Microsoft will show world+dog how to write secure code
After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream. The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime …
Rather like Jim Jones showing world+dog how to make soft drink.
Rather Like...
... The Myra Hindley guide to managing a nursery
Sure!
You seem to be writing insecure code..
Cancel or Allow ?
Rather like...
... the Jack the Ripper guide to pimping.
Hello
"Hello..."
?
"HELLO..
...
"Is this pot speaking?"
"...err yes"
...
"I believe we have kettle on the other line for you"
Now THIS. IS. COMEDY!
This article has got to be a troll by somebody out there!
As such, it is surely a thing of beauty!
Now we've all had a good laugh
Microsoft are, by any measure, one of the largest software development operations in the world. Their development effort, for its size, produces significantly fewer new vulnerabilities than most of their competitors (whether open or closed source).
If all developers could achieve the level of secure development currently demonstrated by Microsoft, we'd have a lot fewer web sites with gaping XSS and SQL injection vulnerabilities. It's not as though sanitization of input strings is a particularly new or difficult technique, but it's obvious that it's still not widely practised.
Secure development is not that difficult:
IF you write all your own code yourself;
AND you know what you're doing;
AND you have access to some fairly sophisticated testing tools;
AND you know how to use them.
But once you're looking at a team of 100 developers, the security of the systems produced is likely to be only as strong as that of the weakest (from a security standpoint) member of your team. Production of secure code is only possible with a strong, secure development process and very good QA. If Microsoft can assist in making this combination more common, good for them.
MS invents Do what?? loop
A new generation of Microsoft coding monkeys who think they're good coders will now think they're writing safe code as well!
While (not up to the job){
Push out new coding initiatives;
}
Do something useful for a change;//this code never reached
Could have chosen a better acronym
I bet www.libsdl.org gets a lot more hits today....
Early adopters
Was the London Stock Exchange a beta customer?
SDL Pro Network
Say, do I read that right? It should basically become a security shopping mall where companies that do not have the capacity or will to care about security on their own can go and buy their secure hat for their otherwise as-always-before application? - In the words of AC: "Hahaha". (I don't claim to write particularly secure code)
A few more
"Bush will show world+dog how to speak in public"
"Oil companies will show world+dog how to take care of the environment"
"UK.gov will show world+dog how to keep citizens' private data safe"
Sorry, it's just taken me 10 mins just to type those in between hysterical bouts of laughter, my lungs hurt now and I'm going to have a lie down...
Yes but...
People will believe them, worse still, people will think that writing with Microsoft tools intrinsically makes your software secure.
Talking about dogs, I'll bet it'll run like one though.
the silver lining
is that the resulting books, manuals and reference material combined will be able to be about as thick as karen carpenters' personal cookbook
Erm...
Would be nice if they wouldn't rip off stuff... SDL stands for Simple Direct Layer and is meant for easily coding in OpenGL and other things...
But then they wouldn't be microshaft if they didn't rip off something or other
I thought the dog was writing their code
there is not much you can say - it is staggering the chutzpah of this approach.
But of course that is MS thru and thru, they make a toy operating system for little kids.
Microsoft "produces significantly fewer new vulnerabilities than most of their competitors"?
Okay Chris, I'm not going to get drawn into the flamebait, merely point out that the vulnerabilities they DO produce, due to their all pervasive presence, affect so many more people and systems.
This little exercise is designed to look altruistic, but IMHO, is just another example of Microsoft trying to keep their grip on the web/internet.
@sure
Surely it would be:
You seem to be writing insecure code.
Would you like some assistance with that?
MS and the IBM PC put back computing by at least 25 years, what's another few.
Microsoft will show world+dog how to write secure code
I nearly sprayed half-chewed prawn sandwich over my monitor when I saw that headline!
Not sure about now but in the past their code creation abilities were far from ideal - read the book "Barbarians Led by Bill Gates" by Jennifer Edstrom and Marlin Eller for more on that.
Microsoft shows world+dog how to write patch, after patch ...
after patch, after patch, after patch, after patch ...........
@Chris Miller
I think you misunderstand how comments about MS articles work.
1) Call them M$, Microsloth, Microshaft. etc.
2) Slag off anything at all that they do, it's all evil and money grabbing
3) Slag them off a bit more
4) Suggest that they have never innovated in anything
5) Suggest that any problem with any system which runs MS software is the fault of the company
6) Linux rulez etc. etc.
It's like..........
Getting flying lessons from a penguin :)
But at least code is more secure when written by a penguin ;)
@Fraser
Yes, everything and anything that company does is evil and all about money grabbing.
And please name one useful good thing that company innovated?
In defence of Microsoft...
(I'm home early today and looking for a challenge.)
Microsoft's implementations are a lot less flawed (think buffer overflows or weak ACLs resulting in obscure back-doors) than they used to be. That's down to their use of tools. Where their SDL hasn't delivered the goods is in the never-ending battle between the security experts and the idiots insisting on "ease of use" and "wow factor". (The idiots clearly won with Vista's UAC, for example.) If MS are making their tools more widely available, that's probably a good thing and if it isn't then you don't have to use them.
St Bill icon, because it doesn't get used much.
@D.M
They were pretty much the only software company to take Apple seriously when they first started.
They partnered with IBM for OS/2
They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre
Development of office tools (yes there were others, I know)
They have pumped billions into UI development
@Fraser
... They were pretty much the only software company to take Apple seriously when they first started.
And your point is?
