My Security Planet » Michael Howard's Web Log » September 2008

Feeds

13616 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Michael Howard's Web Log

• 

  Practical Defense in Depth

  Posted: September 26th, 2008, 2:50pm CDT by michael_HOWARD

  Tags:  Security   [edit]

  <sent from Cabo San Lucas Airport - heading back to Austin >

  Crosstalk has published an article for mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.

  
• 

  Twitter Feed

  Posted: September 17th, 2008, 1:16pm CDT by michael_HOWARD

  Tags:  Personal   [edit]

  I've been doing this Twitter thing for a while now - I really like it, folks can get a feel for what you're up to each day.

  If you're interested, you can see what I'm up to by clicking 'Follow' at [twitter.com]

  
• 

  SDL Evolution

  Posted: September 16th, 2008, 11:02pm CDT by michael_HOWARD

  Tags:  Security   [edit]

   UPDATED: Added IOActive post

  As many of you have seen today, there's been plenty of press about us opening up the SDL for use by other software developers and releasing our threat modeling tool. For those of you who have no clue what the heck I'm talking about, here are a handful of articles about what happened today:

  • Microsoft becomes high priest of secure software development (C|Net)
  • Microsoft looks to spread secure software expertise (Computerworld)
  • Microsoft to Share Its Secure Development Blueprint, Threat Modeling Tool (Dark Reading)

  I'm not sure about the "High Priest" moniker, but what the heck :)

  Cigital also blogged about the event, most notably the SDL Pro Network, and IOActive posted some comments too.

  I'm really excited to see the SDL move forward and most importantly, outward. We have learned a great deal about what it takes to make steps toward securing software. We don't expect perfection, but if more people embrace some of the principles we define in the SDL, and we have experienced and knowledgable partners scale the effort, I think the IT world will be a substantially more secure place.

  -Michael

  
• 

  James Whittaker has a blog

  Posted: September 15th, 2008, 8:46pm CDT by michael_HOWARD

  Tags:    [edit]

  SDL alumnus James Whittaker has a blog. I meant to write a note on this weeks ago, but I kinda got busy! Anyway, if you're a tester, or have a passing interest in test, James is one of the best and you should learn from him. He's the author or coauthor of How to Break Software, How to Break Software Security and How to Break Web Software.

  [blogs.msdn.com]

  
• 

  GOOG Chrome's use of NX/DEP

  Posted: September 15th, 2008, 9:18am CDT by michael_HOWARD

  Tags:  Security   [edit]

  Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to Windows.

  Scroll about halfway down the article.

  
• 

  Kim Cameron on GOOGs single sign on design vulnerability

  Posted: September 15th, 2008, 8:25am CDT by michael_HOWARD

  Tags:  Security   [edit]

  I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.
• 

  Katie Moussouris joins the SDL team

  Posted: September 12th, 2008, 3:06pm CDT by michael_HOWARD

  Tags:  Security   [edit]

  Dave Ladd just posted a note about Katie joing the ever-growing SDL team. For you twitter freaks out there she's @k8em0 :)

  Welcome, Katie...