In the more than nine years since Bill Gates’s Trustworthy Computing email kicked off Microsoft’s comprehensive, company-wide security initiative, the company has not only committed a tremendous amount of money and resources to the project but also has been quite open and public about the process. This week, Microsoft released its first major report on the progress and changes in the Security Development Lifecycle program, detailing not only its progress but also the things that still need to be improved.

Microsoft Corp. pours more money into software security than any other major vendor, both because it has to and because it can. Yet for all the investment in security, the number of vulnerabilities discovered in the company’s products has increased over the years, prompting questions over whether the company has reached the limits of its ability to debug software.

From Microsoft’s SDL blog (Chris Weber)
I’m writing to tell you about our new Watcher tool for web-app security auditing and testing. Watcher is a plug-in for Eric Lawrence’s Fiddler proxy aimed at helping developers and testers find security issues in their web-apps fast and effortlessly. Because it works passively at runtime, you have to drive it by opening a browser and cruising through your web-app as an end user. For the developer, the tool can provide a quick sanity check, so you can find problems and hot-spots that warrant further attention. In the hands of a pen-tester it can assist in finding issues that lead to other attacks like XSS and CSRF.
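To make the "passive at runtime" idea concrete, here is a small Python auditor that works the way such a proxy plug-in does: it never sends traffic of its own, it only inspects request/response pairs that a browser session has already produced and flags hot-spots for a human to follow up. This is an added example written for this page; it is not Watcher's code (Watcher is a .NET plug-in for Fiddler), and the particular checks, the `Exchange` record and the sample traffic below are all constructed for illustration rather than taken from Watcher's actual check list.

```python
"""Passive web-app auditing over captured traffic (added example, not Watcher's code).

Each Exchange is one request/response pair as a proxy would have recorded it.
The checks only read that data; nothing is sent to the target."""

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qsl


@dataclass
class Exchange:
    url: str
    status: int
    headers: dict                                  # response headers, lowercase names
    cookies: list = field(default_factory=list)    # raw Set-Cookie header values
    body: str = ""                                 # decoded response body


def check_cookies(ex):
    """Session cookies without HttpOnly are readable by injected script;
    cookies set over HTTPS without Secure leak on the next http:// request."""
    findings = []
    for raw in ex.cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if ex.url.startswith("https://") and "secure" not in attrs:
            findings.append(f"cookie {name} set over HTTPS without Secure")
    return findings


def check_headers(ex):
    """Header hygiene on HTML responses only; static assets are skipped."""
    findings = []
    ctype = ex.headers.get("content-type", "")
    if ctype.startswith("text/html"):
        if "x-frame-options" not in ex.headers:
            findings.append("HTML response without X-Frame-Options (clickjacking)")
        if "charset=" not in ctype.lower():
            findings.append("text/html without explicit charset")
    return findings


def check_reflection(ex):
    """Flag query parameter values that reappear verbatim in an HTML body while
    carrying characters that should have been encoded: a classic XSS hot-spot.
    This is an indicator for manual follow-up, not proof of exploitability."""
    findings = []
    if not ex.headers.get("content-type", "").startswith("text/html"):
        return findings
    for key, val in parse_qsl(urlparse(ex.url).query):
        if len(val) >= 4 and val in ex.body and re.search(r"[<>\"']", val):
            findings.append(f"parameter {key!r} reflected unencoded in HTML")
    return findings


def check_forms(ex):
    """Flag POST forms that carry no hidden field at all. Not proof of CSRF
    (the token may travel in a header), but a spot that warrants attention."""
    findings = []
    for tag, inner in re.findall(r"(<form\b[^>]*>)(.*?)</form>", ex.body, re.I | re.S):
        if re.search(r"method=['\"]?post", tag, re.I) and \
                not re.search(r"type=['\"]?hidden", inner, re.I):
            findings.append("POST form without a hidden (anti-CSRF) field")
    return findings


CHECKS = (check_cookies, check_headers, check_reflection, check_forms)


def audit(exchanges):
    """Run every passive check over every captured exchange.
    Returns {url: [finding, ...]} for URLs that produced at least one finding."""
    report = {}
    for ex in exchanges:
        found = [f for check in CHECKS for f in check(ex)]
        if found:
            report[ex.url] = found
    return report


# Constructed sample traffic: one reflective search page and one static script.
SAMPLE = [
    Exchange(
        url="https://shop.example/search?q=<b>x</b>",
        status=200,
        headers={"content-type": "text/html"},
        cookies=["session=abc123; Path=/"],
        body="<html><body>Results for <b>x</b>"
             "<form method='post' action='/buy'><input name='sku'></form>"
             "</body></html>",
    ),
    Exchange(
        url="https://shop.example/static/app.js",
        status=200,
        headers={"content-type": "application/javascript"},
        body="console.log('hi')",
    ),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE).items():
        print(url)
        for f in findings:
            print("  -", f)
```

Run it as-is to see the search page flagged on all four fronts (cookie flags, headers, reflected `q`, token-less POST form) while the JavaScript asset produces nothing. In real use the `SAMPLE` list would be fed from a proxy's session log, and, as with any passive tool, every finding is a pointer for a developer or tester to verify by hand, not a confirmed vulnerability.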

By Jeremiah Grossman, White Hat Security
Someone begins watching a basketball game and asks who is winning. You might helpfully answer, “Lakers up 76 to 64.” Imagine if instead you said, “The Lakers are 60% from the field, have 12 rebounds, are 8 of 10 from the line, and the average height of the starting lineup is 6’7.” Sure, these are important statistics, but they certainly do not answer the question. (Inspired by Richard Bejtlich) The person listening would probably think you were trying to be funny, a jerk, or perhaps both.
Yet, this is how the Web security industry responds when businesses ask about the security of their websites. “We identified 21 security defects including eight Cross-Site Scripting and four SQL Injection, we are improving our SDL processes, and most of our programmers have been through security training.” Again, important metrics, but still not answering the most important question — how well defended is a website from getting hacked.
