Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Developing More-Secure Microsoft® ASP.NET 2.0 Applications Now Available
A new book in the Secure Software Development Series, this time from Dominick Baier is now available...
Author: Michael Howard Date: 10/04/2006
The Sardonic Mr. Jones
If you have not read Jeff Jones' blog recently, you really should. He has a few thought-provoking...
Author: Michael Howard Date: 10/03/2006
Silver Bullet Security Podcast Interview
Gary McGraw (CTO of Cigital, and author or co-author of many security books, including Building...
Author: Michael Howard Date: 09/29/2006
Whatever Happened to sprintf(..., “%n”,...)?
You may have noticed that if your code calls functions in the sprintf family and the format template...
Author: Michael Howard Date: 09/28/2006
Visual Studio 2005 SP1 Beta, Windows Vista and ASLR
Today the Visual Studio 2005 team released Service Pack 1 Beta. Included in the beta is the new...
Author: Michael Howard Date: 09/26/2006
A Chronology of Data Breaches
A fascinating read: https://www.privacyrights.org/ar/ChronDataBreaches.htm.
Author: Michael Howard Date: 09/22/2006
Gamefest Presentations now available
In August I gave a presentation at Gamefest 2006 about secure coding practices and design. You can...
Author: Michael Howard Date: 09/14/2006
“Hunting Security Bugs” now available from Microsoft Press
This is a new security book from MSPress that focuses on security testing. I read some of the...
Author: Michael Howard Date: 09/08/2006
Miscellaneous Windows Vista Security Stuff
I just noticed these blog posts related to Windows Vista security that may interest y'all. Built-in...
Author: Michael Howard Date: 08/31/2006
New Security Resources Available
These papers are aimed at IT type folks and non-technical users. Skip this blog post if you're a...
Author: Michael Howard Date: 08/25/2006
Protecting against Pointer Subterfuge (Redux)
In a prior post, "Protecting against Pointer Subterfuge (Kinda!)" I described the algorithm we used...
Author: Michael Howard Date: 08/16/2006
“Microsoft Dynamics Writing Secure X++ Code” Paper now available
In June 2006, Microsoft released Dynamics AX 4.0, which was the first full version to be developed...
Author: Michael Howard Date: 08/10/2006
Some of us are NOT in Las Vegas!
I suppose someone has to keep the home fires burning! Seriously, it's great to see the Windows Vista...
Author: Michael Howard Date: 08/04/2006
A Process for Performing Security Code Reviews
I wrote an article about performing security code reviews that appears in the July/August 2006...
Author: Michael Howard Date: 08/02/2006
External Security Testing and Windows Vista
On many occasions I have mentioned that we enlisted the help of a number of third-party security...
Author: Michael Howard Date: 07/30/2006
Dave G. at Matasano comments on Vista TCP/IP Stack
Very interesting counterpoint to the recent Symantec paper about the TCP/IP stack in Windows Vista.
Author: Michael Howard Date: 07/21/2006
Interview with the Open Source Software Lab
Last week Sam Ramji, Director of the Open Source Software Lab here at Microsoft, swung by my office...
Author: Michael Howard Date: 06/30/2006
Adam Shostack Joins The Team!
Following close on the heels of James Whittaker joining our group, I am delighted to announce that...
Author: Michael Howard Date: 06/26/2006
Matasano Interviews IE Lead PM Christopher Vaughan
Chris is a top guy; this is a good read....
Author: Michael Howard Date: 06/20/2006
Windows Vista Security – A Bigger Picture
A couple of people have asked about the relationship between /GS, SAL and ASLR in Windows Vista....
Author: Michael Howard Date: 06/12/2006
Windows Vista Address Space Layout Randomization – What is Randomized?
A couple of people asked what “on by default” means with regards to ASLR in Windows Vista. The...
Author: Michael Howard Date: 06/06/2006
Microsoft under attack - and it's not what you think
I really never thought I would see this day! But this is a very interesting read. "..open source...
Author: Michael Howard Date: 06/02/2006
SDL book is shipping!
I have in my paws a copy of the Security Development Lifecycle book... :) And I am told boxes of...
Author: Michael Howard Date: 06/02/2006
Address Space Layout Randomization in Windows Vista
Windows Vista Beta 2 includes a new defense against buffer overrun exploits called address space...
Author: Michael Howard Date: 05/26/2006
Windows Vista Security Enhancements
A paper has just been made available that outlines some of the security improvements in Windows...
