
Microsoft Secure

Adding Usable Security to the SDL

Adam Shostack here. Lately, I’ve been focused on how we bring the engineering of usable security into the SDL. When I say usable security, I mean that for those times when we need to ask a user for input on something only they know. (For example, are you connecting to a coffee shop network or...


New Tool: SDL Regex Fuzzer

Hi everyone, Bryan here. I’m at the RSA Conference Europe this week to present “When a Billion Laughs Are Not So Funny: Application-Level Denial of Service Attacks.” I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re...


Black Hat 2010: Crypto Agility

Hi everyone, Bryan here. If you’re at Black Hat this week, I’ll be giving a talk Thursday afternoon on the topic of cryptographic agility – the ability for applications to change which cryptographic algorithms or implementations they use without having to make changes to the source code. Cryptographically agile applications can more easily comply with...
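The post only states the goal, so here is an added example (not code from the post or the talk) of the pattern it describes, in Python: the MAC algorithm used by an application is chosen by a registry and a policy object, the algorithm name travels with every tag so old data stays verifiable after the default changes, and retiring an algorithm is a policy change rather than a source change. The registry contents, the `MacPolicy` class and the `alg:hex` tag format are assumptions made for illustration.

```python
"""Crypto agility for a message authentication code.

Added illustration; the registry, MacPolicy and the 'alg:hex' tag format are
assumptions, not an API from the post. Requires only the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Registry: the algorithm name stored with each tag -> hashlib digest name.
# Adding or retiring an entry here (and in the policy) never touches tag()
# or verify() below, which is the whole point of agility.
MAC_REGISTRY = {
    "hmac-sha256": "sha256",
    "hmac-sha512": "sha512",
    "hmac-sha1": "sha1",  # legacy: only verifiable under a policy that still lists it
}


@dataclass(frozen=True)
class MacPolicy:
    """Which algorithm new tags use, and which ones verify() may still accept."""
    default: str = "hmac-sha256"
    accepted: frozenset = frozenset({"hmac-sha256", "hmac-sha512", "hmac-sha1"})

    def __post_init__(self):
        unknown = {self.default, *self.accepted} - set(MAC_REGISTRY)
        if unknown:
            raise ValueError(f"policy names unregistered algorithms: {sorted(unknown)}")
        if self.default not in self.accepted:
            raise ValueError("the default algorithm must also be accepted on verify")


def _compute(alg: str, key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, MAC_REGISTRY[alg]).digest()


def tag(key: bytes, data: bytes, policy: MacPolicy, alg: Optional[str] = None) -> str:
    """Return 'alg:hex'. The algorithm name is stored with the tag so verify()
    can pick the right construction even after the default has moved on.
    Passing alg explicitly is only for writers that must emit a legacy format."""
    alg = alg or policy.default
    if alg not in policy.accepted:
        raise ValueError(f"{alg} is not permitted by the current policy")
    return f"{alg}:{_compute(alg, key, data).hex()}"


def verify(key: bytes, data: bytes, tagged: str, policy: MacPolicy) -> bool:
    """Constant-time check. Unknown or retired algorithms are rejected outright;
    there is no silent fallback to whatever the tag claims."""
    alg, sep, hexmac = tagged.partition(":")
    if not sep or alg not in policy.accepted:
        return False
    try:
        expected = bytes.fromhex(hexmac)
    except ValueError:
        return False
    return hmac.compare_digest(_compute(alg, key, data), expected)


def needs_rotation(tagged: str, policy: MacPolicy) -> bool:
    """True when a tag was produced with something other than the current
    default, i.e. the record should be re-tagged on its next write."""
    return tagged.partition(":")[0] != policy.default


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    key = b"\x01" * 32
    policy = MacPolicy()
    t = tag(key, b"order=42", policy)
    print(t, verify(key, b"order=42", t, policy))
    legacy = tag(key, b"order=42", policy, alg="hmac-sha1")
    print("legacy verifies:", verify(key, b"order=42", legacy, policy),
          "needs rotation:", needs_rotation(legacy, policy))
    strict = MacPolicy(accepted=frozenset({"hmac-sha256", "hmac-sha512"}))
    print("legacy under strict policy:", verify(key, b"order=42", legacy, strict))
```

Migration then runs in three configuration steps: add the new algorithm to the registry and to `accepted`, flip `default` so new writes use it while `needs_rotation` drives re-tagging of old records, and finally drop the old name from `accepted` so nothing signed with it is trusted any more.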


Black Hat 2010: Elevation of Privilege

Hi, Adam Shostack here. I just wanted to let you know that I’ll be speaking at Black Hat about “Elevation of Privilege: The Easy Way to Threat Model.” Threat modeling is critical to secure development, and people find it intimidating and tough to get started. I will present Elevation of Privilege, a simple card game...


Black Hat 2010: Secure Use of Cloud Storage

Hi everyone, this is Grant Bugher. I’ll be giving a talk Thursday afternoon at Black Hat 2010 about securely using cloud storage systems like Windows Azure Storage – how applications that use cloud storage as their database back-end can protect themselves from attacks. Just as with traditional methods of data storage and retrieval like SQL-based relational...


Adobe Reader Protected Mode: more collaboration to protect customers

Jeremy Dallman here. This morning Brad Arkin via the Adobe ASSET team blog announced their upcoming release of Adobe Reader Protected Mode. I wanted to take a moment to congratulate Adobe Security and the Adobe Reader team on reaching this significant milestone. As Brad mentioned in his blog post, Microsoft worked...


Visual C++ 2010 and Improved SAL Support

Michael here. I have written about some of the security improvements in VC++ 2010 (here and here) and want to mention another important one: improved SAL support. The Standard Annotation Language (SAL) is a way of annotating function prototypes to help static analysis tools find bugs, including many classes of security vulnerabilities, with a low...
