The First Step on the Road to More Secure Software is admitting you have a Problem

Oh No! Security Metrics!

The Security Development Lifecycle — Fri, 18 Apr 2008 16:08:15 GMT

Hello, Michael here. A colleague sent me a link to a blog post from a couple of days ago: Pete Lindstrom

Microsoft SDL Process – in detail

The Security Development Lifecycle — Thu, 10 Apr 2008 00:45:32 GMT

Hello all – Dave here… I am currently at RSA and decided to take a few moments to blog about some updates

Sempre a proposito di sicurezza...

Normal people bore me! — Wed, 02 Apr 2008 09:45:06 GMT

Sempre a proposito di sicurezza...

re: The First Step on the Road to More Secure Software is admitting you have a Problem

SDL Team — Mon, 10 Mar 2008 17:33:34 GMT

Responding to Igor - the only posts we screen are spam, I don't see any reply from you listed in the blog logs. We encourage open and objective dialog.

Securitate in Windows Server 2008

Weblogul lui Zoli — Wed, 05 Mar 2008 12:37:17 GMT

Când am lansat Windows Vista și Office 2007 în decembrie 2006 , am amintit că dacă m-ar întreba cineva

re: The First Step on the Road to More Secure Software is admitting you have a Problem

Igor Levicki — Wed, 05 Mar 2008 08:29:12 GMT

I posted a reply yesterday but seeing it is not up, it seems there is some censorship going on here.

re: The First Step on the Road to More Secure Software is admitting you have a Problem

TF_kj — Wed, 05 Mar 2008 01:06:18 GMT

Sorry, one last question that I forgot:

3. How many vulnerabilities are fixed silently in patch updates? Does anyone at Microsoft record patched vulnerabilities that are not publicly reported?

re: The First Step on the Road to More Secure Software is admitting you have a Problem

TF_kj — Wed, 05 Mar 2008 01:00:23 GMT

Michael, great post. I like the bullets:

* Microsoft recognized it needed to improve security.

* Bill said so (as did the rest of senior management)

* Our group swung into action and helped the rest of the company come up to speed on security issues.

* The Microsoft development processes changed to adopt the SDL

I respect the process changes that you guys have implemented. Great to see Msoft participate at BlackHat too.

There always will be vuln in your code, but you guys have made progress. Congrats.

Couple other things:

1. How come it took Bill so long to address the glaring security problems in Microsoft's products and development processes?

2. UAC has gotta go.

Security Development Lifecycle trumps code complexity

Microsoft — Tue, 04 Mar 2008 01:41:42 GMT

http://weblog.infoworld.com/securityadviser/archives/2008/02/security_develo.htmlFebruary 29, 2008In

re: The First Step on the Road to More Secure Software is admitting you have a Problem

SDL Team — Mon, 03 Mar 2008 20:48:19 GMT

Igor - I agree with very little of what you said!

Sure there are fixes in Vista made because of SP2 hindsight, but there are a lot of bugs that DON'T affect Vista because we made so many important wholesale code changes. We also added SAL annotations to Vista code that helped us track down bugs. I think analyzing XP vs Vista is perhaps the most honest comparison because the code is similar.

The point about this being a publicitiy stuff is again incorrect. And the open source guys DO need some direction to strengthen their code. One guy can't do it.

As for "You have also (wrongly) suggested that they do not admit the problem of (in)security, and that only you do." Show me some text ANYWHERE stating from <some guy at Software Shop A> stating that <Software Shop A> has security bugs. What you said sounds like only Microsoft has security bugs!