External News

Browse by Tags

• Critical Infrastructure Protection
• Cybercrime
• Events/Training
• Incidents
• Industry Associations
• Microsoft
• Microsoft Products
• Patch Management
• Policy
• Technology
• trends

• Only 1.91% of PCs are patched!

  Well, honestly, I am not completely clear how statistically relevant this data point is. I just read it in a secunia blog where they published figures of users of their free solution. This is data of the last few weeks and looks into the results of the... Posted Dec 04 2008, 10:59 AM by TechNet Blogs Filed under: Security, Patch Management, Processes

• Security Risks in the Supply Chain?

  At the moment I am travelling through the Gulf in order to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I was thinking about quite some while (but – honestly - do not have... Posted Nov 24 2008, 09:40 AM by TechNet Blogs Filed under: Security, Cybercrime, Processes, Incidents, Critical Infrastructure Protection

• SAFECode released „Fundamental Practices for Secure Software Development”

  SAFECode just released a new paper called Fundamental Practices for Secure Software Development . This is a collaboration of different people from different companies (SAP, EMC, Symantec, Juniper, Nokia and Microsoft). As you probably know, SAFECode is... Posted Oct 08 2008, 02:35 PM by TechNet Blogs Filed under: Security, Microsoft, trends, Processes

• Secure Development: More than „just“ code!

  I just read an interesting post by Michael Howard ( Security is bigger than finding and fixing bugs ). He refers to a statement Google seem to have made on its development practices ( Google shares its security secrets ): In order to keep its products... Posted Aug 18 2008, 04:09 AM by TechNet Blogs Filed under: Security, Processes

• Security through Collaboration

  If you ever heard me keynote an event you know that one of the key messages I have is, that partnerships are necessary in order to be able to protect against today's threats. At Black Hat USA we just announced a new program called Microsoft Active... Posted Aug 06 2008, 09:35 AM by TechNet Blogs Filed under: Security, Microsoft, Policy, Processes, Incidents

• New Information on SQL Injection Attacks

  I just wanted to make sure that you have seen the Advisory ( Rise in SQL Injection Attacks Exploiting Unverified User Data Input ) where we added some additional information. This is especially important as we did not "only" publish guidance... Posted Jun 24 2008, 03:38 PM by TechNet Blogs Filed under: Security, Processes, Incidents

• Money talks in Security – Does it?

  Often, when I talk to security people, they are telling me that if they would have more budget and money available, the problem would be much lower. Now, I have been in Qatar last week, one of the richest countries in my region. If you look at the GDP... Posted Jun 15 2008, 01:42 PM by TechNet Blogs Filed under: Security, Processes

• Security Compliance Management – Solution Accelerator Available

  I wrote about it as we released the Beta. Now, the Solution Accelerator for Security Compliance Management is live and available. It is definitely worth looking at it: Security Compliance Management . Just to quote from the webpage: In today's IT... Posted Jun 07 2008, 08:16 AM by TechNet Blogs Filed under: Security, Processes

• The latest SQL Injection Attacks

  Well, there was quite some chatter over the last few weeks with regards to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these... Posted May 30 2008, 02:39 AM by TechNet Blogs Filed under: Security, Technology, Processes, Incidents

• How to sell security

  I just read this essay by Bruce Schneier: How to Sell Security . This is definitely a must-read in my opinion. Not that it really tells you how to sell it but it helps you to understand the "mechanics" about it. Roger Share this post: Read More... Posted May 27 2008, 04:45 AM by TechNet Blogs Filed under: Security, Processes

• Selling Vulnerabilities and Ethics

  Shoaib just blogged on Hacking & Security Community - Ethical or Unethical? . To start with: I do not claim that I know all about ethics and that there is only one view on ethics but I have a clear view on certain things. I blogged on this theme several... Posted May 18 2008, 02:19 PM by TechNet Blogs Filed under: Security, Cybercrime, Processes

• The Debate on Security Metrics

  Recently I was sitting on a panel which was pretty heterogeneous: There was a representative from IBM (actually from former ISS), customers, a representative from the Open Source community (who actually, during his presentation always said how bad our... Posted May 09 2008, 02:58 AM by TechNet Blogs Filed under: Security, Microsoft, Processes

