Port 25: The Open Source Community at Microsoft : Security, Dev Center

Web Sandbox Source Now Available Under Apache License 2.0

Peter Galli — Tue, 27 Jan 2009 02:48:00 GMT

Microsoft has released more source code under an OSI-approved license: this time it has made the source code for the Web Sandbox runtime available under the Apache 2.0 open source license.

The Web Sandbox project explores how to advance the web platform to improve security, isolation, quality of service and extensibility capabilities for web developers and website users.

More information on the licensing details, as well as comprehensive documentation for experimenting and integrating with the Web Sandbox, can be found here.

But, while developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development.

The Web Sandbox was created in response to limitations found in the current web platform, and is designed to explore potential solutions. Having a more secure and robust architecture as a foundational building block will help drive the next wave of Web innovation.

The Sandbox is a framework that works on most modern browsers that support the"ECMA-262, 3^rd Edition" (JavaScript) standard, and provides the same features in all modern web browsers. No browser add-ons or changes are required to leverage this technology. Beyond security, the Web Sandbox normalizes the different browsers and provides consistent W3C DOM support.

Since the initial release of Web Sandbox at PDC 2008, the team has received a lot of useful feedback from the web security community, and has also been collaborating with a number of customers, partners and the standards communities, all of whom want to adopt the technology when it is ready.

The goal? An open and interoperable standard that will help foster interoperability with complementary technologies like script frameworks and drive widespread adoption of the Web Sandbox.

This move is good news for Microsoft and the open source communities. But, it is important to note that while an Apache license is being used, the Web Sandbox project is not an Apache Software Foundation project and is not sponsored or endorsed by the ASF.

Microsoft does, however, already have an active relationship with the ASF. In fact, last year the company announced it had become a sponsor of the ASF so as to help enable the Foundation pay administrators and other support staff so that its developers can focus on writing great software.

Sam Ramji, the senior Director of Platform Strategy at Microsoft, also delivered a keynote address at ApacheCon in New Orleans last November.

Microsoft's Interoperability Technical Strategy Team already participates as a code contributor to the Apache Stonehenge incubator project; the company has also contributed a patch to ADOdb, a popular data access layer for PHP used by many applications and which is licensed under the LGPL and BSD; while Microsoft's Powerset team contributes to HBase, an open-source, column-oriented, distributed database written in Java.

Black Hat US 2006: Networking & Heap Manager Updates with the Core Windows Team

jcannon — Wed, 02 Aug 2006 14:38:00 GMT

At this year's Black Hat Security Conference, several engineers on the Windows Networking & Security teams will be presenting <for the first time, ever> on a number of technical topics, ranging from the new improvements made to the reliability & performance of the OS Heap Manager, to the NetIO stack—a re-architected and re-written TCP/IP stack. Our discussion on this podcast has three distinguished engineers discussing their work with Sam, including:

Noel Anderson - Group Manager on the Windows Wireless Team (IP Stack for Bluetooth & Wi-Fi)
Adrian Marinescu - former member of the Windows Kernel team, LPC, Object Manager & Heap Manager. This past year, Adrian has focused his work on Vista's Heap Manager.
Aboldate Gbadegesin - Architect on Core Networking on Windows (TCP/IP & related protocols, tools & components)

We'll cover their respective areas of work & discuss the topics being presented at Black Hat for those that cannot attend.

Related Links:
- Direct Link to MP3

Do many eyes make a bug shallow?

jcannon — Fri, 30 Jun 2006 18:43:00 GMT

Sam interviews Mike Howard, Senior Security PM at Microsoft around security in the operating system and how we think about & engineer security defenses into an operating system. What are the myths around security - do many eyes make a bug shallow? How do you protect and engineer against attack types that haven't been invented yet?

Video: Do many eyes make a bug shallow?

Also worth checking out: Mike just published a book - Security Development Lifecycle - that explains what the SDL looks like, how it is applied through the engineering process at Microsoft and how others can adopt & enhance their own development processes.

Related Links:
- Learn more at the upcoming Black Hat Conference on security processes - a couple folks will from MS will be presenting.
- Check our Mike's security blog.
- Check out the new Security Development Lifecycle book (Amazon)
- TechNet Security Center

Alternative Video Format:
- Download in MPEG4