<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Garrett Serack: Open Source Development at Microsoft : open source</title><link>http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx</link><description>Tags: open source</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Interesting thing found at OSCON: Taint</title><link>http://blogs.msdn.com/garretts/archive/2008/07/23/interesting-thing-found-at-oscon-taint.aspx</link><pubDate>Thu, 24 Jul 2008 00:25:11 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8767735</guid><dc:creator>GarrettS</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/garretts/comments/8767735.aspx</comments><wfw:commentRss>http://blogs.msdn.com/garretts/commentrss.aspx?PostID=8767735</wfw:commentRss><description>&lt;p&gt;I attended a session this morning called &amp;quot;&lt;strong&gt;PHP Taint Tool: It Ain't a Parser&lt;/strong&gt;&amp;quot; by Luke Welling. Luke introduced a tool he's working on at OmniTI that is designed to assist in sniffing out where the potential for untrusted input is handled. From the session description:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;em&gt;... You want to see where untrusted input can propagate taint within the application. In complex logic that might mean chasing many possible execution paths. Using an automatic tool to try to follow these paths without running all possible input variations is called static analysis. 
...&lt;/em&gt;&lt;em&gt; The Taint tool allows the PHP engine to do as much as possible, then cuts in at the last stage to analyze the compiled opcodes and trace possible flow of execution.&lt;/em&gt;&lt;/p&gt;    &lt;p&gt;&lt;em&gt;The Taint tool presents opcodes in a readable way, making it clear what lines of source got compiled into specific opcodes. It also performs a static analysis on the code, following the opcodes to attempt to trace all possible code branches and mark lines that tainted data can be passed to.&lt;/em&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Essentially, the tool uses parts of the PHP engine to compile PHP code to opcodes, and then tracks where data comes and goes, and highlights the code that handles data that *could* be tainted--that is, input from the user either by POST or GET parameters.&amp;#160; This provides a facility for a developer to identify the lines that they should closely review to ensure that they are not accidentally introducing security holes (like cross-site scripting opportunities).&amp;#160; &lt;/p&gt;  &lt;p&gt;Now, it's not quite ready for prime time, but it's getting close, and the folks over at &lt;a href="http://labs.omniti.com/"&gt;OmniTI&lt;/a&gt; intend to release it as open source when they are ready.&amp;#160; When this gets released, I'll be really excited, as it looks like it could be really good for hunting down security holes.&lt;/p&gt;  &lt;p&gt;I also attended Rasmus Lerdorf's (the Yahoo PHP guy) tutorial on &lt;strong&gt;&amp;quot;PHP: Architecture, Scalability, and Security&amp;quot; &lt;/strong&gt;that was really quite good too, and he demonstrated a tool (&lt;em&gt;the name of which I can't remember now...grrr&lt;/em&gt;) that they have at Yahoo: he points it at a web page, and it starts throwing a large library of strings that may uncover security problems, but it does it from the client side.&amp;#160; Unfortunately, he's &lt;strong&gt;not &lt;/strong&gt;releasing it, not because he 
doesn't want to let folks find and fix their bugs, but because the release of such a tool could bring about Internet Armageddon--it would likely find exploitable problems in the &lt;em&gt;vast majority &lt;/em&gt;of the Internet.&amp;#160; &lt;/p&gt;  &lt;p&gt;Both approaches to finding application holes are useful, and it's clear from both talks that this is still a really large problem that developers need to address.&lt;/p&gt;  &lt;p&gt;&lt;font face="aria" size="1"&gt;(I've had a problem with spam comments; I'll be addressing that soon, so if you see comments turned off you can drop me an email: garretts&lt;i style="visibility: hidden"&gt;...&lt;/i&gt;at&lt;i style="visibility: hidden"&gt;...&lt;/i&gt;microsoft&lt;em&gt;&lt;i style="visibility: hidden"&gt;...&lt;/i&gt;&lt;/em&gt;dot&lt;i style="visibility: hidden"&gt;...&lt;/i&gt;com)&lt;/font&gt;&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8767735" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx">open source</category><category domain="http://blogs.msdn.com/garretts/archive/tags/PHP/default.aspx">PHP</category><category domain="http://blogs.msdn.com/garretts/archive/tags/OSCON/default.aspx">OSCON</category></item><item><title>Looking for a few good outriders: PHP Developers</title><link>http://blogs.msdn.com/garretts/archive/2008/01/16/looking-for-a-few-good-outriders-php-developers.aspx</link><pubDate>Wed, 16 Jan 2008 23:55:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7134629</guid><dc:creator>GarrettS</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/garretts/comments/7134629.aspx</comments><wfw:commentRss>http://blogs.msdn.com/garretts/commentrss.aspx?PostID=7134629</wfw:commentRss><description>&lt;P&gt;Hey y'all.&lt;/P&gt;
