Never Thought I’d Still be Dealing with This: Insecure ActiveX Controls!

Over the last couple of months, I have worked with some customers still using custom-written ActiveX controls, and in more than one instance, the controls were vulnerable to attack. One customer asked how they can go through their controls quickly to triage which controls to review first. As a general rule I look to see…


Understanding that Microsoft Azure PaaS and IaaS defenses are often different

I received many comments from people asking me to clarify the following line from my previous blog post: The threat model makes the delineation explicit, and this is more pronounced when considering IaaS defenses and PaaS defenses, which can often be quite different. So, I want to spend a little time explaining what I mean…


Cloud-based Solutions, Threat Modeling and Shared Security Responsibility

Almost 100% of my security work these days involves helping customers deploy their solutions on Microsoft Azure with confidence. It’s an interesting, subtle twist on the use of the Microsoft Security Development Lifecycle (SDL). My SDL work has gone from being “it’s the right thing to do” (which it still is, but humor me) to…


Refactoring C and C++ Code for Security

I have been programming in C and C++ since I was 15 years old. And no, I won’t tell you how long ago that was! I have always loved both languages, and still do, but when the first internal pre-releases of Visual Studio 2013 came out, I selected C# as my prime language. To be…


Security Sessions at TechEd in Australia and New Zealand

I’m heading to TechEd Oz and NZ in a couple of hours to present the following:
SEC312 The “Everything Developers Need to Know About Security” Talk
Oz: 9/10/2009 15:30-16:45
NZ: 9/14/2009 14:15-15:30
SEC201 Inside the Microsoft Security Development Lifecycle: And how you can use it!
Oz: 9/10/2009 11:30-12:45
NZ: 9/15/2009 12:10-13:25
I’m also giving a…


Integrating the SDL process into Visual Studio

I’ve been a firm believer of integrating as much security tooling as possible into the development process so developers can get on with developing code and designing solutions rather than having to constantly think about dotting the security “i”s and crossing the security “t”s. The less security “friction” the better, because the more you can…


A Conversation About Threat Modeling

This was fun to write; in fact, other than minor edits I wrote it in a single two hour sitting with my laptop by the pool 🙂


Ken Johnson (Skywing) joins Microsoft

Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan joining Microsoft, I am pleased to announce that Ken Johnson, AKA Skywing, has joined our group. Ken brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related to vulnerabilities, exploits,…


Free Download: Writing Secure Code for Windows Vista

“For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a “Free E-Book of the Month” offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download the selection of the month.”…