Rather like Jim Jones showing world+dog how to make soft drink.
After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream. The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime …
Microsoft are, by any measure, one of the largest software development operations in the world. Their development effort, for its size, produces significantly fewer new vulnerabilities than most of their competitors (whether open or closed source).
If all developers could achieve the level of secure development currently demonstrated by Microsoft, we'd have a lot fewer web sites with gaping XSS and SQL injection vulnerabilities. It's not as though sanitization of input strings is a particularly new or difficult technique, but it's obvious that it's still not widely practised.
Secure development is not that difficult:
IF you write all your own code yourself;
AND you know what you're doing;
AND you have access to some fairly sophisticated testing tools;
AND you know how to use them.
But once you're looking at a team of 100 developers, the security of the systems produced is likely to be only as strong as that of the weakest (from a security standpoint) member of your team. Production of secure code is only possible with a strong, secure development process and very good QA. If Microsoft can assist in making this combination more common, good for them.
Say, do I read that right? It should basically become a security shopping mall where companies that do not have the capacity or will to care about security on their own can go and buy their secure hat for their otherwise as-always-before application? - In the words of AC: "Hahaha". (I don't claim to write particularly secure code)
"Bush will show world+dog how to speak in public"
"Oil companies will show world+dog how to take care of the environment"
"UK.gov will show world+dog how to keep citizens private data safe"
Sorry, it's just taken me 10 mins just to type those in between hysterical bouts of laughter, my lungs hurt now and I'm going to have a lie down...
Okay Chris, I'm not going to get drawn into the flamebait, merely point out that the vulnerabilities they DO produce, due to their all-pervasive presence, affect so many more people and systems.
This little exercise is designed to look altruistic, but IMHO, is just another example of Microsoft trying to keep their grip on the web/internet.
I nearly sprayed half-chewed prawn sandwich over my monitor when I saw that headline!
Not sure about now but in the past their code creation abilities were far from ideal - read the book "Barbarians Led by Bill Gates" by Jennifer Edstrom and Marlin Eller for more on that.
I think you misunderstand how comments about MS articles work.
1) Call them M$, Microsloth, Microshaft, etc.
2) Slag off anything at all that they do, it's all evil and money grabbing
3) Slag them off a bit more
4) Suggest that they have never innovated in anything
5) Suggest that any problem with any system which runs MS software is the fault of the company
6) Linux rulez etc. etc.
(I'm home early today and looking for a challenge.)
Microsoft's implementations are a lot less flawed (think buffer overflows or weak ACLs resulting in obscure back-doors) than they used to be. That's down to their use of tools. Where their SDL hasn't delivered the goods is in the never-ending battle between the security experts and the idiots insisting on "ease of use" and "wow factor". (The idiots clearly won with Vista's UAC, for example.) If MS are making their tools more widely available, that's probably a good thing and if it isn't then you don't have to use them.
St Bill icon, because it doesn't get used much.
They were pretty much the only software company to take Apple seriously when they first started.
They partnered with IBM for OS/2
They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre
Development of office tools (yes there were others, I know)
They have pumped billions into UI development
... They were pretty much the only software company to take Apple seriously when they first started.
And your point is?
... They partnered with IBM for OS/2
Then reneged on the partnership, launched Office and Windows, leaving OS/2 (a very good OS IMHO) dead in the water
... They pretty much single handedly broke the mainframe/big iron stranglehold on the datacentre
We were talking innovation, not shoddy business practices
... Development of office tools (yes there were others, I know)
Huh? Are you serious????
... They have pumped billions into UI development
And the result is Vista! Wheeeeeee, I'll have 2!
First off I can't believe that MS is using the acronym SDL (Simple DirectMedia Layer) which is a long time used Open Source acronym... maybe someone should sue them for confusing customers like they did with Lindows AKA Linspire.
Can someone please explain why MS supposedly fixes a vulnerability in, say, Windows 98, then when Windows XP rolls around it is vulnerable.... it is called copy-paste. Now, being that I have been a security analyst for 4 years now and have done more VAs than you can shake a stick at, I have to say that MS's way of dealing with a vulnerability is to shift memory space, therefore a vulnbot can't work without finding the memory space the vulnerable code has moved to. Does anyone ever wonder why worms have a worm.a, b, c, d, e...? That is because the actual vulnerability is not fixed whatsoever; it is just moved around so that existing worms don't work. A simple re-check of memory shows worm writers where it's moved to, so they then just need to make a simple tweak here and there to their worm and poof!!! It now works with the new "non-vulnerable code".
This is just code shifting, not secure programming. Lies, all lies, stupid cat and mouse games. And BTW the hackers are always ahead of MS, hence the reason why we have Patch Tuesdays and Black Wednesdays.... Hackers get the beta patch code, find the vulnerability before MS releases the "Fix", and the moment they release the "Fix" they release their revision xyz of their currently existing worm/vulnerability/virus/malware.
I am just as sick and tired as anyone who, using a Windows computer has to apply security fix after security fix. I’ve been doing this for so long, I’ve been conditioned to expect at least five updates to download every patch Tuesday.
But, and this is a big but, how many third-party bits of software installed on Windows are actually secure? How many of them use the Internet to check for updates on the user's behalf or in some way communicate with the Internet?
Every single one of them, unless well written, is an attack vector. Chris Miller has pointed out that the recent SQL injection attacks could have been avoided if programmers had just validated the input strings before executing that insert query.
Sure Microsoft is not the first name that springs to mind when you think about tools to help programmers write more secure code. But it’s clear that a lot of programmers tend to avoid it in Windows environments because it’s never been enforced enough.
I think that the problem is that this mentality has been allowed to go on way too long amongst Windows programmers. Microsoft should make these tools free if they want to encourage developers to use them, otherwise they risk them being ignored.
Out of genuine interest, what do Linux programmers do? If you’re in an Open Source project, and have created some code. What factors come into play when security is involved? Does a certain programming methodology get used? Is code peer reviewed? What does the O/S stop you from doing? How about the compiler or code tools like lint? I’m not trying to bait or anything, I’d really like to know since having a lower user base than Windows cannot account for less security problems on its own.
If a programmer has access to tools to help securing their program, I welcome it, even if it is from a company that’s not renowned for secure code.
Thanks in advance for taking the time to respond to my Linux question.
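Editor's note: the "validate the input strings before executing that insert query" point above (and the XSS/SQL injection remark earlier in the thread) is worth seeing in code. The following is an added example, not code from any commenter, from the article, or from Microsoft's SDL tooling. It assumes a hypothetical users table with name and role columns and uses Python's built-in sqlite3 module so it runs offline. It shows the unsafe string-concatenated INSERT being turned into a two-row insert that grants an attacker an admin role, the same input being stored harmlessly as data by a parameterized query, and an allow-list validator as defense in depth. Note that validation alone is fragile (the allow-list must be correct for every field); parameterized queries are the reliable fix, and validation sits on top of them.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema (assumption, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    return conn


def add_user_vulnerable(conn, name):
    """The unsafe pattern: untrusted input pasted straight into the SQL text."""
    sql = f"INSERT INTO users (name, role) VALUES ('{name}', 'user')"
    conn.execute(sql)
    conn.commit()


def add_user_parameterized(conn, name):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    conn.commit()


# Allow-list validator for a username field (hypothetical policy: short,
# alphanumeric plus a few punctuation characters). Defense in depth only.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def admins(conn):
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE role = 'admin'")]


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY rowid")]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Constructed attacker payload: closes the quoted value, supplies a second
# row with role 'admin', then reopens a quote so the tail of the original
# statement ("', 'user')") still parses as a third column pair. No SQL
# comment is needed, so it does not trip sqlite3's one-statement guard.
PAYLOAD = "mallory', 'admin'), ('x"


def demo():
    """Run the same input through both code paths and report what landed."""
    vuln = make_db()
    add_user_vulnerable(vuln, PAYLOAD)

    safe = make_db()
    add_user_parameterized(safe, PAYLOAD)

    return {
        "vulnerable_rows": row_count(vuln),        # 2: attacker got an extra row
        "vulnerable_admins": admins(vuln),         # ['mallory']
        "safe_rows": row_count(safe),              # 1
        "safe_admins": admins(safe),               # []
        "safe_names": names(safe),                 # the literal payload, stored as data
        "payload_passes_validation": is_valid_name(PAYLOAD),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable path executes `INSERT INTO users (name, role) VALUES ('mallory', 'admin'), ('x', 'user')`; the parameterized path stores the whole payload string as a single username with role `user`. The validator would have rejected the payload before either query ran, but it would not have protected a field whose legitimate values can contain quotes, which is why binding parameters is the primary control.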
"MS and the IBM PC put back computing by at least 25 years, what's another few."
No, that's completely wrong. Blame Intel and Sun and IBM and MIPS if you like, but not MS. We used to have hardware that helped make writing secure code easy (think of the Burroughs stuff, the ICL stuff, coming out in the early 70s, the research at Manchester and at Oxford and at Cambridge). Then we got RISC and Z80 and 8085 and all the rest of the stuff produced by companies who decided that having any protection in hardware made the hardware more expensive and gave you less bang per buck, and it became much more difficult to write secure code. The guys who sold you more bang for your buck were very careful not to tell the poor naive customers that they would get a lot less security for their buck.
Blame Bell Labs (Dennis Ritchie and Bjarne Stroustrup) if you like: we once had high level languages that helped us write secure code, and language gurus who promoted secure techniques. Then these guys popularised very low level languages (C, C with Classes, C++) and a programming approach that glorified unsafe pointer arithmetic. These languages had no imaginable way for a compiler to track references (so no useful type safety). The later versions perverted the concepts of abstract data types and object orientation that we had used for years. The almost universal uptake of first C and later C++ ensured that it was almost impossible to write secure code for any large scale development. These heroes (the founders of the most popular modern development techniques) told us C (and later C++) would reduce development costs (which was actually far from true compared with using a decent Lisp variant, or Algol 68, or Coral, or almost anything but an assembly language) - and didn't bother to tell us that they would increase support costs enormously.
Yes, Windows is horrible, and MSDOS was pretty horrible too. But nothing Microsoft did was as damaging to secure computing as what those others did.