&lt;P&gt;I've got some work goin' on that I sure could use a few hands that were real PHP savvy.&lt;/P&gt;
&lt;P&gt;I'm looking for some short-term and some mid-term consultants to do some experimental work with PHP applications on Windows. I have need for some local (Redmond) and some can work from remote.&lt;/P&gt;
&lt;P&gt;If you have some real fine PHP skills, including experience with databases, and have a track record of producing results, I'd be happy to hear from you.&lt;/P&gt;
&lt;P&gt;Tell me... are you up to it?&lt;/P&gt;
&lt;P&gt;Send me a mail: &lt;STRONG&gt;garretts at microsoft.com.&lt;/STRONG&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7134629" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/garretts/archive/tags/fear+the+cowboy/default.aspx">fear the cowboy</category><category domain="http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx">open source</category><category domain="http://blogs.msdn.com/garretts/archive/tags/PHP/default.aspx">PHP</category></item><item><title>How to move the herd--one open source project at a time</title><link>http://blogs.msdn.com/garretts/archive/2007/07/08/how-to-move-the-herd-one-open-source-project-at-a-time.aspx</link><pubDate>Mon, 09 Jul 2007 00:52:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3768045</guid><dc:creator>GarrettS</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/garretts/comments/3768045.aspx</comments><wfw:commentRss>http://blogs.msdn.com/garretts/commentrss.aspx?PostID=3768045</wfw:commentRss><description>&lt;P&gt;Folks have been asking me, "How can we believe that Microsoft is changing to see open source in a positive light?" 
&lt;P&gt;Microsoft has been hiring a lot of people over the last several years--since YE2002 we've gone from ~50,000 employees to ~78,000 employees. That means that over 1/3 of the company has been with the company less than 5 years. Not only does that bring in new perspectives, but it also helps shape the company by changing the way people think. A lot of people who have been with Microsoft over 5 years have a different perspective, and have a lot of learning to do. The new blood, however, has grown up with the world of Open Source, and has a different perspective. I'm interested in helping the whole company see that, and cascade these changes through the enterprise. I'm sure that by focusing on the positives we can do better. 
&lt;P&gt;All I ever ask is two things: 
&lt;OL&gt;
&lt;LI&gt;Judge the company by its actions, and not by its words (Hmm, this sounded better when I was thinking it--these are words too... I guess you watch for actions--I'll try to point them out). My pappy always used to say "Don't judge people by their relatives." -- good advice at the best of times.&lt;BR&gt;&lt;/LI&gt;
&lt;LI&gt;Help change Microsoft, by showing the company how it can work better by accepting Open Source, not as a threat, but an opportunity to engage customers of all kinds.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Over the last year, Microsoft product groups have started over 150 open-source projects, all hosted on CodePlex. My pappy also used to say "Never approach a bull from the front, a horse from the rear, or a fool from any direction."&amp;nbsp; Well, pardner,&amp;nbsp;lawyers are just as&amp;nbsp;tricky to deal&amp;nbsp;with.&amp;nbsp;You can only imagine the wrangling that has gone on with the legal department to get projects started--it's still a tricky process, but it's evolving. We must aim to encourage more of that, and see more participation in the real world. 
&lt;P&gt;We have two extensions for Firefox that we've been involved with. (I'm still shocked at that!) The &lt;A href="http://port25.technet.com/archive/2007/04/16/windows-media-player-plug-in-for-firefox.aspx" mce_href="http://port25.technet.com/archive/2007/04/16/windows-media-player-plug-in-for-firefox.aspx"&gt;first&lt;/A&gt; is a Windows&amp;nbsp;Media&amp;nbsp;Player&amp;nbsp;plug-in.&amp;nbsp; The second&amp;nbsp;is the&amp;nbsp;&lt;A href="http://cardspace.netfx3.com/" mce_href="http://cardspace.netfx3.com/"&gt;CardSpace&lt;/A&gt;&amp;nbsp;&lt;A href="http://perpetual-motion.com/" mce_href="http://perpetual-motion.com"&gt;Identity Selector&lt;/A&gt; extension that&amp;nbsp;Kevin&amp;nbsp;Miller and I wrote--and&amp;nbsp;I aim to get some code added to the main Firefox build this year to help support Information Cards on all platforms that Firefox supports. Pat Felsted and the stalwart band of Identity gurus at the&amp;nbsp;&lt;A href="http://www.bandit-project.org/index.php/Welcome_to_Bandit" mce_href="http://www.bandit-project.org/index.php/Welcome_to_Bandit"&gt;Bandit Project&lt;/A&gt; have been working hard towards this. 
