My Security Planet » Michael Howard's Web Log http://rgaucher.info/planet/ My Security Planet » Michael Howard's Web Log Gregarius 0.5.4 en Michael Howard's Web Log: Security Sessions at TechEd in Australia and New Zealand http://blogs.msdn.com/michael_howard/archive/2009/09/06/security-sessions-at-teched-in-australia-and-new-zealand.aspx Sun, 06 Sep 2009 15:20:00 -0500 http://blogs.msdn.com/michael_howard/archive/2009/09/06/security-sessions-at-teched-in-australia-and-new-zealand.aspx I'm heading to TechEd Oz and NZ in a couple of hours to present the following:

SEC312  The "Everything Developers Need to Know About Security" Talk 
  • Oz: 9/10/2009 15:30-16:45 
  • NZ: 9/14/2009 14:15-15:30
SEC201  Inside the Microsoft Security Development Lifecycle: And how you can use it!  
  • Oz: 9/10/2009 11:30-12:45 
  • NZ: 9/15/2009 12:10-13:25

I'm also giving a couple of half-day SDL workshops:

SDL Workshop
  • Oz: 9/11/2009 (I'll update once I get the time!)
  • NZ: 9/13/2009  10:20 - 13:00

If you cannot make it to TechEd this year, a number of sessions, including SEC201 will be made available through Live Meeting. More info here.

]]> Michael Howard's Web Log: ATL, MS09-035 and the SDL http://blogs.msdn.com/michael_howard/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx Tue, 28 Jul 2009 12:43:00 -0500 http://blogs.msdn.com/michael_howard/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx [blogs.msdn.com] ]]> Michael Howard's Web Log: Integrating the SDL process into Visual Studio http://blogs.msdn.com/michael_howard/archive/2009/05/19/integrating-the-sdl-process-into-visual-studio.aspx Tue, 19 May 2009 11:53:27 -0500 http://blogs.msdn.com/michael_howard/archive/2009/05/19/integrating-the-sdl-process-into-visual-studio.aspx I’ve been a firm believer of integrating as much security tooling as possible into the development process so developers can get on with developing code and designing solutions rather than having to constantly think about dotting the security “i”s and crossing the security “t”s.

The less security “friction” the better, because the more you can automate the more progress you can make.

Jeremy Dallman has just announced that we have released the Microsoft SDL Process Template for Visual Studio Team System, and yes, it’s free.

I think this is a huge step forward because now software development teams outside of Microsoft can more easily track their adherence to the SDL.

Technorati Tags: SDL,Tools ]]> Michael Howard's Web Log: A Conversation About Threat Modeling http://blogs.msdn.com/michael_howard/archive/2009/05/01/a-conversation-about-threat-modeling.aspx Fri, 01 May 2009 09:29:00 -0500 http://blogs.msdn.com/michael_howard/archive/2009/05/01/a-conversation-about-threat-modeling.aspx This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with my laptop by the pool :)

[msdn.microsoft.com]

]]> Michael Howard's Web Log: Ken Johnson (Skywing) joins Microsoft http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx Tue, 24 Mar 2009 17:27:00 -0500 http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan joining Microsoft, I am pleased to announce that Ken Johnson, AKA Skywing, has joined our group.

 

Ken brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related vulnerabilities, exploits, defenses, bypassing defenses and more. Ken also maintains a blog on debugging, reverse engineering, and security-related topics (along with various personal projects) at: http://www.nynaeve.net.

 

Welcome, Ken!

]]> Michael Howard's Web Log: Free Download: Writing Secure Code for Windows Vista http://blogs.msdn.com/michael_howard/archive/2008/12/30/free-download-writing-secure-code-for-windows-vista.aspx Tue, 30 Dec 2008 22:07:00 -0600 http://blogs.msdn.com/michael_howard/archive/2008/12/30/free-download-writing-secure-code-for-windows-vista.aspx "For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a "Free E-Book of the Month" offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download the selection of the month."

[csna01.libredigital.com]

:)

]]> Michael Howard's Web Log: Secure software development practices 'not rocket science' http://blogs.msdn.com/michael_howard/archive/2008/12/08/secure-software-development-practices-not-rocket-science.aspx Mon, 08 Dec 2008 16:09:00 -0600 http://blogs.msdn.com/michael_howard/archive/2008/12/08/secure-software-development-practices-not-rocket-science.aspx [searchsoftwarequality.techtarget.com]# ]]> Michael Howard's Web Log: A Proactive Approach to Building a Successful Security Development Lifecycle Program http://blogs.msdn.com/michael_howard/archive/2008/11/19/a-proactive-approach-to-building-a-successful-security-development-lifecycle-program.aspx Wed, 19 Nov 2008 19:49:00 -0600 http://blogs.msdn.com/michael_howard/archive/2008/11/19/a-proactive-approach-to-building-a-successful-security-development-lifecycle-program.aspx At this point most of you have heard about the Microsoft SDL and some of activities and deliverables associated with it.

However, I still receive a number of questions, specifically, how and where development organizations can start deploying SDL.

Good news!  

One of the new Microsoft SDL Pro Network members, Security Innovation, has invited me to address this and other SDL questions at an upcoming webcast titled “A Proactive Approach to Building a Successful Security Development Lifecycle Program.”

SI also invited Jon Oltsik, an analyst from the Enterprise Strategy Group, to present his point of view on the value of the SDL to development organizations.  It should be an interesting event, and will hopefully answer many of the questions I have received from the field.  If we don’t address your questions during our presentations, there is going to be Q&A at the end …
 
If you are interested in attending this live web event, it is going to take place TOMORROW Thursday, November 20th, at 1:00pm ET, and you can register for it here.  

Hope you can make it!

]]> Michael Howard's Web Log: Improvements in Office Security http://blogs.msdn.com/michael_howard/archive/2008/11/17/improvements-in-office-security.aspx Mon, 17 Nov 2008 22:59:00 -0600 http://blogs.msdn.com/michael_howard/archive/2008/11/17/improvements-in-office-security.aspx David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office guys have been doing over the last few years.

Net: about a 50% reduction in vulns!

]]> Michael Howard's Web Log: Volume 5 of the Microsoft Security Intelligence Report is out http://blogs.msdn.com/michael_howard/archive/2008/11/03/volume-5-of-the-microsoft-security-intelligence-report-is-out.aspx Mon, 03 Nov 2008 08:16:00 -0600 http://blogs.msdn.com/michael_howard/archive/2008/11/03/volume-5-of-the-microsoft-security-intelligence-report-is-out.aspx now out, highlights include:
  • Security vulnerability disclosures - Microsoft and third-party software
  • Vulnerability Exploits – Microsoft software
  • Browser-based exploits - Microsoft and third-party software
  • Security and privacy breaches
  • Malicious and potentially unwanted software trends

Volume 5 of the SIR also includes a detailed examination of the threat ecosystem which explains how threats propagate across the internet, how users become infected and the resultant impact on privacy and identity theft.

 

The one item that stood out for me was the move from successfully attacking Microsoft applications and browser objects to attacking and compromising 3rd-party applictions and browser objects.

]]>