Vuln Hunt: Find the Security Vulnerability Challenge


There’s a saying that many people have heard, “If it was a snake, it would have bitten you.” More often than not, that’s the case with software vulnerabilities. A security-class bug can be so subtle in a program that human review, static code analysis and other sophisticated tools might not find it. Yet at the same time, finding that vulnerability can be critical, especially if it is exploitable. During …

SAFECode on Confidence: One Size Does Not Fit All

In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of the trustworthiness of acquired software. How a customer gains confidence in acquired software is a question developers are frequently asked. The latest SAFECode blog discusses three approaches that a …

Introducing Microsoft Threat Modeling Tool 2014


Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – Microsoft Threat Modeling Tool 2014. It’s available as a free download from the Microsoft Download Center. Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more …

SDL Process Templates for Visual Studio Team Foundation Server 2013


Today, we are excited to announce the general availability of a new version of the SDL process templates:

- Microsoft Solutions Framework (MSF) for Agile 2013 plus Security Development Lifecycle (SDL)
- Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) 2013 plus Security Development Lifecycle (SDL)

This version of the SDL Process Templates is specific to the Microsoft Security Development Lifecycle version 5.2. The SDL Process Templates automatically integrate policy, process and tools associated …

Life in the digital crosshairs: the untold story


To mark the 10-year anniversary of the creation of the Security Development Lifecycle, we wanted to tell the behind-the-scenes story of how the SDL came to be. Back in 2004, Microsoft decided that if we were going to succeed at building trust with our customers, security could not be an afterthought when developing our products and services. So how do you get a large organization like Microsoft to prioritize security …

Secure Development Is Much Easier Than You Think

Secure software development is something we believe is absolutely critical to helping create safer, more trusted computing experiences for everyone. So much so that we invest in providing free tools, resources and guidance to help organizations adopt an SDL process, and we are actively involved in evangelizing these resources to the security community. However, while these resources have existed since 2008, our Trust in Computing study showed …

!Exploitable crash analyzer version 1.6

On Wednesday, May 1st, !Exploitable crash analyzer version 1.6 became available. Source code and binaries can be found at For those who may be unfamiliar with the tool, !Exploitable (pronounced “bang exploitable”) is a Windows debugging (WinDbg) extension that provides automated crash analysis and security risk assessment. Its primary use is in evaluating crashes found by fuzzing. The first new feature involves changes to the stack hashing portion of …

Microsoft SDL Conforms to ISO/IEC 27034-1:2011

Steve Lipner here. This morning Scott Charney announced in his keynote at the Security Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text of this announcement was as follows: Microsoft has used a risk-based approach to guide software security investments through a program of continuous improvement and processes since the Security Development Lifecycle (SDL) became a company-wide …