SecurityRatty: The Security Development Lifecycle

Introducing the InfoSec Assessment & Protection Suite

2009-11-19 16:48:19 by sdl in The Security Development Lifecycle

...Information Security Tools (IST) team has released the InfoSec Assessment & Protection (A&P) Suite . Its a suite made up of protection and assessment tools which include Web Protection Library (WPL) - an umbrella for several libraries and runtime modules including the Microsoft Anti-Cross Site Scripting Library v3.1 (Anti-XSS V3.1) and...

Tags: protection suite, suite, protection, infosec assessment, assessment, web protection library, library, tools, information security tools

Announcing SDL for Agile Development Methodologies

2009-11-10 15:52:43 by sdl in The Security Development Lifecycle

...security, and thats simply not an acceptable solution However, although none of these approaches solves the problem of adapting the SDL to Agile, that doesnt mean the task is impossible. Over the last year, a team of security professionals throughout the Trustworthy Computing Security and Online Services Security & Compliance teams (including...

Tags: sdl, guidance, complete sdl-agile guidance, complete, unnecessary sdl requirements, sdl requirements, sdl-agile breaks, requirements, sdl-agile describes

SDL at TechEd Europe and Platforma

2009-11-05 18:42:08 by sdl in The Security Development Lifecycle

...Security for Agile Projects Monday 11/9 9:00-10:15, Berlin 1 Hall 7-3a Platforma FF-206: The Microsoft Security Development Lifecycle Thursday 11/12 4:30-5:30, Red Congress-Hall Hope to see you there

Tags: platforma, sdl, microsoft platforma event, europe, microsofts approach, red congress-hall, agile projects, sdl-agile, hall 7-3a

SIR Volume 7 Released

2009-11-04 13:44:54 by sdl in The Security Development Lifecycle

...Security Intelligence Report (SIR) , which covers the first half of 2009. There are many interesting statistics in this report, but theres one that Id like to draw particular attention to: the number of industry-wide reported vulnerabilities as broken down by OS vulns vs. browser vulns vs. application vulns It is gratifying to see a sharp...

Tags: vulns, application vulns, browser vulns, report, security intelligence report, application vulnerabilities, vulnerabilities, bake security practices, half

Ninjas are cool, but engineers build bridges

2009-10-23 15:39:28 by sdl in The Security Development Lifecycle

...information about our many approaches over the years .Today, we have one authoritative site at microsoft.com/sdl which presents the most current guidance. We no longer use attack trees. Were working hard to speak clearly. Is it working for you? Let us know whats not clear. Yes, there are a lot of books and what-have-you that cant be updated,...

Tags: threat, sdl threat, threat models, threat enumeration checklists, sdl, sdl pro network, threat model, current sdl approach, current

MS09-050, SMBv2 and the SDL

2009-10-15 18:44:24 by sdl in The Security Development Lifecycle

...security vulnerability, I made a comment that I would continue to write these posts, but only for bugs that interested me. To be honest, all security bugs interest me, but this one really got me to sit up because its in new code For reference, the security update that fixes this is MS09-050 , and the bug is CVE-2009-2532 What makes the bug of...

Tags: vulnerable code, manual code review, code review, vulnerable code path, one-off bugs, bugs, security bugs, code, rfstable64 invalid item

Cross-Domain Security

2009-10-12 23:48:20 by sdl in The Security Development Lifecycle

...Security Researcher at Adobe, has written a guest post for the BlueHat blog on potential security issues with cross-domain access permissions for web sites. Id like to encourage you to read Peleus post and also to expand on it a little to talk about the SDL requirements around cross-domain access Normally, the Same Origin Policy prevents web...

Tags: cross-domain, cross-domain access permissions, access permissions, cross-domain privileges, cross-domain permissions, cross-domain attack, sdl cross-domain requirement, access, grant global access

Getting the Most for Your Security Investment

2009-10-05 23:39:54 by sdl in The Security Development Lifecycle

...security A few weeks ago, Microsoft and iSEC Partners published a joint whitepaper titled, Microsoft SDL: Return On Investment, and I'd like to highlight a contradiction the paper discusses between what return on investment numbers show and common industry practice. In many cases, we see companies spending most of their security budget on...

Tags: security, security practices, architectural security review, approach security, high-level security analysis, design, secure design, implementation vulnerabilities, vulnerabilities

Known issue: Using MiniFuzz on Windows XP or Server2003

2009-09-25 18:37:22 by sdl in The Security Development Lifecycle

Michael Howard here with a quick update on MiniFuzz File Fuzzer We have received sporadic reports that a few MiniFuzz users are encountering an issue when attempting to run MiniFuzz on Windows Server 2003 or Windows XP platforms. This is a known issue that results from some missing registry keys on Windows XP and Server 2003 that are present in...

Tags: minifuzz, minifuzz users, windows, minifuzz file fuzzer, issue, reg multi, reg, server, windows server

New and Improved AntiXss 3.1, Now With Sanitization

2009-09-23 20:39:00 by sdl in The Security Development Lifecycle

...Information Security Tools team is including the HTML sanitization functionality in the new public version of AntiXss (version 3.1) and releasing the entire library under the Ms-PL open source license. Lets take a quick look at how this functionality works and when you might want to use it When used correctly, output encoding is very...

Tags: antixss, html tags, tags, functionality, html sanitization functionality, safe html tags, microsoft antixss library, input, input sanitization

Your name:
Your email:
Describe a problem:
AntiSPAM Validation:

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo