Feeds
13616 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
Michael Howard's Web Log
-
Crispin has a blog!
Posted: April 28th, 2008, 1:08pm CDT by michael_HOWARD
Tags: Security [edit]
It had to happen. Since joining Microsoft a few short months ago, Crispin Cowen now has a blog. He's told me some of his ideas for posts... should make for an interesting read! He's never short on opinion. -
Oh No! Security Metrics!
Posted: April 18th, 2008, 10:33am CDT by michael_HOWARD
Tags: Security [edit]
I just posted an article over on the SDL blog about security metrics in reponse to an analyst's criticisms of how we measure success/failure/progress.
Comments always welcome.
UPDATE David Litchfield just made a post on the subjet.
-
Microsoft Security Development Lifecycle (SDL) 3.2 documentation now available for download
Posted: April 9th, 2008, 5:16pm CDT by michael_HOWARD
Tags: Security [edit]
Dave Ladd has just made a (long) post over on the SDL blog announcing the availability of the SDL 3.2 doc suite. This is a big deal. -
Internet Explorer 8.0 and Data Execution Prevention (DEP/NX)
Posted: April 8th, 2008, 3:23pm CDT by michael_HOWARD
Tags: Security [edit]
Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports DEP/NX, but it's disabled by default owing to compatibility issues. Well, DEP/NX is now enabled by default for IE8 when running on Windows Server 2008 and Window Vista SP1 and later :-)
If you build any form of extensibility mechanism for IE, you should read his post.
-
When adding security bugs to your code is not your fault!
Posted: April 4th, 2008, 4:55pm CDT by michael_HOWARD
Tags: Security [edit]
David LeBlanc and I (and a bunch of others) just had a little email exchange about some fascinating integer overflow vulnerabilities in gcc.
Long story made short: the code you add to detect integer overflows might actually be removed by the compiler because of assumptions made by the optimizer. I was going to write a post on the subject, but David did it for me :-) A frankly, no-one knows int-overflow science quite like LeBlanc.
I can't help but be reminded of another compiler optimization vulnerability we discovered a few years back. I wonder what else might be in store for us from the world of compiler optimizations?