Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft SDL report card

From: Gary McGraw <gem () cigital com>
Date: Tue, 5 Apr 2011 09:25:13 -0400
hi ben,

Strides (with an s).  Take a quick look at the Microsoft report card at
the beginning of this thread
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-
487a-a2e2-8da73fb9eade>.  Then see if that sparks more specific questions.

Does Microsoft make bug/flaw free software?  No.  Is the software they are
producing today far superior to the kernel-less bug ridden disaster of the
mid-90s?  Yes.

FWIW, Google is also working diligently on software security but is taking
a different tack (with more focus on unit testing and much less on static
analysis, for example).  Google seems to have been blindsided by sticking
their software out in attackerland (on desktops or running phones) after
relying on their "slit" interface for so many years.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




On 4/5/11 7:32 AM, "Ben Laurie" <benl () google com> wrote:


On 4 April 2011 16:45, Gary McGraw <gem () cigital com> wrote:

In my opinion, the most interesting thing about stuxnet was the payload.


So what was the huge stride made since Code Red wrt Stuxnet?


See:
How to p0wn a Control System with Stuxnet
<http://www.informit.com/articles/article.aspx?p=1636983> (September 23,
2010)

You might also listen to Langner on Silver Bullet (the longest episode
ever, but a good one):
http://www.cigital.com/silverbullet/show-059/

gem


On 4/1/11 9:16 AM, "Ben Laurie" <benl () google com> wrote:


On 31 March 2011 13:03, Gary McGraw <gem () cigital com> wrote:

hi sc-l,

Yesterday, Microsoft released an SDL report card of sorts called "The
SDL Progress Report."  It covers the history of the SDL from 2004-2010.
You should read it.


http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61
c9
-487a-a2e2-8da73fb9eade

For some reason the tech press is mostly discussing DEP and ASLR
adoption (covered on pages 18 and 19).  Though I guess that is the
"news" hook the PR flacks are hyping, I think there are many other
parts
of the report that have plenty to teach about how a software security
initiative evolves.  (WRT the two anti-exploit tactics, see an article
I
co-authored with Ivan Arce from Core Assume Nothing: Is Microsoft
Forgetting a Crucial Security
Lesson?<http://www.informit.com/articles/article.aspx?p=1588145> (April
30, 2010).)

Microsoft has made huge strides since the days of CodeRed, NIMDA and
Slammer.


Stuxnet?


 The best part of what they're doing is being very open about the
progress they are making and the approach that seems to be working for
them.  I, for one, would love to see other reports like this issued by
software vendors.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at -
http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at:
http://twitter.com/KRvW_Associates
_______________________________________________







_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: