Microsoft will show world+dog how to write secure code

After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream. The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime …

COMMENTS

This topic is closed for new posts.
  1. Brett

    Rather like Jim Jones showing world+dog how to make soft drink.

  2. Anonymous Coward
    Anonymous Coward

    Rather Like...

    ... The Myra Hindley guide to managing a nursery

  3. Anonymous Coward
    Gates Halo

    Sure!

    You seem to be writing insecure code..

    Cancel or Allow ?

  4. yeah, right.
    Gates Horns

    Rather like...

    ... the Jack the Ripper guide to pimping.

  5. Anonymous Coward
    Linux

    Hahaha.

    Sorry, that's all I could muster.

  6. Neil Stansbury

    Hello

    "Hello..."

    ?

    "HELLO..

    ...

    "Is this pot speaking?"

    "...err yes"

    ...

    "I believe we have kettle on the other line for you"

  7. T J
    Joke

    Now THIS. IS. COMEDY!

    This article has got to be a troll by somebody out there!

    As such, it is surely a thing of beauty!

  8. Chris Miller

    Now we've all had a good laugh

    Microsoft are, by any measure, one of the largest software development operations in the world. Their development effort, for its size, produces significantly fewer new vulnerabilities than most of their competitors (whether open or closed source).

    If all developers could achieve the level of secure development currently demonstrated by Microsoft, we'd have a lot fewer web sites with gaping XSS and SQL injection vulnerabilities. It's not as though sanitization of input strings is a particularly new or difficult technique, but it's obvious that it's still not widely practised.

    Secure development is not that difficult:

    IF you write all your own code yourself;

    AND you know what you're doing;

    AND you have access to some fairly sophisticated testing tools;

    AND you know how to use them.

    But once you're looking at a team of 100 developers, the security of the systems produced is likely to be only as strong as that of the weakest (from a security standpoint) member of your team. Production of secure code is only possible with a strong, secure development process and very good QA. If Microsoft can assist in making this combination more common, good for them.

  9. Tom

    MS invents Do what?? loop

    A new generation of Microsoft coding monkeys who think they're good coders will now think they're writing safe code as well!

    While (not up to the job){

    Push out new coding initiatives;

    }

    Do something useful for a change;//this code never reached

  10. Anonymous Coward
    Paris Hilton

    Window Snyder?

    What a fantastic name!

  11. Lee Dowling Silver badge

    Could have chosen a better acronym

    I bet www.libsdl.org gets a lot more hits today....

  12. Anonymous Coward
    IT Angle

    Early adopters

    Was the London Stock Exchange a beta customer?

  13. F Seiler

    SDL Pro Network

    Say, do I read that right? It should basically become a security shopping mall where companies that do not have the capacity or will to care about security on their own can go and buy their secure hat for their otherwise as-always-before application? - In the words of AC: "Hahaha". (I don't claim to write particularly secure code)

  14. Dr. Mouse

    A few more

    "Bush will show world+dog how to speak in public"

    "Oil companies will show world+dog how to take care of the environment"

    "UK.gov will show world+dog how to keep citizens' private data safe"

    Sorry, it's just taken me 10 mins just to type those in between hysterical bouts of laughter, my lungs hurt now and I'm going to have a lie down...

  15. John Chadwick

    Yes but...

    People will believe them, worse still, people will think that writing with Microsoft tools intrinsically makes your software secure.

    Talking about dogs, I'll bet it'll run like one though.

  16. Fozzy
    Gates Horns

    the silver lining

    is that the resulting books, manuals and reference material combined will be able to be about as thick as Karen Carpenter's personal cookbook

  17. Andraž Levstik

    Erm...

    Would be nice if they wouldn't rip off stuff... SDL stands for Simple Direct Layer and is meant for easily coding in OpenGL and other things...

    But then they wouldn't be microshaft if they didn't rip off something or other

  18. Anonymous Coward
    Anonymous Coward

    I thought the dog was writing their code

    there is not much you can say - it is staggering the chutzpah of this approach.

    But of course that is MS thru and thru, they make a toy operating system for little kids.

  19. dervheid
    Gates Horns

    Microsoft "produces significantly fewer new vulnerabilities than most of their competitors"?

    Okay Chris, I'm not going to get drawn into the flamebait, merely point out that the vulnerabilities they DO produce, due to their all-pervasive presence, affect so many more people and systems.

