Never Thought I’d Still be Dealing with This: Insecure ActiveX Controls!

Over the last couple of months, I have worked with some customers still using custom-written ActiveX controls, and in more than one instance, the controls were vulnerable to attack. One customer asked how they can go through their controls quickly to triage which controls to review first. As a general rule I look to see…

Understanding that Microsoft Azure PaaS and IaaS defenses are often different

I received many comments from people asking me to clarify the following line from my previous blog post: The threat model makes the delineation explicit, and this is more pronounced when considering IaaS defenses and PaaS defenses, which can often be quite different. So, I want to spend a little time explaining what I mean…

Cloud-based Solutions, Threat Modeling and Shared Security Responsibility

Almost 100% of my security work these days involves helping customers deploy their solutions on Microsoft Azure with confidence. It’s an interesting, subtle twist on the use of the Microsoft Security Development Lifecycle (SDL). My SDL work has gone from being “it’s the right thing to do” (which it still is, but humor me) to…

Refactoring C and C++ Code for Security

I have been programming in C and C++ since I was 15 years old. And no, I won’t tell you how long ago that was! I have always loved both languages, and still do, but when the first internal pre-releases of Visual Studio 2013 came out, I selected C# as my prime language. To be…
