Other Resources
Security Developer Center
Cryptography Topics on MSDN

Follow us on Twitter

MSDN Forums

Microsoft technical communities provide opportunities to interact with Microsoft employees, experts, and your peers in order to share knowledge and news about Microsoft products and related technologies. Ask questions and get answers in Microsoft's technical forums, devoted to many of Microsoft's IT professional- and developer-focused products and technologies.

Security for Windows Azure
SQL Server Security
Application Security for Windows Desktop
Microsoft Security Development Lifecycle (SDL) Forum


The blogs listed below are written by Microsoft employees who have insight into the Microsoft security APIs and technologies. They are a good resource for information on subjects that are not covered in the API documentation.

The Security Development Lifecycle Blog

MSDN Magazine Articles

May 2009
A Conversation About Threat Modeling
Listen in on a chat between a developer and security pro that delves into some of the major Security Development Lifecycle (SDL) requirements we impose on product teams here at Microsoft
November 2008
Threat Models Improve Your Security Process
This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks.
May 2008
Penetration Testing
In this installment of Security Briefs, James Whittaker explains how the rules and the pitfalls of penetration testing so you'll know how to avoid them.
July 2007
Applying Cryptography Using The CNG API In Windows Vista
Cryptography Next Generation (CNG) is meant to be a long-term replacement for the CryptoAPI, providing replacements for all of the cryptographic primitives it offered.
November 2005
A Look Inside the Security Development LifeCycle at Microsoft
Michael Howard outlines how to apply the SDL to your own software development processes.
November 2004
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users
In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.
November 2003
Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code
Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.
Review It: Expert Tips for Finding Security Defects in Your Code
Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like "password", "secret," and other obvious but common security blunders, can be searched for and remedied.
August 2003
Security Briefs: Hashing Passwords, The AllowPartiallyTrustedCallers Attribute
Keith Brown describes how yo can hash passwords when you want to store them in your own custom database, and when to use the AllowPartiallyTrustedCallers attribute on your assembly.
May 2003
Virus Hunting: Understand Common Virus Attacks Before They Strike to Better Protect Your Apps
Developer's machines can often be more vulnerable to viruses than the average corporate user because of their more frequent access to remote machines and shares, and the differing administrative privileges they maintain across multiple machines. Reliance on antivirus software is fine as a first line of defense, but you need a basic arsenal of skills for securing the executables on your system and coping with viruses on your own. This article reviews proactive methods you can use to defend yourself against malicious executable code in resources, component libraries, scripts and macros, as well as how to avoid a handful of other potential vulnerabilities.
April 2003
Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003
Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.
March 2003
Talking To... Michael Howard Discusses the Secure Windows Initiative
The growth of interconnected computers in recent years has pushed security concerns to the forefront of development and application design. The Microsoft effort, dubbed the Secure Windows Initiative (SWI), focuses on securing new and legacy code.
April 2001
Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates
Security is one of the most important factors in the future growth of e-businesses. Making sure that communications remain secure between customers and the Web server is a critical issue. Secure Sockets Layer (SSL) is the standard that secure Web sites are built upon today. This article presents an overview of SSL-based Web security, explaining such fundamental concepts as digital certificates and their distribution, encryption, and the proper configuration of Microsoft Internet Information Services (IIS). Acquiring a certificate, installing it, and configuring IIS for SSL are outlined in a step-by-step process.
The Security Support Provider Interface Revisited
Session keys can be used to encrypt messages or to simply affix a message authentication code (MAC) to allow tamper detection and authentication of cleartext messages. This article show the SSPI APIs you need to call, how to use the SSPI workbench utility to send encrypted or signed messages, and how SSPI can be used to validate passwords. It describes a few experiments that you can try with the workbench that will help you explore how Kerberos, NTLM, and SPNEGO are implemented in Windows.
August 2000
Explore the Security Support Provider Interface Using the SSPI Workbench Utility
This article describes the Security Support Provider Interface (SSPI) and a SSPI Workbench utility, to help you learn about SSPI and explore the various authentication protocols that Microsoft Windows 2000 supports.
May 2000
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utillity
This article describes how Windows 2000 implements delegation of credentials using Kerberos.
March 2000
Exploring Handle Security in Windows
This article describes how security works with handles in the face of interprocess communication, impersonation, handle inheritance, and the powerful DuplicateHandle API.
Encrypt It: Keep Your Data Secure with the New Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. This article presents an overview of AES and explains the algorithms it uses.


Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, December 2002)
Writing Secure Code for Windows Vista by Michael Howard and David LeBlanc (Microsoft Press, April 2007)

Web pages

Technical Articles

See Also


Other Languages

This article is also available in the following languages:

Italian (it-IT)

Deutsch (de-DE)

Brazilian Portuguese (pt-BR)