

Thirty Years of Application Security with Michael Howard
Aug 13, 2025
Michael Howard, Senior Director at Microsoft Red Team with over 33 years in security, dives into the evolution of application security. He explores the role of Red Teams in identifying vulnerabilities by simulating black hat attacks. The discussion spans improved security tools, the significance of integrating security into agile development, and the need for user-friendly solutions. They also touch on the challenges of memory-safe programming, historical security failures, and the critical impact of human behavior on cybersecurity.
AI Snips
Red Team Operates Like Real Attackers
- Michael Howard describes the Microsoft Red Team as a group treated like real attackers with one objective: achieve the goal by any means.
- He explains the team reports findings and converts them into internal guidance to improve security.
Always Validate Inputs And Avoid Concatenation
- Avoid building SQL by string concatenation and use parameterized queries to prevent injection.
- Treat a system as secure only if it does what it's supposed to do and nothing else.
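The two bullets above can be shown side by side in code. The following is an added example, not code from the episode or from Microsoft: it builds a constructed in-memory SQLite table (the table name, the rows and the `compare` helper are all assumptions for illustration) and runs the same lookup once by string concatenation and once with a bound parameter. The point it makes is the second bullet: the concatenated query breaks on a legitimate name containing an apostrophe and returns rows it should not for input that changes the query's meaning, while the parameterized query does exactly one thing in every case.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical, not from the episode).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),  # legitimate name containing a quote
]


def build_db():
    """Create a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # Even the fixture uses placeholders: the values never touch the SQL text.
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """The pattern the episode warns against: input spliced into the SQL string.

    The database cannot tell which characters are the query and which are data,
    so anything in `username` becomes part of the statement.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The recommended pattern: fixed SQL text, value bound as a parameter.

    The statement shape is decided before the value is seen; the driver passes
    `username` purely as data, whatever characters it contains.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and report what each one did.

    Returns a dict with the rows each variant produced; if the concatenated
    statement is no longer valid SQL, its entry is the string 'SQL syntax error'.
    """
    conn = build_db()
    try:
        concatenated = lookup_concatenated(conn, username)
    except sqlite3.OperationalError:
        concatenated = "SQL syntax error"
    parameterized = lookup_parameterized(conn, username)
    conn.close()
    return {"concatenated": concatenated, "parameterized": parameterized}


if __name__ == "__main__":
    # A normal name, a name with an embedded quote, and a value that rewrites
    # the WHERE clause when concatenated. Only the parameterized column does
    # "what it's supposed to do and nothing else" on all three.
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        result = compare(value)
        print(f"input={value!r}")
        print(f"  concatenated : {result['concatenated']}")
        print(f"  parameterized: {result['parameterized']}")
```

Running it shows the concatenated lookup failing outright on `o'brien` and returning every row for the third input, while the parameterized lookup returns exactly the one matching row, or nothing, each time. Rejecting input because it contains a quote is not the fix; separating code from data with placeholders is, and it also handles the legitimate apostrophe correctly.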
New Code Should Favor Memory Safety
- Microsoft mandates new code should use memory-safe languages unless justified otherwise.
- Michael prefers C# for new code and Rust when GC unpredictability is unacceptable.