Welcome to Thycotic Development Blogs

Browse by Tags

All Tags » Security
Showing page 1 of 2 (16 total posts)
  • I'd like to report a negligence

    I've always been interested in software security, and it's always been a number one priority for me. Software security is really honoring the trust of the people that use your software. I've also been fortunate to be the lead developer of a security product. I myself also tend to keep an eye on the security of other products. We ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on April 8, 2008
  • .NET 2.0 and FIPS (again)

    A while back I blogged about how .NET 2.0 threw exceptions if your environment was configured to force FIPS through the machine's security policy. Starting in .NET 2.0 SP1, there is now a way to disable this through the config file. Check out this blog to see the full ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on March 16, 2008
  • Secret Server 4.1 goes live!

    The team thinks it should be 5.0 since the new features were pretty huge! :)  The full release notes are here.  The new version includes role based security which allows you to slice and dice the access to various features across your organization.  We also have a new feature that allows you to automatically launch Remote Desktop ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on March 15, 2008
  • Clash

    Sometimes, I tend to butt heads with a co-worker. Overall, we round each other off nicely (or perhaps I am butting heads there too?) Recently, we got into a discussion about security. What we were trying to accomplish was passing information securely over an (otherwise) unsecure protocol, HTTP. My immediate answer was to use a public key ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on March 10, 2008
  • Bad password requirements

    This morning I signed up with a major credit card company website.  Much to my surprise I was greeted with this requirement while choosing a password: Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on January 24, 2008
  • Symmetric Salting - remember that salt goes with more than just hash

    If you understand hashing and salting then skip the next paragraph. Stored passwords for logins should be hashed and salted.  Hashing is a one way mechanism to produce a practically unique value based on the given input.  This is useful since we can store the hash (and validate the password whenever needed) without storing the actual ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on November 14, 2007
  • .NET 2.0 and FIPS

    Starting in the .NET Framework 2.0, some of the Cryptographic Classes no longer work if FIPS compliance is forced on the Server. Currently, none of the Managed hashing classes will work on a FIPS enabled server. Attempting to use those results in the exception: "InvalidOperationException: This implementation is not part of the Windows ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on August 10, 2007
  • Secret Server 3.1 has shipped.

    You can download it here.  The release notes are here. It was an aggressive schedule to turn these features from proposals after TechEd in June to shipped by the end of July.  This was all achieved with a team of four developers (five if you count my occasional 10 lines of code on this project!), Test Driven Development, Pair ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on July 31, 2007
  • Shipping Software ... Secret Server 3.1 Sneak Peek

    Shipping software is one of the most exciting times for a development team but this new release is easily the most anticipated version of Secret Server to date by our customers.  Secret Server 3.1 will feature the two most requested features from customers who visited our booth at TechEd in June 2007: full Active Directory synchronization ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on July 29, 2007
  • One Step Ahead (Or Behind?)

    I recently had a discussion with a friend about security. His claim was, "I am always one step ahead of attacks". I was a little taken aback by that, since the opposite is probably the case. Attackers are always one step ahead of us. They are the ones that usually force us to come up with cutting edge technology for security. The best we ...
    Posted to Thycotic Bloggers (Weblog) by Anonymous on July 6, 2007