The Security Development Lifecycle
 
Showing 1-10 of 41 records
 
Expand article

Security Thoughts from TechEd 2008

2008-06-26 15:07:00 by sdl in The Security Development Lifecycle
 
...information about the SDL. I did two main things at TechEd:, I presented on threat modeling, and I spent a lot of time talking to customers at the SDL booth. At the SDL booth, we heard questions ranging from "What does the SDL stand for?" to "Our Web site was hacked; how do I stop it from happening again?" It was encouraging hearing people...
 
Tags: security, numerous developer questions, questions, highly specific questions, requirements, security knowledge, sdl requirements, maturity, security maturity
 
 
 
 
Expand article

SQL Injection Defense Tools

2008-06-24 16:43:00 by sdl in The Security Development Lifecycle
 
...information, the Security Vulnerability Research and Defense blog has posted a more in-depth analysis of each of these tools. I recommend that you download both of the detection tools and test your applications against them. If either tool reports a vulnerability, I also recommend that you use URLScan 3.0 to block attacks while you fix the...
 
Tags: source code, complete source code, tools, source, source-code analysis tools, defense, sql injection defense, detection tools, sql injection
 
 
 
 
Expand article

SDL Threat Modeling: Past, Present and Future

The Article has images
2008-06-17 21:59:50 by sdl in The Security Development Lifecycle
Adam Shostack here I wanted to share my slides from the recent Layer One conference [link], where I talked about "SDL Threat Modeling: Past, Present and Future There are a few points that I wanted to emphasize. The first is that I'm talking about threat modeling from the perspective of the SDL. We have other threat modeling processes here at...
 
Tags: sdl threat, sdl, threat, slides, lots, conference link, future, past, address
 
 
 
 
Expand article

Corrupted Heap Termination Redux

2008-06-07 04:00:00 by sdl in The Security Development Lifecycle
 
...Information correctly. In short there's an option when calling this function that will terminate your application if the heap manager detects some form of heap corruption, or the potential to cause heap corruption I would recommend you read the previous post before continuing You guessed it, the number one email I got after this post was,...
 
Tags: heap, free block list, block, handle, bogus heap handle, invalid, invalid heap, custom heap, block header
 
 
 
 
Expand article

SQL Injection Follow-up

2008-05-30 15:58:00 by sdl in The Security Development Lifecycle
 
...Security Vulnerability Research & Defense blog has just posted an analysis of the attack along with guidance recommendations for IT/database admins, web developers, and end users. Finally, if you are looking for classic ASP-specific (not ASP.NET) guidance, Bala Neerumalla has posted a detailed document on preventing SQL injection in ASP on MSDN
 
Tags: classic asp-specific, asp, sql injection, asp sites, security vulnerability research, guidance, guidance recommendations, bala neerumalla, web developers
 
 
 
 
Expand article

SDL Training

2008-05-29 15:22:00 by sdl in The Security Development Lifecycle
 
...security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsofts SDL process reflects that reality. The process is...
 
Tags: real behavior change, behavior, sdl, change peoples behavior, security, security guy, security defects, defects, security class
 
 
 
 
Expand article

Giving SQL Injection the Respect it Deserves

2008-05-15 18:45:00 by sdl in The Security Development Lifecycle
 
Hello, Michael here You may have read recently about a large number of Web servers that were compromised through a SQL injection attack. The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise as many database servers as possible. While the attack was a SQL injection attack that...
 
Tags: sql, sql injection bug, sql injection requirements, sql injection attack, sql server, sql execute-only permission, malicious sql payload, sql injection, sql injection vulnerability
 
 
 
 
Expand article

How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle
 
...security metrics , trying to objectively quantify and measure How secure is secure is far more difficult than one might think. Id like to share my perspective that there are two dimensions useful to consider when characterizing software security metrics: security functional requirements and security engineering quality requirements . While...
 
Tags: security metrics, software security metrics, implementation vulnerabilities, potential implementation vulnerabilities, metrics, secure, software, discretionary security protection, security protection
 
 
 
 
Expand article

SDL and the OWASP Top Ten

2008-05-01 15:46:00 by sdl in The Security Development Lifecycle
 
...Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access Looking at this list, we address Cross-Site Scripting issues in the SDL very thoroughly today: we have several XSS detection and prevention tools our...
 
Tags: security, web application security, top, security standpoint, list, previous list, agile development teams, development teams, security researcher
 
 
 
 
Expand article

Crispin Cowan's Blog

2008-04-29 15:41:00 by sdl in The Security Development Lifecycle
 
Ralph here, I wanted to let everyone know that Crispin Cowan has just started his own blog . Keep an eye on it for some great posts in the future
 
Tags: crispin cowan, blog, future, eye, ralph, posts