Archive for the 'Software Security' Category
More On Checklists
June 12, 2008
Alex Hutton posted this follow-up on my first post about checklists. He is of course spot on. Checklists, in my humble opinion, can provide a State of Nature, but can't provide a State of Knowledge or a State of Wisdom (nice phrases). They certainly don't do computation or analysis, but what they do is [...]
Counting What Really Counts
June 10, 2008
Adapted from an article by Harry Robinson, Six Sigma test productivity program manager at Microsoft, sent to me by Daisy Huss on the ACE Team.
The original article was published in Interface in December 2001.
Scene one. You are picnicking by a river. You notice someone in distress in the water. You [...]
Patterns & Practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF
June 8, 2008
My cool security friend JD has done it again (in BETA).
http://www.codeplex.com/WCFSecurityGuide
These things are the definitive guides to the topic. Masterpieces!
Download the Improving Web Services Security Guide (BETA)
93.75% of Vulnerabilities Are Undisclosed
February 12, 2008
I just love this pragmatically argued "Back of the Envelope" theory by Pete Lindstrom.
Hello SecureWorld
January 25, 2008
Virtual labs, videos and more
http://www.microsoft.com/click/hellosecureworld/default.mspx
You Have to Admire the Way KP Builds Companies
January 19, 2008
Something makes me smile, something makes me cringe. I am not sure which way is which; either way you have to admire the way Kleiner Perkins builds companies. Is the future of security start-ups all about the bling? (Apparently Perkins now lives near me in East Sussex, BTW!)
The New Face of Cybercrime: Video Here.
Generating a Security Code Review Checklist in Outlook 2007
January 17, 2008
My colleague and legendary hummus eater Alik Levin (that's my plate at lunchtime today, but rumours are that he once ate two) has written an excellent post about how to use the Guidance Explorer to generate a checklist while performing security code reviews.
His first post on his personal blog is here and a more comprehensive [...]
From the Office of "Real World Software Security"
January 10, 2008
When a customer development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface, they replied (and I quote) "we do not use cross site scripting".
If any customer ever asks the single most effective thing to affect a positive change on their software security program I [...]
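The anecdote above turns on a misunderstanding: cross-site scripting is not a feature a team "uses", it is what happens when untrusted input reaches the browser without output encoding. The following is an added example, not code from the original post and not the AntiXSS library itself (AntiXSS is a .NET library; Python's standard `html` module is used here as a stand-in to show the same idea). The attacker string, the `render_*` functions and the display-name rule are constructed for illustration.

```python
import html
import re

# Constructed untrusted input: a "display name" an attacker might submit.
# It tries to break out of both the element body and a quoted attribute.
ATTACKER_NAME = '<script>alert(1)</script>" onmouseover="alert(2)'

# Illustrative allow-list for a display name (assumption: letters, spaces,
# hyphens and apostrophes, 1 to 40 characters). Validation rejects what is
# clearly not a name; it is not a substitute for encoding what gets through.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")


def validate_display_name(display_name: str) -> bool:
    """Input validation step: accept only values matching the allow-list."""
    return DISPLAY_NAME_RE.fullmatch(display_name) is not None


def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted input is interpolated straight into HTML.

    The value lands in two contexts (attribute and element body) with no
    encoding, so the attacker's quote and angle brackets keep their meaning.
    """
    return f'<p title="{display_name}">Hello, {display_name}</p>'


def render_encoded(display_name: str) -> str:
    """Hardened: HTML-encode the value for both contexts before interpolation.

    quote=True also encodes double and single quotes, which is what stops the
    attribute break-out; encoding only <, > and & would not be enough here.
    """
    safe = html.escape(display_name, quote=True)
    return f'<p title="{safe}">Hello, {safe}</p>'


def render_checked(display_name: str) -> str:
    """Validate input, then encode output: the two steps the team was asked for."""
    if not validate_display_name(display_name):
        raise ValueError("display name rejected by allow-list")
    return render_encoded(display_name)
```

Run `render_unsafe(ATTACKER_NAME)` and `render_encoded(ATTACKER_NAME)` side by side: the first emits a live `<script>` tag and a new `onmouseover` attribute, the second emits `&lt;script&gt;` and `&quot;`, which the browser renders as text. `render_checked` shows why both steps matter: a name like `O'Brien` passes validation and still needs its apostrophe encoded before it is placed inside an attribute.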
Security Policies in the Application Development Process
January 9, 2008
New article from John Steer on my team:
Security Policies in the Application Development Process
Developer Highway Code
December 13, 2007
The new version of the Developer Highway Code is now out here.