts in the future