Security Briefs - A Follow-on Conversation about Threat Modeling

Fri, 14 Aug 2009 10:00:00 GMT

This article explores the use of threat modeling to address security concerns in your applications.

Read article

Security Briefs - A Conversation About Threat Modeling

Mon, 20 Apr 2009 10:00:00 GMT

Listen in on a chat between a developer and security pro that delves into some of the major Security Development Lifecycle (SDL) requirements we impose on product teams here at Microsoft

Read article

Security Briefs - Threat Models Improve Your Security Process

Thu, 23 Oct 2008 10:00:00 GMT

Using threat models to drive your security engineering process helps prioritize the code review, fuzz testing, and attack surface analysis tasks.

Read article

Security Briefs - Protecting Your Code with Visual C++ Defenses

Wed, 20 Feb 2008 10:00:00 GMT

Michael Howard outlines some of the buffer overrun defenses available in Visual C++ 2005 and beyond.

Read article

Trustworthy Computing - Lessons Learned from Five Years of Building More Secure Software

Fri, 28 Sep 2007 10:00:00 GMT

Five years ago, Bill Gates issued a directive to enhance security across the board. Since then, many valuable lessons have been learned about building more secure software.

Read article

Secure Habits - 8 Simple Rules For Developing More Secure Code

Thu, 12 Oct 2006 10:00:00 GMT

Never trust data, model threats against your code, and other good advice from a security expert.

Read article

How Do They Do It? - A Look Inside the Security Development Lifecycle at Microsoft

Tue, 11 Oct 2005 10:00:00 GMT

In this article, Microsoft security expert Michael Howard outlines how to apply the Security Development Lifecycle to your own software development processes. He explains how you can take some of the lessons learned at Microsoft when implementing SDL and use them in your own development process.

Read article

Attack Surface - Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

Tue, 19 Oct 2004 10:00:00 GMT

In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.

Read article

Review It - Expert Tips for Finding Security Defects in Your Code

Tue, 14 Oct 2003 10:00:00 GMT

Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like 'password', 'secret,' and other obvious but common security blunders, can be searched for and remedied.

Read article