Entries tagged with security - Channel 9

Microsoft Security Development Lifecycle (SDL) and Software Security Today

Charles — Fri, 06 Nov 2009 21:49:00 GMT

The Microsoft Security Development Lifecycle (SDL) team recently released two new security tools, BinScope Binary Analyzer and MiniFuzz File Fuzzer, to help you write more secure code. Jeremy Dallman, Michael Howard, and Ivan Medvedev created these tools so we decided to pay them a visit to chat about what these tools do and why they matter. Of course, it's been way too long since Michael Howard has preached to us from his security soapbox so we just had to get him talking about the general state of software security today and where it's going!

For the Microsoft SDL team, SDL is as much a lifestyle as it is a software development lifecycle. Developers, thrive securely so that others may securely thrive. Oh yeah, brothers and sisters. I'm sensing the need for a security soapbox show on 9. We need more preaching. There's still far too many developers writing insecure code. "Reverend" Howard, are you game, sir?

Get BinScope and MiniFuzz on SDL Tool Repository. Please use them!!!

Stay updated on the SDL at:

http://www.microsoft.com/sdl

http://blogs.msdn.com/sdl

Aufzeichnung zum Oktober-TechTalk: Windows 7 – ein Überblick für Entwickler (Teil2)

Jan Schenk — Tue, 03 Nov 2009 18:32:00 GMT

Der Hauptfokus bei Windows 7 wurde auf die weitere Verbesserung der Sicherheit, Zuverlässigkeit und Performance des Betriebssystems gelegt - und auf die größtmögliche Kompatibilität zu Windows Vista , damit bereits bestehende Anwendungen auch in Zukunft laufen. Für Entwickler bietet Windows 7 viele neue Schnittstellen, um Anwendungen mit umfassenderen Funktionen zu versehen, die dem Endbenutzer eine neue Erfahrung im Umgang mit Software ermöglichen.

In dieser TechTalk-Aufzeichnung erklären Oliver Scheer und Peter Kirchner, wie etwa die neue Taskbar genutzt werden kann, indem die Preview-Ansicht gesteuert, Status-Informationen ausgegeben oder die Sprunglisten nach Ihren Wünschen angepasst werden können. Wir zeigen neue Möglichkeiten für die Anpassung von Windows-Diensten, um die Performance des Betriebssystems optimal zu nutzen und demonstrieren die Verwendung der in Windows 7 eingeführten Bibliotheken, um den Zugriff auf Dokumente Ihrer Anwendung zu vereinfachen. Zusätzlich erfährt man, welche Punkte zu beachten sind, um die Kompatibilität Ihrer Anwendung mit Windows 7 sicher zu stellen, wenn diese bereits auf Windows XP oder Windows Vista laufen. Abschließend wird ein Überblick gegeben, welche Änderungen sich im Windows Logo Programm ergeben haben und wie Sie Ihre Anwendung für Windows 7 zertifizieren lassen können.

Allgemeine Information zu den TechTalks:

Die kostenlosen TechTalk-Veranstaltungen sind ein lebendiges Forum zum Wissensaustausch unter Entwicklern und bieten Gelegenheit, "Microsoft zum Anfassen" zu erleben. Microsoft-Experten vermitteln dabei in Vorträgen ihr Wissen und stehen für Diskussionen zur Verfügung. Dabei ist der TechTalk keine überdimensionierte Massenveranstaltung, sondern bietet das angenehme und lockere Umfeld, das den ganz besonderen Reiz eines Entwicklertreffens ausmacht. Alle weiteren Informationen finden Sie unter http://techtalk.ms/

Aufzeichnung zum Oktober-TechTalk: Windows 7 – ein Überblick für Entwickler (Teil 1)

Jan Schenk — Tue, 03 Nov 2009 18:31:00 GMT

Allgemeine Information zu den TechTalks:

Claims-Based Security, Windows Identity Foundation and Dominick Baier

Dariusz Parys — Fri, 09 Oct 2009 05:41:00 GMT

I had the chance to do an interview with security expert Dominick Baier. I visited Dominick and talked with him about Claims, Windows Identity Foundation and his StarterSTS Project hosted on Codeplex.

You can contact Dominick via his blog and you can get more information about the StarterSTS on Codeplex.

Enjoy,
Dariusz

I'm sorry about the video quality after 20 minutes, my camera just broke during recording. Yes this sorts of things just happen when they shouldn't.

