Programmers are also people who also make mistakes

It's the first part of our talk with Daniil Svetlov at his radio show "Safe Environment" or "Safe Wednesday" - kind of wordplay in Russian recorded 29.03.2017. We were discussing why Software Vulnerabilities are everyone's problem. Full video in Russian without subtitles is available here. I adde...

Rescanning Applications with RIPS

Benefits One of the most important things in modern application development is to think about security in every step of the development lifecycle. Beginning with the start of the development right up until the continued deployment of patches and features - security is important in all stages of a...

Students Built Open Source Web-Based Threat Modeling Tool

Threat models help application developers answer some fundamental questions about potential risks and how to cut off vulnerabilities before they’re put into production. Some software development lifecycles, however, don’t include threat modeling as part of the code-building process because they’v...

Lessons Learned in Building a Vulnerability Coordination Program

CANCUN – Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software. Wrong. “The name bug bounty is actually a false categorization of what is truly just an incentive program,” said Katie Moussouris, chief policy officer at...

Microsoft Shuts Down Patch Tuesday Advanced Notifications

Microsoft today pulled the plug on its Advanced Notification Service ANS, offering it going forward only to paying Premier customers. ANS preceded the release of Microsoft’s monthly Patch Tuesday security bulletins; on the Thursday prior, Microsoft would provide users via its security website a...

As Bug Bounties Become the Norm, Challenges Remain

SEATTLE–For many years, Microsoft and other large software vendors resisted the idea of providing bug bounties or other financial incentives for researchers to report vulnerabilities. That changed when the landscape began to shift and more researchers began reporting vulnerabilities through broke...

Charney on Trustworthy Computing: 'I Was the Architect of These Changes'

Scott Charney, the head of Microsoft’s Trustworthy Computing efforts, said that he was the one who decided it was time to move the TwC group in a new direction and integrate the security functions more deeply into the company as a whole. “I was the architect of these changes. This is not about th...

Web Application Security Begins with Programming Language

When building an enterprise Web application, the most foundational decision your developers make will be the language in which the app is written. But is there a barometer that measures the security of the programming languages developers have at their disposal, or are comfortable with, versus...

Disconnect Between Application Development and Security Getting Wider

There is a widening gulf between application developers and security decision makers inside the enterprise, and it’s starting to cost companies serious money. Sure there’s been lots of talk about the need for better static and dynamic web application testing tools and the need for a formalized...

Microsoft Releases Attack Surface Analyzer Tool

Microsoft has released a public version of its internal Attack Surface Analyzer tool, which helps organizations identify changes to a system’s attack surface as new applications are added. The tool has been in beta for a few months, but this is the first official release. The Attack Surface...

Microsoft's SDL Expands Beyond Redmond

It’s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it’s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and...

The Past, Present and Future of Software Security

Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the...

Microsoft Releases New Versions of Software Security Tools

Microsoft has released new versions of several of its software security tools, including its Threat Modeling Tool and a pair of fuzzers. All of the tools are part of the company’s Security Development Lifecycle program, which it has been sharing with external organizations for a few years now...

Making an Application Security Program Succeed, Part Two

“Failure is only the opportunity to begin again, only this time more wisely,” is a quote attributed to legendary automaker Henry Ford. While it seemingly has nothing to do with secure application development, all you need to do is talk to a handful of enterprises who have tried to implement a...

Microsoft Cites Progress in SDL Report, Advocates More Adoption of ASLR, DEP

In the more than nine years since Bill Gates’s Trustworthy Computing email kicked off Microsoft’s comprehensive, company-wide security initiative, the company has not only committed a tremendous amount of money and resources to the project but also has been quite open and public about the process...

NSA: Our Development Methods Are in the Open Now

WASHINGTON–Despite its reputation for secrecy and technical expertise, the National Security Agency doesn’t have a set of secret coding practices or testing methods that magically make their applications and systems bulletproof. In fact, one of the agency’s top technical experts said that virtual...

SmarterMail 7.2.3925 - LDAP Injection

SmarterMail 7.2.3925 - LDAP Injection Vendor: smartertools.com SmarterMail 7.x 7.2.3925 Date: 2010-10-01 Author : David Hoyt sqlhacker – Hoyt LLC Contact : [email protected] Home : http://cloudscan.me Dork : insite: SmarterMail Enterprise 7.2 Bug : LDAP Injection + Cross Site Scripting STORED Test...

Microsoft Tries to Boost SDL Adoption

Microsoft is trying to boost adoption of the software security practices in its Security Development Lifecycle by releasing a revised set of instructions to make implementation of the process easier and faster. At the Black Hat DC conference on Tuesday, the company announced the release of its...

Steve Lipner on the Microsoft SDL and Windows 7 Security

Dennis Fisher talks with Steve Lipner of Microsoft about the Security Development Lifecycle, changes in the threat modeling process and the security of Windows 7. Podcast audio courtesy of sykboy65 Subscribe to the Digital Underground podcast on...

Microsoft Pushes for Better Software Security Practices

WASHINGTON–Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security. One of the outputs of the company’s software security...