    This little exercise is designed to look altruistic, but IMHO, is just another example of Microsoft trying to keep their grip on the web/internet.

  20. Steve B

    @sure

    Surely it would be:

    You seem to be writing insecure code.

    Would you like some assistance with that?

    MS and the IBM PC put back computing by at least 25 years, what's another few.

  21. David Viner Silver badge
    Happy

    Microsoft will show world+dog how to write secure code

    I nearly sprayed half-chewed prawn sandwich over my monitor when I saw that headline!

    Not sure about now but in the past their code creation abilities were far from ideal - read the book "Barbarians Led by Bill Gates" by Jennifer Edstrom and Marlin Eller for more on that.

  22. Simon B
    Alert

    Microsoft shows world+dog how to write patch, after patch ...

    after patch, after patch, after patch, after patch ...........

  23. Anonymous Coward
    Anonymous Coward

    @Chris Miller

    I think you misunderstand how comments about MS articles work.

    1) Call them M$, Microsloth, Microshaft, etc.

    2) Slag off anything at all that they do, it's all evil and money grabbing

    3) Slag them off a bit more

    4) Suggest that they have never innovated in anything

    5) Suggest that any problem with any system which runs MS software is the fault of the company

    6) Linux rulez etc. etc.

  24. Anonymous Coward
    Linux

    It's like..........

    Getting flying lessons from a penguin :)

    But at least code is more secure when written by a penguin ;)

  25. D. M
    Linux

    @Fraser

    Yes, everything and anything that company does is evil and all about money grabbing.

    And please name one useful good thing that company innovated?

  26. Ken Hagan Gold badge
    Gates Halo

    In defence of Microsoft...

    (I'm home early today and looking for a challenge.)

    Microsoft's implementations are a lot less flawed (think buffer overflows or weak ACLs resulting in obscure back-doors) than they used to be. That's down to their use of tools. Where their SDL hasn't delivered the goods is in the never-ending battle between the security experts and the idiots insisting on "ease of use" and "wow factor". (The idiots clearly won with Vista's UAC, for example.) If MS are making their tools more widely available, that's probably a good thing and if it isn't then you don't have to use them.

    St Bill icon, because it doesn't get used much.

  27. Anonymous Coward
    Anonymous Coward

    @D.M

    They were pretty much the only software company to take Apple seriously when they first started.

    They partnered with IBM for OS/2

    They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre

    Development of office tools (yes there were others, I know)

    They have pumped billions into UI development

  28. Anonymous Coward
    Anonymous Coward

    @Fraser

    ... They were pretty much the only software company to take Apple seriously when they first started.

    And your point is?

    ... They partnered with IBM for OS/2

    Then reneged on the partnership, launched office and windows leaving OS/2 (a very good OS IMHO) dead in the water

    ... They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre

    We were talking innovation not shoddy business practices

    ... Development of office tools (yes there were others, I know)

    Huh? Are you serious????

    ... They have pumped billions into UI development

    And the result is Vista! Wheeeeeee, I'll have 2!

  29. Boris the Cockroach Silver badge
    Happy

    I can't stop laughing

    Microsoft... secure code... naww you're having us on

    Anyway... bet it falls victim to a 'buffer overflow' attack within 12 hours of it being released

    Boris

    <<happy because he's back on the 'net after an 18 hour disconnection <shudder>

  30. Anonymous Coward
    Jobs Horns

    So MS will teach code shifting then...

    First off I can't believe that MS is using the acronym SDL (Simple DirectMedia Layer) which is a long time used Open Source acronym... maybe someone should sue them for confusing customers like they did with Lindows AKA Linspire.

    Can someone please explain why MS supposedly fixes a vulnerability in say Windows 98 then when Windows XP rolls around it is vulnerable.... it is called copy paste. Now being that I have been a security analyst for 4 years now and have done more VA's than you can shake a stick at I have to say that MS's way of dealing with a vulnerability is to shift memory space, therefore a vulnbot can't work without finding the memory space the vulnerable code has moved to. Does anyone ever wonder why worms have a worm.a,b,c,d,e... that is because the actual vulnerability is not fixed whatsoever, it is just moved around so that existing worms don't work. A simple re-check of memory shows worm writers where it's moved to so they then just need to make a simple tweak here and there to their worm and poof !!! it now works with the new "non-vulnerable code".

