Latest Microsoft Blogs

I've been working hard to get more security related work back into my schedule. And so..... I'm starting a new "season" of the Digital Blackbelt webcast series. If we get enough interest I'll do some give-a-ways and such ! SIGN UP NOW !!!! Here are the first 3 dates ! 11/3/2008; 11:00 AM (PST) Convincing Management: The Business Case for Adding Security to the Development Life Cycle [ Click HERE to Register ] 11/10/2008; 11:00 AM (PST) Security Development Lifecycle: Building an Intentionally Secure Development Process [ Click HERE to Register ] 11/24/2008; 11:00 AM (PST) Threat Modeling for Software Developers [ Click HERE to Register ] Read More...

The Deep Fried Bytes guys caught up with me at DevLink and we had a talk about developer security needs, mistakes, activities, etc ! Listen Here http://deepfriedbytes.com/ Read More...

As Scott wrote last week , using a punny title I have to admire, he and I (among many others) were both the subject of a DoS (Denial of Service) attack. Looking through my logs, it looks to actually be a DDoS (Distributed Denial of Service) attack coming from multiple IP addresses. The attack appears to actually be an attempt at a SQL Injection attack, but for his blog, which stores its data in XML files, that is entirely pointless. For my blog, which doesn’t do any inline SQL, it’s also mostly pointless. So far, the SQL injection part of the attack has failed, but it has succeeded in pegging my CPU. Maybe that’s the actual intended goal. Only the attacker knows. LogParser Queries The first clue (besides my site being down) is that my log file...

#8 | Changing Membership Settings in the Default Membership Schema #9 | Configuring SQL To Work with Membership Schemas #10 | Understanding ASP.NET Memberships [ Get them here ] Read More...

Dolores Labs posted recently " Amazon’s S3 Web Service, our #1 cause of failure " [ Click HERE to READ ] Amazon.com is a great company and a early innovator in the Web Services Community. (God knows I send them ALOT of money.) So this is not an indictment of Amazon as a technology provider. In fact, it is because a Amazon is a great company with a solid infrastructure that this is significant. As Geeks, we tend to get all jazzed about the latest buzz - and cloud computing is certainly one of them. But, I think it's important to remember, while services in the cloud can be very cost effective. You can't control the cloud. When you build it and own it you always have options when you're not getting the service level you need...

Please checkout the first videos in my new Web Developer's Security Video Series. http://www.asp.net/learn/security-videos/ I'm hoping to do 100 Videos this year ! PLEASE SEND YOUR REQUESTS !!! Read More...

For many years I've had an interest in and a focus on Application Security. Now, I'll be ramping up and doing a bunch of security related work in my role here at Microsoft. I hope you will add www.SecureDeveloper.com to your blog reader. I expect to include coverage of topics of interest to Web Developers, Server Admins, Rich Client Developers and RIA Devs. As always, please feel free to send your requests and suggestions !! Read More...

I was just reading Soma’s blog post How vulnerable are software applications? and it really makes you think about how and what you create as an application designer.  According to a 2005 FIB survey, U.S. businesses lost $67.2 billion because of cyber...

T Check out this 2 day security brain fest. It happens to be right after Black Hat in Vegas. See you there ? The LifeCycleSecurity conference was started to provide a venue where professionals in the Application Security industry can learn from each other's experiences. We will be addressing security from the server to the browser. Application Security : We will have topics that address how professionals are creating systems that are resistant to attacks against the web application layer and the systems that support these web applications. Browser security: With the increase in attacks against browsers such as malware and other attack vectors, protecting your users is more important than ever. This is increasingly being done with content...

When we implemented claim based authorization in LitwareHR, we had to write a lot of code and play with non-trivial configurations (LitwarehR includes 2 STS and all the supporting infrastructure for securing the web services and the callers to them). Not being a security expert myself, I found the “theory” behind this amazingly simple and powerful, but the “practice” quite complex. The good news is that all this just got much easier with the release of “Zermatt”: “Zermatt” is a .NET developer framework and SDK that helps developers build claims-aware applications to address today’s application security requirements using a simplified model that is open and extensible, can improve security, and boosts productivity for developers.  Developers...