Microsoft Secure

Vuln Hunt: Find the Security Vulnerability Challenge #2

Ex-Netscape engineer Jamie Zawinski has a great quote about regular expressions. He said: “Some people, when confronted with a problem, think ‘I know, I’ll use regular expressions.’ Now they have two problems.” That’s certainly true for this week’s Security Vuln Hunt. Two points are possible, plus an extra bonus point. The question: The programmer here...


Vuln Hunt: Find the Security Vulnerability Challenge #1

Whether it’s a riddle, puzzle, or detective mystery novel, most of us like to solve a good brain teaser. As security and program experts, these types of conundrums keep us on our toes. During the next few weeks, I’ll share some of my favorites, and see if you can find the security vulnerability. For this...


Announcing the MSF-Agile+SDL Process Template for TFS 2010

Hi everyone, Bryan here. Judging from the quantity of email I’ve been getting since Visual Studio 2010 shipped last month asking when we’ll have an SDL process template available for it, there are a lot of you out there who have already upgraded to VS 2010 and are looking to integrate SDL processes into your...


Casaba Releases Watcher 1.3.0 with Added SDL Integration

Hi everyone, Bryan here. We’ve written here before about Casaba Security’s Watcher tool and how it can help you verify compliance with several of the SDL web application security requirements, such as: · User controlled open redirects · Insecure domain references in Silverlight client access policy files · Use of the Javascript eval method · ...


Announcing SDL for Agile Development Methodologies

Hi everyone, Bryan here. There is a common misconception that because the SDL was originally created for Microsoft’s big showcase box products like Windows and SQL Server, it only works for those kinds of products. This is of course patently false: virtually every Microsoft product and online service, large or small, follows the SDL....


SDL at TechEd Europe and Platforma

Hi everyone, Bryan here. I’m going to be presenting two sessions on the SDL next week, one for TechEd Europe and one for the Microsoft Platforma event in Moscow. If you’re attending either of these conferences, stop by and introduce yourself, or better yet stay for the session! TechEd Europe: SIA-205: SDL-Agile: Microsoft’s...


SIR Volume 7 Released

Hi everyone, Bryan here. Earlier this week, Microsoft released the latest volume of the Security Intelligence Report (SIR), which covers the first half of 2009. There are many interesting statistics in this report, but there’s one that I’d like to draw particular attention to: the number of industry-wide reported vulnerabilities as broken down by OS...


Cross-Domain Security

Hi everyone, Bryan here. Peleus Uhley, Senior Security Researcher at Adobe, has written a guest post for the BlueHat blog on potential security issues with cross-domain access permissions for web sites. I’d like to encourage you to read Peleus’ post and also to expand on it a little to talk about the SDL requirements around...


Static Analysis Tools and the SDL (Part Two)

Michael wrote last week on static analysis for native C/C++ code, and this week I’ll be following up by covering the tools we use for managed static analysis. The SDL requires teams writing managed code to use two static analysis tools: FxCop and CAT.NET. Both of these tools are freely available to the public, and...


MSDN Security Issue Articles

Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog! First up is a code review quiz, “Test Your Security IQ”. Put your C/C++/C# security skills to the challenge by reviewing...