Anti-XSS Library v3.1: Find, Fix, and Verify Errors

Jossie Tirado — Wed, 23 Sep 2009 17:20:00 GMT

Anil Revuru (RV) from Microsoft Information Security, gives a demonstration of the new features on the Anti-XSS Library v3.1 including HTML Sanitization which provides new methods to the Anti-XSS class to strip malicious characters or scripts off of HTML and returns safe HTML.

He talks about:

What is Cross-Site Scripting Attack (XSS)
How to detect Cross Site Scripting Vulnerabilities
Introduction of Anti-XSS Library
What’s new in Anti-XSS Library 3.1
Anti-XSS 3.1 demo
Security Runtime Engine (SRE)
SRE Demo

To learn more about this application and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

Overview of the Anti-XSS Library
Download: Microsoft Anti-Cross Site Scripting Library v3.1

Connected Information Security Framework: Core Components

Jossie Tirado — Wed, 23 Sep 2009 17:19:00 GMT

Marius Grigoriu and Vineet Batta, from Microsoft Information Security, talk about the technical components for the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain the core pieces CISF consists of like: Business Intelligent, Portal, Notification, and others that help build information security applications cheaper, faster, and better

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog

To see an overview of what CISF is watch the video: CISF: Build Custom Security Solutions

CISF CTP download

CISF: Build Custom Security Solutions

Jossie Tirado — Fri, 18 Sep 2009 03:31:00 GMT

Mark Curphey and Marius Grigoriu, from Microsoft Information Security, talk about the release of the first version of Connected Information Security Framework (CISF). A software development framework comprising of API’s and reusable components that is designed to create bespoke or custom information security and risk management solutions like Risk Tracker.

Microsoft’s IT Information Security Tools Team designs and develops CISF to “engineer the security delta” meaning as a way to rapidly meet business requirements and create functionality that doesn’t exist or is not yet available in their product range.

They explain benefits found on this framework including:

Building information security applications cheaper, faster, and better
Migrate applications efficiently and effectively to their products when they become available

To learn more about this framework and stay up to date on the latest news, read the following blogs from Information Security and previous posts from the Security Tools Team blog.

CISF CTP download

Expert to Expert: Erik Meijer and Butler Lampson - Abstraction, Security and Embodiment

Charles — Thu, 17 Sep 2009 16:09:00 GMT

This is a very special episode of Expert to Expert. We were very fortunate to get some time with renowned computer scientist and Microsoft Technical Fellow Butler Lampson. Butler's impact on general purpose computing is profound. Personal computing as it exists today is in part the result of the great work done by Butler over the past 30 years.

Programming language designer and high priest of the lamda calculus Erik Meijer hosts this episode of E2E and Erik and Butler cover a very wide swath of computing topics. It's simply beautiful and very deep geekiness. In fact, this is one of my favorite Channel 9 conversations of late. I know you will enjoy both the usual real conversational aspect of this and the depth of historical insight into some of the core aspects and unresolved problems of general purpose personal computing.

Go get some popcorn, stream this into your XBox or Media Center and learn from one of our industry's pioneers who still has a great deal to offer to the world of personal computing. What's Butler working on these days, you wonder? What's top of mind for him as it relates to today's biggest challenges in computing? What does software security really mean? How many levels of software abstraction do we need? Why is data synchronization such a hard problem? What is software embodiment, exactly (Butler will be presenting his thinking on software embodiment at PDC09, as part of the new Technical Leaders track (something yours truly is responsible for - I hope you plan on attending these very special sessions and if not you will be able to watch them right here on Channel 9))?

Tune in and meet a true legend in our industry. Microsoft is very forunate to have Butler Lampson thinking about some of the hardest problems we face as an industry and ensuring that Microsoft is capable of tackling these challenges in a way that extends the solutions for long term relevance in a changing and unpredictable environment.

Glenn Pittaway on SDL

Mike Ormond — Fri, 14 Aug 2009 07:30:00 GMT

I'm posting this on behalf of Andrew Fryer who usually posts to TechNet but today has something developer focused for us:

"Glenn Pittaway the Group Program Manager for the Secure development Lifecycle (SDL) talks about the past present and future of SDL. The SDL methodology is at the core of all development work that has an internet facing element (i.e. virtually everything!) at Microsoft. You might argue that this gives this gives Microsoft developers an edge over the competition as they can write more secure code more quickly, however these same SDL resources are also publicly available so you can adopt the same approach in your organisation."

Internet Explorer 8 named most secure browser

Adam Kinney — Thu, 13 Aug 2009 21:34:00 GMT

Yes, you read that right, Internet Explorer was named by NSS Labs the Most Secure Browser. Giorgio Sardo, our IE Evangelist, fittingly has all the details.