... They partnered with IBM for OS/2
Then reneged on the partnership, launched office and windows leaving OS/2 (a very good OS IMHO) dead in the water
... They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre
We were talking innovation not shoddy business practices
... Development of office tools (yes there were others, I know)
Huh? Are you serious????
... They have pumped billions into UI development
And the result is Vista! Wheeeeeee, I'll have 2!
I can't stop laughing
Microsoft... secure code... naww you're having us on
Anyway... bet it falls victim to a 'buffer overflow' attack within 12 hours of it being released
Boris
<<happy because hes back on the 'net after an 18 hour disconnection <shudder>
So MS will teach code shifting then...
First off I can't believe that MS is using the acronym SDL (Simple DirectMedia Layer) which is a long time used Open Source acronym... maybe someone should sue them for confusing customers like they did with Lindows AKA Linspire.
Can someone please explain why MS supposedly fixes a vulnerability in say Windows 98 then when Windows XP rolls around it is vulnerable.... it is called copy paste. Now being that I have been a security analyst for 4 years now and have done more VA's than you can shake a stick at I have to say that MS's way of dealing with a vulnerability is to shift memory space, therefore a vulnbot can't work without finding the memory space of the vulnerable code has moved to. Does anyone ever wonder why worms have a worm.a,b,c,d,e... that is because the actual vulnerability is not fixed whatsoever it is just moved around so that existing worms don't work. A simple re-check of memory shows worm writers where it's moved to so then just need to make a simple tweak here and there to their worm and poof !!! it now works with the new "non-vulnerable code".
This is just code shifting not secure programming. Lies, all lies, stupid cat and mouse games. And BTW the hackers are always ahead of MS hence the reason why we have Patch Tuesdays and Black Wednesdays.... Hackers get the beta patch code find the vulnerability before MS releases the "Fix" and the moment they release the "Fix" they release their revision xyz of their currently existing worm/vulnerability/virus/malware.
I think it's a good idea!
I am just as sick and tired as anyone who, using a Windows computer has to apply security fix after security fix. I’ve been doing this for so long, I’ve been conditioned to expect at least five updates to download every patch Tuesday.
But, and this is a big but, how many third party bits of software installed on Windows are actually secure? How many of them use the Internet to check for updates on the user's behalf or in some way communicate with the Internet?
Every single one of them, unless well written is an attack vector. Chris Miller has pointed out that the recent SQL injection attacks could have been avoided if programmers had just validated the input strings before executing that insert query.
Sure Microsoft is not the first name that springs to mind when you think about tools to help programmers write more secure code. But it’s clear that a lot of programmers tend to avoid it in Windows environments because it’s never been enforced enough.
I think that the problem is that this mentality has been allowed to go on way too long amongst Windows programmers. Microsoft should make these tools free if they want to encourage developers to use them, otherwise they risk them being ignored.
Out of genuine interest, what do Linux programmers do? If you’re in an Open Source project, and have created some code. What factors come into play when security is involved? Does a certain programming methodology get used? Is code peer reviewed? What does the O/S stop you from doing? How about the compiler or code tools like lint? I’m not trying to bait or anything, I’d really like to know since having a lower user base than Windows cannot account for less security problems on its own.
If a programmer has access to tools to help securing their program, I welcome it, even if it is from a company that’s not renowned for secure code.
Thanks in advance for taking the time to respond to my Linux question.
Security, Oh Yeah!
I think all programmers should be forced to spend at least 6 months programming 6502 code, in assembler, with only a cassette tape for storage.
It doesn't take long to learn the importance of input validation, buffer/stack length checks, memory management etc.
Actually, it's true
"Microsoft will show world+dog how to write secure code "
They just demonstrate by bad example, that's all!
I wonder..
If you are driving down the street in your motorboat, and your wings fall off, how many secure lines of code does it take to fill a dog-house?
Rats, wish we had a dog icon.....
@Steve B
"MS and the IBM PC put back computing by at least 25 years, what's another few."
No, that's completely wrong. Blame Intel and Sun and IBM and MIPS if you like, but not MS. We used to have hardware that helped make writing secure code easy (think of the Burroughs stuff, the ICL stuff, coming out in the early 70s, the research at Manchester and at Oxford and at Cambridge). Then we got RISC and Z80 and 8085 and all the rest of the stuff produced by companies who decided that having any protection in hardware made the hardware more expensive and gave you less bang per buck, and it became much more difficult to write secure code. The guys who sold you more bang for your buck were very careful not to tell the poor naive customers that they would get a lot less security for their buck. Blame Bell Labs (Dennis Ritchie and Bjarne Stroustrup) if you like: we once had high level languages that helped us write secure code, and language gurus who promoted secure techniques. Then these guys popularised very low level languages (C, C with Classes, C++) and a programming approach that glorified unsafe pointer arithmetic. These languages had no imaginable way for a compiler to track references (so no useful type safety). The later versions perverted the concepts of abstract data types and object orientation that we had used for years. The almost universal uptake of first C and later C++ ensured that it was almost impossible to write secure code for any large scale development. These heroes (the founders of the most popular modern development techniques) told us C (and later C++) would reduce development costs (which was actually far from true compared with using a decent lisp variant, or Algol 68, or Coral, or almost anything but an assembly language) - and didn't bother to tell us that they would increase support costs enormously.
Yes, Windows is horrible, and MSDOS was pretty horrible too. But nothing Microsoft did was as damaging to secure computing as what those others did.
