Security Digest #10

All the summer's software security trivia and miscellanea are here!

Symantec Acquires PGP

This isn't a business blog. and this isn't exactly up-to-the-minute news - the agreement having been announced at the end of April, together with the simultaneous integration of GuardianEdge - but I do think that the news of Norton punters Symantec's acquisition of PGP Corporation merits a mention.

It is of particular interest to those in the security business who remember the very first days of Pretty Good Privacy (PGP), its inception in 1991 at the fingertips of Phil Zimmermann. The first widely available public key cryptography software, it led to a criminal investigation of Phil by the US Customs Service; at that time, strong cryptography was treated as munitions by the arms trafficking export controls in force. He formed PGP Inc when the government finally dropped this case in 1996. To this one man, we all owe a debt of gratitude for our easy access to decent cryptography today.

There have been acquisitions of PGP before; by Network Associates in '97, then by PGP Corp in 2002. Now the bigger fish gets swallowed by an even bigger, aggressively acquisitive one.

Windows Live™ and the SDL

Microsoft's web application development organisations use the SDL just as much as the next guy, and the Windows Live™ team are out to prove that, in the run-up to their Wave 4 release, with the latest addition to the SDL web portal's published internal SDL case studies:

Applying the Security Development Lifecycle at Windows Live™ (488KB docx)

The partition of mitigations is interesting. Windows Live™ comprises two distinct types of app development. Namely: desktop clients such as Messenger, traditionally vulnerable to overflows of integer arithmetic and buffer sizes; and hosted web apps like Hotmail, which by contrast see plenty of cross-site scripting and request forgeries, open redirects and JSON hijacks.

This paper details the lessons learned by the team, as they adopted and integrated, even as they discovered and developed, the latest SDL requirements.


Security And The Cloud

Subject says it all, and that subject is SDL's own Michael Howard. Who also says,

We wrote this paper because no matter how many defenses we add to Windows Azure, it is important that people building software or hosting services in “The Cloud” understand that they must also build software with security in mind from the start.

The relevant paper is here (209KB docx).

Well I'm off to ice another round of Blue Lagoons, see you next time.