New Threat Analysis and Modeling (TAM) 2.1 tool released

Containing many bug fixes and some enhancements, this is a great tool for organizations that may not have dedicated teams of security analysts but want to model their application and automatically generate many of the possible threats. The following are some of the improvements and features. Improvements/Fixes- Better Data validation (Tool identifies duplicate items, call…


Mono not mentioned in Novell WebCast – but it is in the FAQ

As a developer, the first thing I thought about with the Novell announcement was Mono and whether or not Microsoft would be putting resources toward that Herculean effort. Miguel makes reference to the FAQ which talks about this subject: Q: What does the patent agreement cover with regard to Mono and OpenOffice? Yes, under the…


Should we say goodbye to SecureString?

Dominick over at Least Privilege makes reference to the new functionality added to HawkEye which allows developers to display the contents of SecureString, and also change the current principal of the running thread. This looks like a really great debugging tool, and I’m thinking about paying the licensing fee to get a copy to play with…
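What makes a SecureString viewer possible is that the class only protects against accidental exposure; any code running inside the same process (a debugger plug-in, an injected assembly, a careless log statement) can marshal the contents back out as plaintext. The following is an added example written for this page, not code from HawkEye or from the original post; the sample value "hunter2" is constructed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example: shows that in-process code can recover a SecureString's
// contents through the Marshal API. Not HawkEye's code; it only illustrates
// why an in-process debugging tool is able to display the value.
static class SecureStringDemo
{
    // Build a SecureString one character at a time, as a password prompt would.
    static SecureString Build(string plain)
    {
        var s = new SecureString();
        foreach (char c in plain) s.AppendChar(c);
        s.MakeReadOnly(); // read-only blocks further edits, not marshaling out
        return s;
    }

    // Recover the plaintext: copy to an unmanaged BSTR, read it, then zero and free it.
    static string Reveal(SecureString s)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(s);
            return Marshal.PtrToStringBSTR(bstr);
        }
        finally
        {
            // Zero the unmanaged copy so the plaintext does not linger there.
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        using (SecureString secret = Build("hunter2")) // constructed sample value
        {
            // The managed string returned here is an immutable, GC-owned copy that
            // stays in memory until collected: exactly the exposure SecureString
            // is meant to limit, and exactly what a viewer tool hands back to you.
            Console.WriteLine(Reveal(secret));
        }
    }
}
```

The point for practitioners: SecureString narrows the window in which a secret sits in managed memory (no immutable string copies, contents zeroed on Dispose), but it is not a boundary against code that already runs in your process or holds debug rights on it. Treat the HawkEye feature as a reminder of that threat model rather than as a flaw in the class.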


Guidance Library filled with security goodness!

The folks over at the Patterns and Practices Team have done it again with the Guidance Library – containing all kinds of best practices, mini “How-Tos” and coding samples for .NET. What’s great about this site is that you can categorize the best practices by topic, including security, and create your own checklists for developers….


Don’t be a Security Nazi

I was out at a customer site last week and needed to have access to their internal corporate network to do some work for the week. Their process for providing access to outside consultants was actually quite mature – basically, I needed to send an email to an internal address asking permission for access. A…


Two kinds of people – and the Orcas CTP as a VM!

There is an old saying out there: There are two kinds of people in the world – those who have lost all of their data, and those who will! I now count myself in the party of the first part. To make a long story short, I decided to upgrade to Windows Vista CTP a…


Problems with Vista Security in Europe

I was wondering when this issue was going to come up in the anti-trust discussions. It seems as if the EU commission is raising concerns that the ‘bundled’ security features of Microsoft Vista might block out competitors in the security space. To me, (and I’m really trying hard to not be biased here), the decision…


Credit Card Companies form security council

It seems that the evolving PCI (Payment Card Industry) standard is getting more support, with all of the major credit card companies agreeing to get together to form the new Security Standards Council. While the PCI standard is fairly high level right now, it is requirement 6, calling for secure applications, which catches my eye. I’m going to keep my eye on…


Does AOL have a Secure Development LifeCycle in place?

Yet another set of headlines this week about data being leaked accidentally by internal employees. This time, the news is from AOL, where information was posted online about user searches. According to AOL, “This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team,” Jonathan F….


New Threat Modeling Tool and ‘hip’ video released

So everyone is talking about the new .NET 2.0 based threat modeling tool (Beta) that has just been released. From my initial fly-by, it looks like a very different approach from the older tool, which relied on software developers to learn and master the concepts of STRIDE and DREAD in the analysis. I go around all…