A Proactive Approach to Building a Successful Security Development Lifecycle Program

At this point most of you have heard about the Microsoft SDL and some of the activities and deliverables associated with it. However, I still receive a number of questions, specifically, how and where development organizations can start deploying the SDL. Good news! One of the new Microsoft SDL Pro Network members, Security Innovation, has invited me to address…


Improvements in Office Security

David LeBlanc has an excellent write-up of the results (so far) of all the security work the Office guys have been doing over the last few years. Net: about a 50% reduction in vulns!


Volume 5 of the Microsoft Security Intelligence Report is out

Volume 5 of the Microsoft Security Intelligence Report is now out. Highlights include:

Security vulnerability disclosures – Microsoft and third-party software
Vulnerability exploits – Microsoft software
Browser-based exploits – Microsoft and third-party software
Security and privacy breaches
Malicious and potentially unwanted software trends

Volume 5 of the SIR also includes a detailed examination of the…


Security-Related MSDN Magazine Articles

Bryan Sullivan and I wrote a couple of articles for this month’s MSDN Magazine. If you’re not aware, the November issue focuses on security. The two articles are:

Test Your Security IQ
Threat Models Improve Your Security Process

And there’s the Agile SDL paper that I already mentioned.


Agile SDL

Over the last year or so, a bunch of us in the SDL team have been working with agile groups across Microsoft to help streamline the SDL for agile methods. Bryan Sullivan wrote a paper for MSDN Magazine explaining where our current thoughts lie. Clearly this is just the start; we have some more work…


SAFECode releases "Fundamental Practices for Secure Software Development" document

Today, SAFECode released an important document entitled, “Fundamental Practices for Secure Software Development” aimed at helping software producers create more secure software. The document is unique in that it describes what SAFECode members are doing in practice to raise the security bar; it’s not a theoretical or academic document. I believe the fact that it…


Practical Defense in Depth

<sent from Cabo San Lucas Airport – heading back to Austin> Crosstalk has published an article of mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.


Twitter Feed

I’ve been doing this Twitter thing for a while now – I really like it, folks can get a feel for what you’re up to each day. If you’re interested, you can see what I’m up to by clicking ‘Follow’ at https://twitter.com/michael_howard


SDL Evolution

UPDATED: Added IOActive post. As many of you have seen today, there’s been plenty of press about us opening up the SDL for use by other software developers and releasing our threat modeling tool. For those of you who have no clue what the heck I’m talking about, here are a handful of articles about what…