Security Briefs - A Follow-on Conversation about Threat Modeling
Fri, 14 Aug 2009 10:00:00 GMT
This article explores the use of threat modeling to address security concerns in your applications.
Security Briefs - A Conversation About Threat Modeling
Mon, 20 Apr 2009 10:00:00 GMT
Listen in on a chat between a developer and a security pro that delves into some of the major Security Development Lifecycle (SDL) requirements we impose on product teams here at Microsoft.
Security Briefs - Threat Models Improve Your Security Process
Thu, 23 Oct 2008 10:00:00 GMT
Using threat models to drive your security engineering process helps prioritize the code review, fuzz testing, and attack surface analysis tasks.
Security Briefs - Protecting Your Code with Visual C++ Defenses
Wed, 20 Feb 2008 10:00:00 GMT
Michael Howard outlines some of the buffer overrun defenses available in Visual C++ 2005 and beyond.
Trustworthy Computing - Lessons Learned from Five Years of Building More Secure Software
Fri, 28 Sep 2007 10:00:00 GMT
Five years ago, Bill Gates issued a directive to enhance security across the board. Since then, many valuable lessons have been learned about building more secure software.
Secure Habits - 8 Simple Rules For Developing More Secure Code
Thu, 12 Oct 2006 10:00:00 GMT
Never trust data, model threats against your code, and other good advice from a security expert.
How Do They Do It? - A Look Inside the Security Development Lifecycle at Microsoft
Tue, 11 Oct 2005 10:00:00 GMT
In this article, Microsoft security expert Michael Howard outlines how to apply the Security Development Lifecycle to your own software development processes. He explains how you can take some of the lessons learned at Microsoft when implementing SDL and use them in your own development process.
Attack Surface - Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users
Tue, 19 Oct 2004 10:00:00 GMT
In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.
Review It - Expert Tips for Finding Security Defects in Your Code
Tue, 14 Oct 2003 10:00:00 GMT
Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects on his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like 'password' and 'secret', along with other obvious but common security blunders, can be searched for and remedied.