Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Browse by Tags

Related Posts
  • Blog Post: Conficker and Microsoft Anti-Malware Software

    I want to add a few things as it is still not over: More and more enterprises are still hit. My last blog post showed you what you can do but I wanted to add two resources and a comment. The comment first: There were some discussions about our Anti-Malware solution. We had protections in all our products...
  • Blog Post: Oracle DBAs rarely install Patches

    Wow, this is scary: A company called Sentrigo just published a study about how DBAs patch Oracle databases . Even though you could challenge their findings (they asked only 305 people) and therefore only shows half the truth, it is really scary (I quote): When asked: "Have you installed the latest...
  • Blog Post: SDL and End to End Trust

    Last week we published – as you hopefully know – our "End to End Trust" whitepaper. If not, please read my blog post on it J Now, Eric Bidstrup just commented on End to End Trust in the light of the Security Development Lifecycle (or better: the other way around). It might be interesting for you to...
  • Blog Post: Cloud computing providers: Clueless about security?

    To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs. Recent incidents made me doubt: Amazon not only having significant downtime but in the same time losing customer data. Sony’s game network being significantly compromised. This is definitely not...
  • Blog Post: Security Advisory on the recent Internet Explorer Vulnerability

    I guess you might have seen it by now but if not, please make sure you read and understand the material available: This night we released a Security Advisory on a Vulnerability in Internet Explorer Could Allow Remote Code Execution . The reason for that is that our investigations have shown that this...
  • Blog Post: Look at the Enhanced Mitigation Evaluation Toolkit

    Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: Announcing the release of the Enhanced Mitigation...
  • Blog Post: The Value of Operating System Comparisons

    Since Blaster/Slammer, namely since the start of Trustworthy Computing I am working at Microsoft in a publically facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a...
  • Blog Post: Identity in the Cloud

    Kim Cameron, one of our key identity architects had an interesting presentation on identity in the cloud and a corresponding interview. Both are worth looking at if you are planning to move into the direction of the cloud. Especially as it is definitely one of the key challenges: This is Kim's presentation...
  • Blog Post: Want to introduce the Security Development Lifecycle? Play a Game

    I was recently pinged by a customer asking for the “real” version of this game. It was distributed at RSA in the US and I do not have any anymore – but you can still print it yourself. So, if you want to introduce SDL or if you introduced it already and want to re-enforce the message, look at that Elevation...
  • Blog Post: We Need Solid and Strong Transparent Processes for the Cloud

    This morning I was reading an article called Google seeks to assure customers on cloud security practices on ComputerWeekly. I had to read this – obviously . It references a paper written by the Google Security Officer called Security Whitepaper: Google Apps Messaging and Collaboration Products...
  • Blog Post: Spying on Smartphones

    I was recently at an event for Law Enforcement where one of the discussion points was how critical it is to protect Smartphones – actually it was more about how easy to would be to claim that my Smartphone was hacked and how proof can be found. That you should run Anti-Malware software on phones, is...
  • Blog Post: Selling Vulnerabilities and Ethics

    Shoaib just blogged on Hacking & Security Community - Ethical or Unethical? . To start with: I do not claim that I know all about ethics and that there is only one view on ethics but I have a clear view on certain things. I blogged on this theme several times already and made my points pretty clear...
  • Blog Post: Ten Immutable Laws Of Security (Version 2.0)

    You might have known the 10 Immutable Laws Of Security since quite a while. It is kind of the “collected non-technical wisdom” of what we see in security respeonse being it in Microsoft Security Response Center or in our Security Product Support. There is now a version 2, which is still as important...
  • Blog Post: The Impact of the Downturn (part 2)

    Just a brief one: I wrote an article for Infosecurity which was just published in the latest version covering the economic downturn as well. It is called Time to Step Up and can be found on page 45 of the latest edition . Roger
  • Blog Post: Support for Law Enforcement and COFEE

    Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor. Let me give you some information on COFEE and put it into the proper context. I am personally convinced that every company...
  • Blog Post: Secure Development: More than „just“ code!

    I just read an interesting post by Michael Howard ( Security is bigger than finding and fixing bugs ). He refers to a statement Google seem to have made on its development practices ( Google shares its security secrets ): In order to keep its products safe, Google has adopted a philosophy of 'security...
  • Blog Post: This is about processes: Google Chrome Vulnerable to Carpet Bombing

    This is the kind of stuff I hate to see – definitely within Microsoft but to a similar extent within competitors. I think we have a joint mission: Make the Internet a safer (and more trustworthy) place. There was quite some noise yesterday around Google Chrome. And a lot of noise about "safer browsing...
  • Blog Post: Behind the Curtain of Second Tuesdays: Challenges in Software Security Response

    You might know about Bluehat, which is an internal security conference we run several times an year. Some of the presentations we record and make them publically available. There is a really good one on the Microsoft Security Response Center. Dustin (the presenter) blogged on it Behind the Curtain of...
  • Blog Post: The Debate on Security Metrics

    Recently I was sitting on a panel which was pretty heterogeneous: There was a representative from IBM (actually from former ISS), customers, a representative from the Open Source community (who actually, during his presentation always said how bad our security is) – well, and me. In order to have some...
  • Blog Post: Stealing the Empire State Building in 90 Minutes

    You do not trust e-Business? Why do you trust “normal” business then? Read this: Newspaper 'Steals' Empire State Building in Just 90 Minutes Roger
  • Blog Post: What can you do if you are a victim of e-crime?

    I think that there is a very good example of how a platform could be offered for victims of cyber crime. There are often questions around: What are my rights? What can I do if something bad happens? Who is here to help?... www.e-victims-org offers answers to a lot of questions like those and offers...
  • Blog Post: Common Criteria and answering the “real” questions

    It seems that I am not yet gone J . Eric Bidstrup, a colleague of mine, wrote a great blog post about Common Criteria, where it does a pretty good job and where it fails. Basically he claims – and I could not agree more – that the customer "only" wants to know whether the operating system "is safe"....
  • Blog Post: New Information on SQL Injection Attacks

    I just wanted to make sure that you have seen the Advisory ( Rise in SQL Injection Attacks Exploiting Unverified User Data Input ) where we added some additional information. This is especially important as we did not "only" publish guidance but tools as well: Detection – HP Scrawlr (a free scanner...
  • Blog Post: Security Risks in the Supply Chain?

    At the moment I am travelling through the Gulf in order to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I was thinking about quite some while (but – honestly - do not have an answer yet): How do you manage the risks in your...
  • Blog Post: Microsoft Security Intelligence Report – What it means for EMEA

    “Unfortunately” I have been on vacation when we released the Security Intelligence Report last week. Nevertheless I would like to take the opportunity and look at it more from a EMEA perspective. One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a...