Channel: Casaba Security » SDL
Browsing all 9 articles

New Secure Coding Standards

This has probably been a long time coming, but CERT has announced that they will be hosting a wiki containing secure coding practices for C and C++. This codification of numerous industry best...

It all comes back to the basics

Recently there has been a lot of talk in the security community about the Flash ActionScript exploit written by Mark Dowd (http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf). I will not go...

Help talking to the non-security professionals

Recently, I have been spending a lot of my time working with clients on SDL (Security Development Lifecycle). This is a new trend in the security industry and a welcome development in my opinion. In...

Microsoft SDL blog post about Watcher

Microsoft mentioned Watcher's usefulness in Web-security testing and SDL requirements verification. We're working to make this tool better so please share your success stories, bugs or false positives...

A Vim plugin for highlighting APIs banned by the Microsoft SDL

I do a lot of programming, so I live in my editor. I use Vim. If you also use Vim then I've got something to share with you: a new syntax plugin that highlights function calls banned by Microsoft's...

Use the Source, Luke!

If there's one thing that I've learned throughout the years as a programmer, it is not always safe to trust the documentation. In fact, there is an old saying, “Use the source, Luke!” When possible,...

On the Importance of Good Developer Documentation

Programmers rely on documentation. It's how we learn to use APIs. Misusing APIs is a leading source of vulnerability. You might think that documentation is a cure to this ailment. Unfortunately, as...

Getting Around Conditionally Banned APIs When Using Microsoft’s banned.h...

This code sample makes use of banned.h, a Microsoft-supplied header file that deprecates dangerous CRT functions. Microsoft also poisons these functions on UNIX if you include banned.h there. This is a...

SDL Requirements and Release Videos Now Online

Not too long ago Chris, Jason, and myself did a handful of videos with the folks over in the Microsoft SDL and Azure teams on applying the SDL to various phases of the software development process....
