Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Never Thought I'd Still be Dealing with This: Insecure ActiveX Controls!
Over the last couple of months, I have worked with some customers still using custom-written ActiveX...
Date: 06/03/2016
Understanding that Microsoft Azure PaaS and IaaS defenses are often different
I received many comments from people asking me to clarify the following line from my previous blog...
Date: 05/20/2016
Cloud-based Solutions, Threat Modeling and Shared Security Responsibility
Almost 100% of my security work these days involves helping customers deploy their solutions on...
Date: 05/13/2016
Refactoring C and C++ Code for Security
I have been programming in C and C++ since I was 15 years old. And no, I won’t tell you how...
Date: 03/08/2016
Security Sessions at TechEd in Australia and New Zealand
I'm heading to TechEd Oz and NZ in a couple of hours to present the following: SEC312 The...
Date: 09/06/2009
ATL, MS09-035 and the SDL
https://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
Date: 07/28/2009
Integrating the SDL process into Visual Studio
I’ve been a firm believer of integrating as much security tooling as possible into the development...
Date: 05/19/2009
A Conversation About Threat Modeling
This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with...
Date: 05/01/2009
Ken Johnson (Skywing) joins Microsoft
Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan...
Date: 03/24/2009
Free Download: Writing Secure Code for Windows Vista
"For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to...
Date: 12/30/2008
Secure software development practices 'not rocket science'
https://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html#
Date: 12/08/2008
A Proactive Approach to Building a Successful Security Development Lifecycle Program
At this point most of you have heard about the Microsoft SDL and some of the activities and deliverables...
Date: 11/19/2008
Improvements in Office Security
David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office...
Date: 11/17/2008
Volume 5 of the Microsoft Security Intelligence Report is out
Volume 5 of the Microsoft Security Intelligence Report is now out, highlights include: Security...
Date: 11/03/2008
Security-Related MSDN Magazine Articles
Bryan Sullivan and I wrote a couple of articles for this month's MSDN Magazine. If you're not aware,...
Date: 10/28/2008
Agile SDL
Over the last year or so, a bunch of us in the SDL team have been working with agile groups across...
Date: 10/28/2008
SAFECode releases "Fundamental Practices for Secure Software Development" document
Today, SAFECode released an important document entitled, “Fundamental Practices for Secure Software...
Date: 10/08/2008
Practical Defense in Depth
<sent from Cabo San Lucas Airport - heading back to Austin > Crosstalk has published an...
Date: 09/26/2008
Twitter Feed
I've been doing this Twitter thing for a while now - I really like it, folks can get a feel for what...
Date: 09/17/2008
SDL Evolution
UPDATED: Added IOActive post. As many of you have seen today, there's been plenty of press about us...
Date: 09/17/2008
James Whittaker has a blog
SDL alumnus James Whittaker has a blog. I meant to write a note on this weeks ago, but I kinda got...
Date: 09/15/2008
GOOG Chrome's use of NX/DEP
Scott Hanselman has a look under Chrome's hood and how it uses the new NX/DEP APIs we added to...
Date: 09/15/2008
Kim Cameron on GOOG's single sign on design vulnerability
I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his...
Date: 09/15/2008
SDL and the XSS Filter
Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner just posted an...
Date: 08/27/2008
Overlong UTF-8 Escapes Bite
Every once in a while a security bug pops up that really piques my interest, and a new directory...
Date: 08/22/2008
Security is bigger than finding and fixing bugs
I just wrapped up a post over on the SDL blog with some comments about an article on Google's...
Date: 08/14/2008
How Very True
https://twitter.com/alexsotirov/statuses/882866444
Date: 08/12/2008
Improve Security with "A Layer of Hurt"
I just wrote a post over on the SDL blog about how to get started with fuzzing,...
Date: 07/31/2008
Insecure 3rd party software updaters
Gotta love Robert's sarcasm.. but he's right.
Date: 07/29/2008
SQL Server and the Windows Server 2008 Firewall
SDL alum, Shawn Hernan (now in the SQL Server team), has written an excellent post about SQL Server...
Date: 07/02/2008
More on Heap Corruption and Process Termination
I just added a post over on the SDL blog about heap corruption and process termination as well as...
Date: 06/07/2008
Giving SQL Injection the Respect it Deserves
I just posted an article on the SDL blog about the recent news of SQL injection vulnerabilities...
Date: 05/16/2008
Crispin has a blog!
It had to happen. Since joining Microsoft a few short months ago, Crispin Cowan now has a blog. He's...
Date: 04/28/2008
Oh No! Security Metrics!
I just posted an article over on the SDL blog about security metrics in response to an analyst's...
Date: 04/18/2008
Microsoft Security Development Lifecycle (SDL) 3.2 documentation now available for download
Dave Ladd has just made a (long) post over on the SDL blog announcing the availability of the SDL...
Date: 04/09/2008
Internet Explorer 8.0 and Data Execution Prevention (DEP/NX)
Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports...
Date: 04/08/2008
When adding security bugs to your code is not your fault!
David LeBlanc and I (and a bunch of others) just had a little email exchange about some fascinating...
Date: 04/04/2008
"How Do I?" Videos for Security
These are pretty cool - I'm a big fan of highly focused, short education like this......
Date: 03/30/2008
IE8 Activity to lookup CVEs and Microsoft bulletins
Update: Added Microsoft bulletin stuff. I'm always looking up CVEs so I want to get to the data as...
Date: 03/18/2008
Protecting Your Code with Visual C++ Defenses
MSDN Magazine has just published an article I wrote that collects many of the various C and C++...
Date: 03/17/2008
The impact of the SDL on Microsoft SQL Server
Following on from my recent post about Windows Vista security and the SDL, a number of people have...
Date: 03/06/2008
Some thoughts about Windows Server 2008
Windows Server 2008 has shipped! And a fine product it is, too! Windows Server 2008 is the first...
Date: 03/04/2008
The First Step on the Road to More Secure Software is admitting you have a Problem
I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones'...
Date: 02/21/2008
FAQ about HeapSetInformation in Windows Vista and Heap Based Buffer Overruns
2/19 - Added some minor tweaks. Perhaps it's the phase of the moon or something, but over the last...
Date: 02/18/2008
Introducing SAFECode
Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white...
Date: 02/14/2008
More trustworthy election systems via SDL?
My colleague Eric Bidstrup has just posted a thought provoking article on the SDL blog about...
Date: 02/06/2008
New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008
In the interests of helping secure the platform, we want more people to opt-in to using Data...
Date: 01/29/2008
My Daughter will never be a Spy
My kids are desperate for pets; my six-year old son wants a dog (note, a dog, not a puppy!) and my...
Date: 01/20/2008