Author: Michael Howard Date: 05/25/2006
PREfast, SAL and the Windows SDK
In a prior article I wrote about the benefits of the Standard Annotation Language (SAL) available in...
Author: Michael Howard Date: 05/23/2006
Online Crypto Class Available
Caveat: This is my first blog posting from within Office 2007 beta 2, so I hope it comes out ok!...
Author: Michael Howard Date: 05/22/2006
A Brief Introduction to the Standard Annotation Language (SAL)
Introduction: Even though a prior blog I wrote, “Code Scanning Tools Do Not Make Software Secure”, may...
Author: Michael Howard Date: 05/19/2006
Privacy Breach Impact Calculator
Cute!...
Author: Michael Howard Date: 05/08/2006
SetSAFER and .NET Framework 2.0
Ages ago I wrote a surprisingly well-read couple of articles about dumbing down an admin token and...
Author: Michael Howard Date: 05/08/2006
New hire into our group - James Whittaker
I’m pleased to announce, actually I’m thrilled to announce, that James Whittaker has joined our...
Author: Michael Howard Date: 05/05/2006
A New Book: The Security Development Lifecycle (Microsoft Press, 2006)
Much to my wife’s chagrin but to my delight I have just completed another book, this time with my...
Author: Michael Howard Date: 04/28/2006
Two factor authn
Steve Riley asked me to post this little plea. Turns out he wants to know what YOU want from...
Author: Michael Howard Date: 04/21/2006
Non-admin best practices in Windows XP
I was just going over some old email, and I found this from some of the games folks at Microsoft....
Author: Michael Howard Date: 03/24/2006
Regulatory Compliance Demystified
A worthy read: Regulatory Compliance Demystified: An Introduction to Compliance for Developers
Author: Michael Howard Date: 03/23/2006
An Interesting Observation from Bluehat #3
Last week I attended Bluehat; we hold these events twice a year and get some of the more interesting...
Author: Michael Howard Date: 03/16/2006
A useful primer to Integer overflows/underflows
From a presentation by a security contractor on campus: 1 bottle of beer on the wall, 1 bottle of...
Author: Michael Howard Date: 03/10/2006
Security Analogies are usually Wrong
I have long believed that if someone makes an argument and uses an analogy, then the argument is...
Author: Michael Howard Date: 03/09/2006
Microsoft Anti-Cross Site Scripting Library V1.0 Available
I like this class library because it looks for "good things" and not "bad things." The most common...
Author: Michael Howard Date: 02/27/2006
List of useful security libraries
I was asked last week for a list of "drop-in-and-more-secure" replacements, created at Microsoft,...
Author: Michael Howard Date: 02/27/2006
Windows Defender Beta 2 is out!
I've been using this for a few months now on my own machines, and on my wife's machine at home. The...
Author: Michael Howard Date: 02/14/2006
Pulverize, Incinerate and Disintegrate
Any federal document that contains words like Pulverize, Incinerate and Disintegrate always gets my...
Author: Michael Howard Date: 02/08/2006
Safe Integer Arithmetic in C
There has been plenty of literature written regarding integer arithmetic issues and security bugs....
Author: Michael Howard Date: 02/02/2006
An Update on David LeBlanc
As you probably all know, David is a very good friend of mine and we have authored some popular...
Author: Michael Howard Date: 02/01/2006
New Internet Explorer 7 Beta 2 Preview available
I've been using the current builds for ages now; here are my top reasons for using IE7 (beyond pure...
Author: Michael Howard Date: 01/31/2006
Protecting against Pointer Subterfuge (Kinda!)
When exploiting a buffer overrun vulnerability, the goal of an attacker is usually to change the...
Author: Michael Howard Date: 01/31/2006
How long will that crypto key be useful?
One of the crypto guys here pointed this out to me last night, it's kinda cool. A small web-app to...
Author: Michael Howard Date: 01/27/2006
Blue Hat 2005 - Security Researchers come to Microsoft
From https://channel9.msdn.com/Showpost.aspx?postid=157668 "This Fall, Microsoft hosted the second...
Author: Michael Howard Date: 01/26/2006
Code Scanning Tools Do Not Make Software Secure
There has been a lot of press recently about using ‘code scanning’ tools to find security bugs in...
Author: Michael Howard Date: 01/26/2006
CERT's Virtual Training Environment
CERT has released a Web-based library for information assurance, forensics and incident response....
Author: Michael Howard Date: 01/25/2006