    This is just code shifting not secure programming. Lies, all lies, stupid cat and mouse games. And BTW the hackers are always ahead of MS hence the reason why we have Patch Tuesdays and Black Wednesdays.... Hackers get the beta patch code find the vulnerability before MS releases the "Fix" and the moment they release the "Fix" they release their revision xyz of their currently existing worm/vulnerability/virus/malware.

  31. Anonymous Coward
    Thumb Up

    I think it's a good idea!

    I am just as sick and tired as anyone who, using a Windows computer has to apply security fix after security fix. I’ve been doing this for so long, I’ve been conditioned to expect at least five updates to download every patch Tuesday.

    But, and this is a big but, how many third party bits of software installed on Windows are actually secure? How many of them use the Internet to check for updates on the user's behalf or in some way communicate with the Internet?

    Every single one of them, unless well written, is an attack vector. Chris Miller has pointed out that the recent SQL injection attacks could have been avoided if programmers had just validated the input strings before executing that insert query.

    Sure Microsoft is not the first name that springs to mind when you think about tools to help programmers write more secure code. But it’s clear that a lot of programmers tend to avoid it in Windows environments because it’s never been enforced enough.

    I think that the problem is that this mentality has been allowed to go on way too long amongst Windows programmers. Microsoft should make these tools free if they want to encourage developers to use them, otherwise they risk them being ignored.

    Out of genuine interest, what do Linux programmers do? If you’re in an Open Source project, and have created some code. What factors come into play when security is involved? Does a certain programming methodology get used? Is code peer reviewed? What does the O/S stop you from doing? How about the compiler or code tools like lint? I’m not trying to bait or anything, I’d really like to know since having a lower user base than Windows cannot account for fewer security problems on its own.

    If a programmer has access to tools to help securing their program, I welcome it, even if it is from a company that’s not renowned for secure code.

    Thanks in advance for taking the time to respond to my Linux question.

  32. Will Godfrey Silver badge

    Security, Oh Yeah!

    I think all programmers should be forced to spend at least 6 months programming 6502 code, in assembler, with only a cassette tape for storage.

    It doesn't take long to learn the importance of input validation, buffer/stack length checks, memory management etc.

  33. Captain DaFt

    Actually, it's true

    "Microsoft will show world+dog how to write secure code "

    They just demonstrate by bad example, that's all!

  34. Ambi Valent

    I wonder..

    If you are driving down the street in your motorboat, and your wings fall off, how many secure lines of code does it take to fill a dog-house?

    Rats, wish we had a dog icon.....

  35. Tom Thomson

    @Steve B

    "MS and the IBM PC put back computing by at least 25 years, what's another few."

    No, that's completely wrong. Blame Intel and Sun and IBM and MIPS if you like, but not MS. We used to have hardware that helped make writing secure code easy (think of the Burroughs stuff, the ICL stuff, coming out in the early 70s, the research at Manchester and at Oxford and at Cambridge). Then we got RISC and Z80 and 8085 and all the rest of the stuff produced by companies who decided that having any protection in hardware made the hardware more expensive and gave you less bang per buck, and it became much more difficult to write secure code. The guys who sold you more bang for your buck were very careful not to tell the poor naive customers that they would get a lot less security for their buck. Blame Bell Labs (Dennis Ritchie and Bjarne Stroustrup) if you like: we once had high level languages that helped us write secure code, and language gurus who promoted secure techniques. Then these guys popularised very low level languages (C, C with Classes, C++) and a programming approach that glorified unsafe pointer arithmetic. These languages had no imaginable way for a compiler to track references (so no useful type safety). The later versions perverted the concepts of abstract data types and object orientation that we had used for years. The almost universal uptake of first C and later C++ ensured that it was almost impossible to write secure code for any large scale development. These heroes (the founders of the most popular modern development techniques) told us C (and later C++) would reduce development costs (which was actually far from true compared with using a decent lisp variant, or Algol 68, or Coral, or almost anything but an assembly language) - and didn't bother to tell us that they would increase support costs enormously.

    Yes, Windows is horrible, and MSDOS was pretty horrible too. But nothing Microsoft did was as damaging to secure computing as what those others did.
