Developer Highway Code (free ebook)

To build software that meets your security objectives, you must integrate security activities into your software development lifecycle. This handbook captures and summarises the key security engineering activities that should be an integral part of your software development processes.
These security engineering activities have been developed by Microsoft patterns & practices to build on, refine and extend core lifecycle activities with a set of security-specific activities. These include identifying security objectives, applying design guidelines for security, threat modelling, security architecture and design reviews, security code reviews and security deployment reviews.

How Cybercriminals Steal Money

ratproxy

Ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Microsoft Security Compliance Management toolkit

In today’s IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess the compliance of a security baseline, and demonstrate that compliance requirements have been met.

To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides remediation recommendations to address security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.

Microsoft Security Intelligence Report

Questa edizione del Microsoft Security Intelligence Report è focalizzata sui risultati ottenuti nella seconda metà del 2007 (da luglio a dicembre) e si fonda sui dati pubblicati nelle precedenti versioni del report. Utilizzando i dati derivati da oltre 450 milioni di utenti Windows e alcuni dei servizi online più attivi della rete, il report fornisce una prospettiva approfondita sulle tendenze nel campo delle vulnerabilità del software e nel panorama del software dannoso e indesiderato, oltre che un aggiornamento sulle tendenze degli exploit che sfruttano le vulnerabilità del software. L’ambito di questa quarta edizione del report è cresciuto per includere un focus sulla privacy e le segnalazioni di violazioni della protezione, e una panoramica sul lavoro di Microsoft in collaborazione con le forze dell’ordine in ogni parte del mondo, a supporto della lotta contro i criminali della rete.

Microsoft Security Assessment Tool 3.5

Il Microsoft Security Assessment Tool 3.5 è la versione aggiornata dell’originale Microsoft Security Risk Self-Assessment Tool (MSRSAT), rilasciato nel 2004, e del Microsoft Security Assessment Tool 2.0 rilasciato nel 2006. Le minacce alla sicurezza dei sistemi hanno subito una forte evoluzione da allora. Per questo, la versione attuale include nuove domande e risposte per offrire agli utilizzatori di MSAT uno strumento completo che favorisca la comprensione del panorama di riferimento delle minacce alla sicurezza cui l’organizzazione è esposta.

Il tool adotta un approccio olistico che permette di valutare il livello di sicurezza dell’organizzazione esaminandola dal punto di vista delle persone, dei processi e delle tecnologie. I risultati vengono poi confrontati con delle guide di riferimento e con suggerimenti per la mitigazione del rischio fornendo anche collegamenti e informazioni ad approfondimenti per singolo settore di industria.
Queste risorse possono essere di aiuto nell’identificare strumenti e metodi specifici che possano cambiare l’approccio alla sicurezza dell’ambiente IT.

All Your iFrame Are Point to Us

clipped from googleonlinesecurity.blogspot.com

It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed. Our research paper is currently under peer review, but we are making a technical report [PDF] available now. Although our technical report contains a lot more detail, we present some high-level findings here:

Firewall?