Secure Coding mailing list archives

Re: Microsoft SDL report card


From: Ben Laurie <benl () google com>
Date: Fri, 15 Apr 2011 15:33:29 +0100

On 6 April 2011 03:20, Kevin W. Wall <kevin.w.wall () gmail com> wrote:
On 04/05/2011 09:25 AM, Gary McGraw wrote:
hi ben,

Strides (with an s).  Take a quick look at the Microsoft report card at
the beginning of this thread
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade>.  Then see if that sparks more specific questions.

Does Microsoft make bug/flaw free software?  No.  Is the software they are
producing today far superior to the kernel-less bug ridden disaster of the
mid-90s?  Yes.

I agree with Gary here. Attacks have gotten much more sophisticated since
Gates' Trustworthy Computing memo was issued in Jan 2002. But I think
that Microsoft has done pretty well in dealing with the attacks like buffer
overflows and heap corruption that were so prevalent to their code in the late
90s to early 2000s. Of course, one could argue that was more because of a move
away from C++ to .NET/C# than because of any secure SDLC they were
pushing, or that this was just the low hanging fruit. Nevertheless, they
seem to have mostly addressed these things where other companies haven't,
so they must be doing something right.

I think that what is being overlooked here though is how much worse
things would have been had Microsoft not had such a big push toward an SSDLC.

We have to acknowledge at least that Microsoft no longer seems to be
the #1 poster child for insecure software. That unenviable
position would now seem to belong to Adobe with Flash and Acrobat Reader.
Their two products alone seem to account for more zombied PCs than
all of the Microsoft software combined.

FWIW, Google is also working diligently on software security but is taking
a different tack (with more focus on unit testing and much less on static
analysis, for example).  Google seems to have been blindsided by sticking
their software out in attackerland (on desktops or running phones) after
relying on their "slit" interface for so many years.

Odd how you mention Google and being blindsided. I think that's going
to get a lot worse and happen soon. Shameless plug: I recently blogged
about how Google and Apple are making the same mistakes with mobile devices
that the personal computing industry made in the 80s and 90s. You can read
about it here if you are interested:

<http://off-the-wall-security.blogspot.com/2011/04/mobile-devices-are-we-repeating-history.html>

I'd be interested in this crowd's (and especially Ben's, since he's now
at Google) thoughts about it...am I just crying wolf here or do you think
this is a real problem in the making?

Long delay, but...

I think the assumption that a phone is a single user device is largely
correct and so I can't really agree that it is a design error to
design for that.

However, I think you are completely right that tablets are not single
user machines and that treating them as such is a disaster. Indeed, my
own iPad gets rather less use than it might because I can't leave my
account logged in on it...

However, both of these pale in comparison with the elephant in the
room: namely that all our widely used OSes are designed around a
system intended to protect the machine from its users, and the users
from each other. It is no longer generally the case that machines need
protecting from their users (also known as "owners"). The primary
threat now is software the user runs (which is assumed to be trusted
in the prevailing model, how crazy is that?).

Which is why I am interested in and devoting most of my time now to
capability systems.


Regards,
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
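As an added illustration of the point Ben makes above about ambient authority versus capabilities (this is example code written for this archive page, not code from any of the posters), the following Python contrasts a "plugin" that runs with the user's full authority against one that is handed only an object representing a single directory. The directory capability is built on the POSIX openat semantics exposed through os.open(..., dir_fd=...), and it refuses absolute paths, parent traversal and symlinks, since each of those would reach outside the authority the object is meant to convey. All file names and contents are constructed inside a temporary directory. Python itself cannot take the global open() away from the plugin, so this shows the discipline rather than OS-enforced confinement; enforcing it is what a capability operating system does.

```python
import errno
import os
import shutil
import tempfile


class DirCap:
    """A capability to one directory.

    Holding this object is the only authority it conveys: read a plain
    file that lives directly inside the directory.  Everything that could
    reach outside (absolute paths, "..", sub-paths, symlinks) is refused.
    """

    def __init__(self, path):
        # Hold the directory open; later opens are relative to this fd,
        # not to the process's current working directory.
        self.fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)

    def read_file(self, name):
        # Only a single, plain path component is acceptable.  An absolute
        # path makes openat ignore dir_fd entirely, and ".." or "a/b"
        # would let the caller walk out of (or deep into) the directory.
        if not name or "/" in name or name in (".", ".."):
            raise PermissionError(errno.EACCES, "name escapes capability", name)
        flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
        try:
            fd = os.open(name, flags, dir_fd=self.fd)
        except OSError as e:
            # O_NOFOLLOW on a symlink fails with ELOOP: a link planted in
            # the directory must not become a way to read the link target.
            if e.errno == errno.ELOOP:
                raise PermissionError(errno.EACCES, "symlink refused", name) from None
            raise
        with os.fdopen(fd, "rb") as f:
            return f.read()

    def close(self):
        os.close(self.fd)


def untrusted_plugin_ambient(path):
    """The prevailing model: the plugin runs as the user, so it can open
    whatever the user can open.  Nothing distinguishes 'its' files from
    the user's secrets."""
    with open(path, "rb") as f:
        return f.read()


def untrusted_plugin_confined(cap, name):
    """The capability model: the plugin is given a DirCap and nothing else.
    It can only ask that object for files, and the object decides."""
    return cap.read_file(name)


def denied(action):
    """True if the action raised PermissionError, False if it succeeded."""
    try:
        action()
    except PermissionError:
        return True
    return False


def demo():
    """Build a constructed layout and return which accesses succeeded."""
    root = tempfile.mkdtemp()
    try:
        plugin_dir = os.path.join(root, "plugin_data")
        os.mkdir(plugin_dir)
        with open(os.path.join(plugin_dir, "config.txt"), "wb") as f:
            f.write(b"colour=blue\n")
        # The "secret" lives outside the plugin's directory.
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"constructed secret\n")
        # A symlink inside the plugin directory pointing at the secret.
        os.symlink(secret, os.path.join(plugin_dir, "innocent.txt"))

        results = {}
        results["ambient_reads_secret"] = (
            untrusted_plugin_ambient(secret) == b"constructed secret\n")
        cap = DirCap(plugin_dir)
        results["cap_reads_config"] = (
            untrusted_plugin_confined(cap, "config.txt") == b"colour=blue\n")
        results["cap_blocks_traversal"] = denied(lambda: cap.read_file("../secret.txt"))
        results["cap_blocks_absolute"] = denied(lambda: cap.read_file(secret))
        results["cap_blocks_symlink"] = denied(lambda: cap.read_file("innocent.txt"))
        cap.close()
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The ambient plugin reads the secret without anything in the design objecting, which is exactly the "software the user runs is assumed trusted" problem; the confined plugin can read its own config but every attempt to step outside its directory is refused by the object it was handed, not by a policy looked up elsewhere.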


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________


Current thread: