Secure Coding mailing list archives
Re: Microsoft SDL report card
From: Ben Laurie <benl () google com>
Date: Fri, 15 Apr 2011 15:33:29 +0100
On 6 April 2011 03:20, Kevin W. Wall <kevin.w.wall () gmail com> wrote:
> On 04/05/2011 09:25 AM, Gary McGraw wrote:
>> hi ben,
>>
>> Strides (with an s). Take a quick look at the Microsoft report card at
>> the beginning of this thread
>> <http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade>.
>> Then see if that sparks more specific questions.
>>
>> Does Microsoft make bug/flaw free software? No. Is the software they
>> are producing today far superior to the kernel-less bug ridden disaster
>> of the mid-90s? Yes.
>
> I agree with Gary here. Attacks have gotten much more sophisticated since
> Gates' Trustworthy Computing memo was issued in Jan 2002. But I think that
> Microsoft has done pretty well in dealing with the attacks like buffer
> overflows and heap corruption that were so prevalent to their code in the
> late 90s to early 2000s. Of course, one could argue that was more because
> of a move away from C++ to .NET/C# than it was because of any secure SDLC
> they were pushing or that this was just the low hanging fruit.
> Nevertheless, they seemed to have mostly addressed these things where
> other companies haven't so they must be doing something right.
>
> I think that what is being overlooked here though is how much worse would
> things have been had Microsoft not had such a big push toward an SSDLC.
>
> We have to acknowledge at least that Microsoft no longer seems to be the
> #1 poster child for insecure software any longer. That unenviable position
> would now seem to belong to Adobe with Flash and Acrobat Reader. Their two
> products alone seem to account for more zombied PCs than all of the
> Microsoft software combined.
>
>> FWIW, Google is also working diligently on software security but is
>> taking a different tack (with more focus on unit testing and much less
>> on static analysis, for example). Google seems to have been blindsided
>> by sticking their software out in attackerland (on desktops or running
>> phones) after relying on their "slit" interface for so many years.
>
> Odd how you mention Google and being blindsided.
>
> I think that's going to get a lot worse and happen soon. Shameless plug:
> I recently blogged about how Google and Apple are making the same mistakes
> with mobile devices that the personal computing industry made in the 80s
> and 90s. You can read about it here if you are interested:
> <http://off-the-wall-security.blogspot.com/2011/04/mobile-devices-are-we-repeating-history.html>
>
> I'd be interested in this crowd's (and especially Ben's, since he's now at
> Google) thoughts about it...am I just crying wolf here or do you think
> this is a real problem in the making?

Long delay, but...

I think the assumption that a phone is a single user device is largely correct and so I can't really agree that it is a design error to design for that. However, I think you are completely right that tablets are not single user machines and that treating them as such is a disaster. Indeed, my own iPad gets rather less use than it might because I can't leave my account logged in on it...

However, both of these pale in comparison with the elephant in the room: namely that all our widely used OSes are designed around a system intended to protect the machine from its users, and the users from each other. It is no longer generally the case that machines need protecting from their users (also known as "owners"). The primary threat now is software the user runs (which is assumed to be trusted in the prevailing model, how crazy is that?). Which is why I am interested in and devoting most of my time now to capability systems.

> Regards,
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________