Inside the Active Template Library (ATL) Security Update

Charles — Tue, 28 Jul 2009 17:02:00 GMT

Today, Microsoft announced the details of an out-of-band security update that impacts ATL components and controls (like ActiveX controls, for example) -> Developers who have built controls using vulnerable versions of ATL should take immediate action to review and identify any vulnerabilities, modify and recompile their affected controls and components using the updated versions of ATL and finally distribute a non-vulnerable version of the controls and components to their customers.

Here, Damien Watkins from the VC++ team and Damian Hasse and Jonathan Ness from MSRC Engineering review the steps to identify and address vulnerable controls and components. Of course, being a Channel 9 interview, we dig into various aspects of the problem without veering away from the goal here: helping you understand the exact issues with this vulnerability. If you own a component or control that uses ATL, then you will know what you need to do to prevent a possible attack.

Please visit the URLs below as soon as possible for detailed information on this vulnerability.

Resources discussed in this video are available on MSDN: Active Template Library Security Update and Developers

Detailed technical information on this security release for ATL developers: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

Additional information on this security release is available on the Security Research & Defense blog

Overview with background + table of links: http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

IE mitigation explanation: http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx

Deep dive for developers: http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx

How msvidctl.dll is related: http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx

Michael Howard's perspective on this issue: http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx

SDL-LOB Phase 3: Implementation

Jossie Tirado — Mon, 20 Jul 2009 17:54:00 GMT

The third phase of the SDL-LOB (Security Development Lifecycle for Line-of-Business applications) includes Implementation.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.

Read more on the Implementation Phase here.

Anti-XSS 3.0 Released

Jossie Tirado — Wed, 15 Jul 2009 16:12:00 GMT

Vineet Batta and Anil Revuru (RV), from Microsoft Information Security, talk about the release of the new version of the Anti-XSS library, which is designed to encode output to help developers protect their ASP.NET web-based applications from cross-site scripting attacks.

They explain the new features and benefits found on version 3.0, including:

Extended white list
Better performance
MSDN Style Help documentation
Marked Anti-XSS Output
Security Runtime Engine (SRE)

To learn more about this library read the following blogs from the Security Tools Team blog and previous posts.

Patrice Godefroid - Automated Whitebox Fuzz Testing with SAGE

Peli de Halleux — Tue, 14 Jul 2009 18:29:00 GMT

Patrice Godefroid gives an overview of Automated Whitebox Fuzz Testing, a powerful testing technique applied at Microsoft through a tool called SAGE. Listen how he is working with the SAGE team to 'eradicate all buffer overrun bugs' in Windows...

Read more in this paper or this slide deck.

The Research in Software Engineering team (RiSE) coordinates Microsoft's research in Software Engineering in Redmond, USA.

Silverlight 2 Security

Jossie Tirado — Tue, 14 Jul 2009 00:43:00 GMT

The usage of Silverlight to provide users a rich internet experience continues to increase. As it becomes a key element on our web applications, it is good to keep in mind that it still runs code on the user's machine.

That is why Maqbool Malik, from Microsoft Information Security, describes some key features added on the second version of Silverlight to enhance security.

Among the features discussed, Maqbool talks about XAP files, cross-domain policy files, HTML access, etc.

Threat Modeling LOB Applications with TAM 3.0

Jossie Tirado — Mon, 06 Jul 2009 22:38:00 GMT

Andrew Law, from Microsoft Information Security, walks us through the creation of a threat model for a line-of-business application using the Threat Analysis & Modeling tool version 3.0. This screencast includes the definition and purpose of a threat model as well as its alignment with the SDL-LOB.

Threat Model ownership is discussed as well as the use of the central repository, common task list and how to leverage them to automatically generate threats.

Learn more on the Threat Modeling site & Information Security Tools blog.

SQL Detect

Jossie Tirado — Mon, 06 Jul 2009 19:41:00 GMT

SQL Detect is a SQL injection filter in real-time mode. When a request happens in the application the tool applies different heuristics to the data and tries to identify the attack. After the request is validated it proceeds.

Maqbool Malik, from Microsoft Information Security, describes how this is one of the tools to be included in the to-be-released Security Runtime Engine (SRE).

To learn more about their tools, read the Information Security Tools blog.

Microsoft Security Development Lifecycle Template

Larry Larsen — Thu, 02 Jul 2009 10:45:00 GMT

The Microsoft SDL Process Template is a new process template for Visual Studio Team System intended to ease adoption of the Microsoft Security Development Lifecycle. The template integrates the SDL directly into your software development environment, provides auditable security requirements and status, and demonstrates security return on investment.

I stopped by the Microsoft Security group and spoke with Jeremy Dallman about the SDL, and what it means for developers. The Process Template is free and can be downloaded from www.microsoft.com/SDL/.

Securing REST ful services

ashishjaiman — Tue, 30 Jun 2009 03:02:00 GMT

REST is an acronym for Represntational state transfer, REST defines an architectural style based on a set of constraints for building things the “Web” way.

In this screen cast I will demo how to secure a restful web service using WeServicebHost2Factory and Request Interceptors in WCF Rest Starter Kit. i will implement both Basic Authentication Request Interceptor and also Authorization Header token based authentication.

The demo code is posted here - Code –

http://cid-0666e397c5ca74dd.skydrive.live.com/self.aspx/Screencast/ProjectService.zip

Previous Screencast - http://channel9.msdn.com/posts/ashishjaiman/WCF-35-RESTful-web-service/

Other resources –
http://aspnet.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=24644
http://msdn.microsoft.com/en-us/netframework/cc950529.aspx

Architecture Behind CAT.NET

Jossie Tirado — Mon, 29 Jun 2009 22:24:00 GMT

Ben Livshits, from Microsoft Research, talks about the architecture behind CAT.NET, which is a static analysis tool on Visual Studio that helps find vulnerabilities like SQL Injection, CSRF, XSS among others, within managed code.

Ben’s knowledge on static and dynamic dataflow analysis made him a key contributor on the creation of CAT.NET. He walks us through different examples of how the data analysis happens depending on complexity and explains how precision varies.

Learn more about Microsoft Information Security Tools.

www.msinfosec.com

Threat Analysis & Modeling Tool - TAM 3.0

Jossie Tirado — Mon, 29 Jun 2009 20:43:00 GMT

Anil Revuru (RV), from Information Security Tools, provides an overview of the new version of TAM (Threat Analysis & Modeling), an asset-centric tool which uses an objective methodology to analyze applications for threats and define mitigation plans for them. TAM aligns to the SDL-LOB as part of the Design phase.

RV describes the new features in this version, including the online repository for the attack countermeasures, automated use cases creation, composite threats, among others.

Learn more:

Security Design Reviews

Jossie Tirado — Wed, 24 Jun 2009 16:07:00 GMT

Security is not something we just add at the end of the implementation phase...it should be baked into the application all the way from design.

Anmol Malhotra, from Microsoft Information Security, provides more than enough reasons why Security Design Reviews make sense and why they are so important...let him walk you through the SDLC phases and how security tasks are found in each step.

To learn more about security on line-of-business applications using the SDL-LOB go here.

SafeNet - Hardware and Software Security Modules

ashishjaiman — Tue, 23 Jun 2009 18:53:00 GMT

SafeNet is a global leader in information security.

SafeNet provides complete security utilizing its encryption technologies to protect communications, intellectual property and digital identities, and offers a full spectrum of products including hardware, software, and chips.

In this video I sit with Bill Becker, Chief Architect, SafeNet and discuss how SafeNet is leveraging Microsoft platform.

David LeBlanc: Inside SafeInt

Charles — Tue, 16 Jun 2009 16:34:00 GMT

SafeInt is a C++ header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms. SafeInt is currently used extensively throughout Microsoft, with substantial adoption within Office and Windows.

David LeBlanc is a software engineer and security expert. You may know him from the Writing Secure Code books. David and Michael Howard have helped raise the bar for software security inside Microsoft for several years now. David has mostly remained out of the limelight since he's much more interested in writing secure code than talking about writing secure code. Well, now David's going to be famous. Sorry, David. :)

The great Ale Contenti joins us in this conversation to provide some context and ask some hard questions. Ale is a dev lead on the C++ libraries team. You've seen him a few times on 9. As you can imagine, he probably uses SafeInt in his own work.

Here, we dig into the thinking behind SafeInt, how it works, how it's composed, when to use it, when not to use it and how it will evolve to meet new demands and support other compilers (SafeInt now supports gcc). Enjoy!

!exploitable Crash Analyzer

Larry Larsen — Tue, 16 Jun 2009 08:50:00 GMT

!exploitable (pronounced "bang exploitable") Crash Analyzer is a plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.

The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners. Jason Shirk from the Security Core team joined us to take a look at !exploitable. To download the app, go to: http://www.codeplex.com/msecdbg.