Secure Coding mailing list archives

Re: Microsoft SDL report card


From: Gary McGraw <gem () cigital com>
Date: Mon, 4 Apr 2011 11:45:09 -0400

In my opinion, the most interesting thing about stuxnet was the payload.
See:
How to p0wn a Control System with Stuxnet <http://www.informit.com/articles/article.aspx?p=1636983> (September 23, 2010)

You might also listen to Langner on Silver Bullet (the longest episode
ever, but a good one):
http://www.cigital.com/silverbullet/show-059/

gem


On 4/1/11 9:16 AM, "Ben Laurie" <benl () google com> wrote:

On 31 March 2011 13:03, Gary McGraw <gem () cigital com> wrote:
hi sc-l,

Yesterday, Microsoft released an SDL report card of sorts called "The
SDL Progress Report."  It covers the history of the SDL from 2004-2010.
You should read it.


http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade

For some reason the tech press is mostly discussing DEP and ASLR
adoption (covered on pages 18 and 19).  Though I guess that is the
"news" hook the PR flacks are hyping, I think there are many other parts
of the report that have plenty to teach about how a software security
initiative evolves.  (WRT the two anti-exploit tactics, see an article I
co-authored with Ivan Arce from Core, "Assume Nothing: Is Microsoft
Forgetting a Crucial Security Lesson?"
<http://www.informit.com/articles/article.aspx?p=1588145> (April 30, 2010).)

Microsoft has made huge strides since the days of CodeRed, NIMDA and
Slammer.

Stuxnet?

The best part of what they're doing is being very open about the
progress they are making and the approach that seems to be working for
them.  I, for one, would love to see other reports like this issued by
software vendors.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________