• How Microsoft IT does Threat Analysis

  I wrote on that already earlier. We make processes and tools available how we internally do Threat Modeling. To make it clear: this has nothing to do with the Security Development Lifecycle but much more with Microsoft's own IT department. The reason... Posted May 05 2008, 10:49 AM by TechNet Blogs Filed under: Security, Events/Training, Processes

• Best Practices for Microsoft PKI & Certificate Management

  You might know Brian Komar. He wrote numerous books on PKI and Certificate Management and he is a well-known speaker at quite some events like TechEd and IT Forum. Now, nCipher organized a Webimar on Best Practices for Microsoft PKI & Certificate... Posted Apr 29 2008, 02:19 PM by TechNet Blogs Filed under: Security, Technology, Microsoft Products, Processes

• The ideal profile of a CSO

  I was in Bratislava this week for an IDC Conference. During these kind of events I often talk to the press as well. Additionally I had this time the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef Vyskoč . You may have a look... Posted Apr 18 2008, 01:00 AM by TechNet Blogs Filed under: Security, Processes

• SDL and End to End Trust

  Last week we published – as you hopefully know – our "End to End Trust" whitepaper. If not, please read my blog post on it J Now, Eric Bidstrup just commented on End to End Trust in the light of the Security Development Lifecycle (or better: the other... Posted Apr 17 2008, 08:48 AM by TechNet Blogs Filed under: Security, Microsoft, Processes

• The Death of the DMZ = The Death of the Castle

  Since quite some time we are talking about the "Death of the DMZ". This seems a little bit provocative but I am convinced that it is coming very closer to the truth. Do not get me wrong: I do not think that you should replace your firewall with routers... Posted Apr 01 2008, 07:10 AM by TechNet Blogs Filed under: Security, Processes

• A New Model to Taylor your Testing

  I guess you know the problem: You ran a development project and have to test the code (if the testing phase did not already have to be cut significantly as you ran out of time – too often seen with projects at customer sites…). A German research now has... Posted Mar 15 2008, 05:01 AM by TechNet Blogs Filed under: Security, Processes

• Oracle’s answer with regards to Security Patches

  You probably remember my post regarding Oracle DBAs rarely install patches . It was about a study where Sentrigo claimed (after having asked 305 people) that more than 2/3 of Oracle DBAs do not install the patches provided by Oracle. Now Oracle recently... Posted Feb 04 2008, 09:42 AM by TechNet Blogs Filed under: Security, Policy, Processes, Incidents

• CERT’s Secure Coding Standards

  Something that might be worth looking at: Carnegie Mellon's CERT just published two Secure Coding Standards: One for C++ and one for C . I had no chance to look into this and understand how this compares to our Writing Secure Code but it is definitely... Posted Jan 24 2008, 02:44 AM by TechNet Blogs Filed under: Security, Processes

• Oracle DBAs rarely install Patches

  Wow, this is scary: A company called Sentrigo just published a study about how DBAs patch Oracle databases . Even though you could challenge their findings (they asked only 305 people) and therefore only shows half the truth, it is really scary (I quote... Posted Jan 15 2008, 02:43 AM by TechNet Blogs Filed under: Security, Processes

• There it is – the security Silver bullet

  I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair: There is an article... Posted Jan 12 2008, 05:43 AM by TechNet Blogs Filed under: Security, Processes

• Analysis of recent vulnerabilities

  Michael Howard just wrote a post about recent vulnerabilities of third-party applications he looked into. This is pretty interesting as it shows certain challenges of current processes (e.g. what do you do with third-party software you rely on?): Recent... Posted Jan 05 2008, 02:21 PM by TechNet Blogs Filed under: Security, Technology, Processes

• Common Criteria and answering the “real” questions

  It seems that I am not yet gone J . Eric Bidstrup, a colleague of mine, wrote a great blog post about Common Criteria, where it does a pretty good job and where it fails. Basically he claims – and I could not agree more – that the customer "only" wants... Posted Dec 28 2007, 06:08 AM by TechNet Blogs Filed under: Security, trends, Processes, Industry Associations

• Teach a Man to Fish

  I just read a pretty good article that goes definitely into the direction I am trying to work with the different communities we are in touch. Even though technology is a key part of any security solution, the user is key and explaining the user the "why... Posted Nov 26 2007, 05:37 AM by TechNet Blogs Filed under: Security, Policy, Processes