Secure Coding mailing list archives
Re: Microsoft SDL report card
From: Gary McGraw <gem () cigital com>
Date: Tue, 5 Apr 2011 09:25:13 -0400
hi ben,

Strides (with an s). Take a quick look at the Microsoft report card at the beginning of this thread <http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade>. Then see if that sparks more specific questions.

Does Microsoft make bug/flaw free software? No. Is the software they are producing today far superior to the kernel-less bug ridden disaster of the mid-90s? Yes.

FWIW, Google is also working diligently on software security but is taking a different tack (with more focus on unit testing and much less on static analysis, for example). Google seems to have been blindsided by sticking their software out in attackerland (on desktops or running phones) after relying on their "slit" interface for so many years.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 4/5/11 7:32 AM, "Ben Laurie" <benl () google com> wrote:
> On 4 April 2011 16:45, Gary McGraw <gem () cigital com> wrote:
>> In my opinion, the most interesting thing about stuxnet was the payload.
>
> So what was the huge stride made since Code Red wrt Stuxnet?
>
>> See: How to p0wn a Control System with Stuxnet <http://www.informit.com/articles/article.aspx?p=1636983> (September 23, 2010)
>>
>> You might also listen to Langner on Silver Bullet (the longest episode ever, but a good one): http://www.cigital.com/silverbullet/show-059/
>>
>> gem
>>
>> On 4/1/11 9:16 AM, "Ben Laurie" <benl () google com> wrote:
>>> On 31 March 2011 13:03, Gary McGraw <gem () cigital com> wrote:
>>>> hi sc-l,
>>>>
>>>> Yesterday, Microsoft released an SDL report card of sorts called "The SDL Progress Report." It covers the history of the SDL from 2004-2010. You should read it.
>>>>
>>>> http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade
>>>>
>>>> For some reason the tech press is mostly discussing DEP and ASLR adoption (covered on pages 18 and 19). Though I guess that is the "news" hook the PR flacks are hyping, I think there are many other parts of the report that have plenty to teach about how a software security initiative evolves. (WRT the two anti-exploit tactics, see an article I co-authored with Ivan Arce from Core, Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson? <http://www.informit.com/articles/article.aspx?p=1588145> (April 30, 2010).)
>>>>
>>>> Microsoft has made huge strides since the days of CodeRed, NIMDA and Slammer.
>>>
>>> Stuxnet?
>>>
>>>> The best part of what they're doing is being very open about the progress they are making and the approach that seems to be working for them. I, for one, would love to see other reports like this issued by software vendors.
>>>>
>>>> gem
>>>>
>>>> company www.cigital.com
>>>> podcast www.cigital.com/silverbullet
>>>> blog www.cigital.com/justiceleague
>>>> book www.swsec.com
>>>>
>>>> _______________________________________________
>>>> Secure Coding mailing list (SC-L) SC-L () securecoding org
>>>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>>>> List charter available at - http://www.securecoding.org/list/charter.php
>>>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
>>>> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
>>>> _______________________________________________
Current thread:
- Re: Microsoft SDL report card Steven M. Christey (Apr 01)
- <Possible follow-ups>
- Re: Microsoft SDL report card Gary McGraw (Apr 04)
- Re: Microsoft SDL report card Ben Laurie (Apr 05)
- Re: Microsoft SDL report card Gary McGraw (Apr 05)
- Re: Microsoft SDL report card Kevin W. Wall (Apr 05)
- Re: Microsoft SDL report card Ben Laurie (Apr 17)
- Re: Microsoft SDL report card Andy Steingruebl (Apr 18)
- Re: Microsoft SDL report card Ben Laurie (May 03)
- Re: Microsoft SDL report card Gunnar Peterson (May 03)
- Re: Microsoft SDL report card iarce (May 05)
- Re: Microsoft SDL report card Steven M. Christey (May 06)
- Re: Microsoft SDL report card Ben Laurie (Apr 05)