Are you interested in learning how Windows 7 (the next version of Windows) is engineered? Would you like to get in touch with the engineering team? Then read their blog: Engineering Windows 7
Roger
I just read an interesting post by Michael Howard (Security is bigger than finding and fixing bugs). He refers to a statement Google seems to have made on its development practices (Google shares its security secrets):
In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.
This reminds me of my days back at university: I learned a hell of a lot about software engineering, data modeling and stuff like that. Well, I learned about programming as well (up until I was able to look at Niklaus Wirth's Modula-2 compiler – but this is a different story). And then I started my first job in the industry – and all of a sudden I had to learn that nobody there actually cared about a design. Just write the code! Nobody "had time to do a design on paper, this is just a waste of time". Did it work? Not really.
Now we are coming to security, and what do we do? Look at the code. Look for security vulnerabilities in the code. What about the design? What about the threat models? This drives me nuts: Why are we not ready to learn from…
I know that our Security Development Lifecycle is pretty successful, which can be shown by a lot of different metrics – Michael gives a few in his blog. Additionally, we are working with SafeCode to share the experience and learn from others. Why do other companies not join in?
We all know that crime is global and that criminals are doing their best to leverage the legal shortcomings and the limitations of the cooperation between law enforcement agencies. There is a good article about one case in the New York Times which is definitely worth reading:
Global Trail of an Online Crime Ring
At Black Hat we announced an important change to our Security Bulletins, which becomes effective with the October release.
One of the requests we often hear when talking to our customers is that they would like to get better information on how hard it is to exploit a vulnerability. We will introduce an Exploitability Index by October. Basically, we will give you three values for each vulnerability addressed:
I hope that this makes life easier for you when assessing our updates.
If you would like to get more information, read the fact sheet.
As always, your feedback is very welcome.
If you have ever heard me keynote an event, you know that one of my key messages is that partnerships are necessary in order to be able to protect against today's threats.
At Black Hat USA we just announced a new program called the Microsoft Active Protections Program. The program is designed to give security vendors advance notification of our security bulletin releases. This will help our partners protect our joint customers against the vulnerabilities we are fixing. The reason we decided to launch this program is that exploits are developed much faster than they were in the past and security vendors have to act very fast – so let's give them some additional time and try to get ahead of the curve.
The key question will definitely be who is eligible to join this program. The fact sheet gives you the answer:
Our teams around the Microsoft Security Response Center recently launched a new blog called the MSRC Ecosystem Strategy Team Blog. The blog is meant to give more insight into the work we do with the security ecosystem, knowing that vulnerabilities and attacks today do not "only" affect Microsoft products but very often the Internet as such – just look at the DNS vulnerability.
Something that would definitely be worth looking at: http://blogs.technet.com/ecostrat/default.aspx
It is not really news anymore as it broke during my vacation. However, it is important from my point of view:
We are a proud sponsor (and not for the first time) of the Privacy Enhancing Technology Awards, which recognize the work of researchers in the area of Privacy Enhancing Technologies. There was a press article published on that: Privacy to the Test - Exploring the Limits of Online Anonymity and Accountability
Yes, I am back. I was on vacation and therefore did not take the time to blog.
Just briefly: IBM published a pretty good article on the latest DNS attacks. You can read it here: Responding to the DNS vulnerability and attacks
As always: It is the second Tuesday of the month and we released the Security Updates. However, this month is special from one perspective: We released an update for the DNS resolver, which is released simultaneously with updates from a lot of other DNS vendors affected by the same vulnerability. Here are some technical details about this vulnerability on the SWI blog: MS08-037: More entropy for the DNS resolver. If you want additional details on the vulnerabilities we fixed, the SWI blog might be a very good source: Security Vulnerability Research & Defense
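The DNS update is about entropy: a resolver that sends every query from one fixed source port leaves only the 16-bit transaction ID for a forger to guess, while a randomized source port multiplies that space. The following Python is an added example, not code from the SWI blog or the MS08-037 update, that a defender can run over observed outgoing queries to check whether a resolver is actually randomizing ports; the two sample query lists are constructed for illustration.

```python
import math
from collections import Counter

# Constructed samples of outgoing DNS queries as (source_port, transaction_id),
# as a defender might capture them from a resolver. Values are invented.
FIXED_PORT_RESOLVER = [
    (1025, 0x1A2B), (1025, 0x3C4D), (1025, 0x5E6F), (1025, 0x7081),
    (1025, 0x92A3), (1025, 0xB4C5), (1025, 0xD6E7), (1025, 0xF809),
]
RANDOM_PORT_RESOLVER = [
    (49213, 0x1A2B), (60012, 0x3C4D), (51877, 0x5E6F), (58902, 0x7081),
    (62340, 0x92A3), (50055, 0xB4C5), (57631, 0xD6E7), (53210, 0xF809),
]

TXID_SPACE = 1 << 16          # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = 65536 - 1024  # ports 1024..65535 usable as random source ports


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of a list of observed values."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(queries):
    """Summarize how much variation the captured queries show in port and TXID.

    With only a handful of samples the entropy figures are a lower bound on
    what the resolver really uses; the decisive signal is distinct_ports == 1.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    return {
        "distinct_ports": len(set(ports)),
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "port_randomized": len(set(ports)) > 1,
    }


def guess_space(port_randomized):
    """Number of (port, txid) combinations a forged reply must match."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1)


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_RESOLVER), ("random", RANDOM_PORT_RESOLVER)):
        report = assess_resolver(sample)
        print(name, report, "guess space:", guess_space(report["port_randomized"]))
```

Running the block prints the fixed-port resolver with 0.0 bits of port entropy and a guess space of 65536, against roughly 2^32 once the port is randomized.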
Yes, I know: It is US-only at the moment, but it might nevertheless be pretty interesting for you: We announced yesterday that we will launch a subscription-based Office version called Equipt. Here is an extract from the announcement:
Initially code-named "Albany," Microsoft Equipt offers consumers Microsoft Office Home and Student 2007, giving them the latest versions of Word, Excel, PowerPoint and OneNote for their personal and school projects; Windows Live OneCare, the all-in-one security and PC management service; Windows Live tools, such as Windows Live Mail, Windows Live Messenger and Windows Live Photo Gallery so they can connect and share with people they care about most; and Office Live Workspace, a new service from Microsoft that makes it easy to save documents to a dedicated online Workspace and share them with friends and classmates. Anytime a new version of Office or Windows Live OneCare is released, Microsoft Equipt customers will get the version upgrades as part of their subscriptions.
I am looking forward to this offering so that I can use it for my parents and keep them on the latest version everywhere. It will be $69.99 in the US.
Here is the press announcement.