Entries tagged with sdl - Channel 9

Microsoft Security Development Lifecycle (SDL) and Software Security Today

Charles — Fri, 06 Nov 2009 21:49:00 GMT

The Microsoft Security Development Lifecycle (SDL) team recently released two new security tools, BinScope Binary Analyzer and MiniFuzz File Fuzzer, to help you write more secure code. Jeremy Dallman, Michael Howard, and Ivan Medvedev created these tools so we decided to pay them a visit to chat about what these tools do and why they matter. Of course, it's been way too long since Michael Howard has preached to us from his security soapbox so we just had to get him talking about the general state of software security today and where it's going!

For the Microsoft SDL team, SDL is as much a lifestyle as it is a software development lifecycle. Developers, thrive securely so that others may securely thrive. Oh yeah, brothers and sisters. I'm sensing the need for a security soapbox show on 9. We need more preaching. There's still far too many developers writing insecure code. "Reverend" Howard, are you game, sir?

Get BinScope and MiniFuzz on SDL Tool Repository. Please use them!!!

Stay updated on the SDL at:

http://www.microsoft.com/sdl

http://blogs.msdn.com/sdl

Glenn Pittaway on SDL

Mike Ormond — Fri, 14 Aug 2009 07:30:00 GMT

I'm posting this on behalf of Andrew Fryer who usually posts to TechNet but today has something developer focused for us:

"Glenn Pittaway the Group Program Manager for the Secure development Lifecycle (SDL) talks about the past present and future of SDL. The SDL methodology is at the core of all development work that has an internet facing element (i.e. virtually everything!) at Microsoft. You might argue that this gives this gives Microsoft developers an edge over the competition as they can write more secure code more quickly, however these same SDL resources are also publicly available so you can adopt the same approach in your organisation."

SDL-LOB Phase 3: Implementation

Jossie Tirado — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie Tirado — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Threat Modeling LOB Applications with TAM 3.0

Jossie Tirado — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie Tirado — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Microsoft Security Development Lifecycle Template

Larry Larsen — Thu, 02 Jul 2009 10:45:00 GMT

The Microsoft SDL Process Template is a new process template for Visual Studio Team System intended to ease adoption of the Microsoft Security Development Lifecycle. The template integrates the SDL directly into your software development environment, provides auditable security requirements and status, and demonstrates security return on investment.

I stopped by the Microsoft Security group and spoke with Jeremy Dallman about the SDL, and what it means for developers. The Process Template is free and can be downloaded from www.microsoft.com/SDL/.

Architecture Behind CAT.NET

Jossie Tirado — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie Tirado — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Security Design Reviews

Jossie Tirado — Wed, 24 Jun 2009 16:07:00 GMT

Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here.

Intervju från Öredev: Sergio Molero om säkerhet och utvecklare

Swedish MSDN Team — Fri, 28 Nov 2008 16:25:00 GMT

I den här diskussionen med Sergio Molero som är en medlem av MEET pratar vi om säkerhet och utvecklare, SDL och hur beteenden måste förändras.