Wresting free from a software straitjacket

There’s an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG’s Trustworthy Computing memo. IMHO, here’s why such an email is so important. If you don’t get the senior management team to buy off on this security engineering…


Which Database is More Secure? Oracle vs Microsoft

I was quite surprised when a number of folks criticized the data used in the report titled “Microsoft SQL Server Runs the Security Table” from ESG – it was just CVE data! Well, David Litchfield has done some of his own research, and created a report comparing SQL Server and Oracle. David is no slouch, he…



I received a number of emails about the ‘eXPired’ poster on my office door, heck it even made “Quote of the Week” in the Seattle Post-Intelligencer (scroll to the bottom.) So here it is (click for a bigger image) As for Tigger – he’s my mood indicator!


Microsoft SQL Server Runs the Security Table

In my opinion, SQL Server 2000 SP3, SQL Server 2005 and IIS6 have been the poster-children for SDL. Enterprise Strategy Group just released a research paper comparing the security of SQL Server with Oracle and MySQL. And no, this was not commissioned by Microsoft!


Symantec’s “The Mac OS X Threat Landscape: An Overview”

This is probably the most in-depth analysis of Mac OS X security I’ve ever read. It’s a worthwhile read. I was especially fascinated by the last section on preventative measures because we’ve spent so much time on this stuff in Windows Vista, and it’s all enabled by default, yet Apple has chosen to not do this…


Jim’s Comments about Windows Vista and Antivirus software

When I read the interview “Allchin Suggests Vista Won’t Need Antivirus” with Jim Allchin I shuddered, and then I realized he’d been taken out of context. Jim is no fool. Anyway, he’s responded, and I’m happy to see he has. Long-time Microsoft watcher Mary Jo Foley concurs. Oh, and for what it’s worth. My…


Microsoft hosts OEM partners for a crash-course in SDL (Day Three)

So, the final day of the SDL sessions for our OEM partners is complete… My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very pointed and deep questions. The companies could have sent junior people to this event simply to pay lip service to security,…


Microsoft hosts OEM partners for a crash-course in SDL (Day Two)

Day two of the SDL training session for OEMs went well. James Whittaker led the discussion for the first half of the morning, discussing security testing. His main point was that testing for security requires a different mind set – you still have to rely on conventional testing techniques, but you also have to take…