&lt;P&gt;I'm resisting the temptation to do a whole lot of one-offs, as I'm trying to find ways to scale the benefits I can provide to the community. I have a limited budget, but I have contacts and friends with deeper pockets. When my goals and theirs align, we can milk that for a lot. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3768045" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/garretts/archive/tags/fear+the+cowboy/default.aspx">fear the cowboy</category><category domain="http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx">open source</category></item><item><title>There can be only one MVP program</title><link>http://blogs.msdn.com/garretts/archive/2007/06/18/there-can-be-only-one-mvp-program.aspx</link><pubDate>Mon, 18 Jun 2007 20:05:32 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3387022</guid><dc:creator>GarrettS</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/garretts/comments/3387022.aspx</comments><wfw:commentRss>http://blogs.msdn.com/garretts/commentrss.aspx?PostID=3387022</wfw:commentRss><description>&lt;p&gt;I got to my office this morning, and found that gettin' off the horse too quickly often means steppin' in a cow pie.&lt;/p&gt; &lt;p&gt;Ah well, like my cousin Teddy used to say: “&lt;em&gt;Lettin' the cat outta the bag is a whole lot easier than puttin' it back.”&lt;/em&gt;&amp;nbsp; ... and he'd know... poor old Teddy got thirty-some stitches from the cat when he tried. 
&lt;/p&gt; &lt;p&gt;So, when I said "&lt;em&gt;Building an Open Source MVP Program&lt;/em&gt;" on Friday,&amp;nbsp;I had meant of course, that I hadn't done so yet (hence the use of the future tense &lt;em&gt;'building'&lt;/em&gt;, as opposed to &lt;em&gt;'running'&lt;/em&gt;, &lt;em&gt;'maintaining'&lt;/em&gt;, or even &lt;em&gt;'built'&lt;/em&gt;), and I'm going to work with the One And Only Microsoft MVP Program.&lt;/p&gt; &lt;p&gt;Having now fired off the email to the fine folks runnin' the program, let's hope that I can find a slough to clean my boots off. &lt;/p&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:0fb3a93b-5489-43f2-80da-f874f1bce425" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Port25" rel="tag"&gt;Port25&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Open%20Source" rel="tag"&gt;Open Source&lt;/a&gt;, &lt;a href="http://technorati.com/tags/fearthecowboy" rel="tag"&gt;fearthecowboy&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3387022" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/garretts/archive/tags/fear+the+cowboy/default.aspx">fear the cowboy</category><category domain="http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx">open source</category><category domain="http://blogs.msdn.com/garretts/archive/tags/port25/default.aspx">port25</category></item><item><title>Open Source at Microsoft -- Herdin' cats or Cow Chips?</title><link>http://blogs.msdn.com/garretts/archive/2007/06/15/open-source-at-microsoft-herdin-cats-or-cow-chips.aspx</link><pubDate>Fri, 15 Jun 2007 22:08:41 GMT</pubDate><guid 
isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3318168</guid><dc:creator>GarrettS</dc:creator><slash:comments>8</slash:comments><comments>http://blogs.msdn.com/garretts/comments/3318168.aspx</comments><wfw:commentRss>http://blogs.msdn.com/garretts/commentrss.aspx?PostID=3318168</wfw:commentRss><description>&lt;p&gt;Howdy!&lt;/p&gt; &lt;p&gt;I've recently moved from the Federated Identity group into the &lt;a title="Open Source Software Labs" href="http://port25.technet.com/"&gt;Open Source Software Labs&lt;/a&gt; at Microsoft.&amp;nbsp; I've been rather busy of late, finishing up things for the Identity folks, and getting things started over here in the OSSL, so I apologize for the silence.&lt;/p&gt; &lt;p&gt;Many folks have been askin' what this is all about, so I'll try to answer the common questions right now.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;What's this new job?&lt;/strong&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I'm now the &lt;strong&gt;Open Source Community Lead &lt;/strong&gt;here at Microsoft.&amp;nbsp; &lt;/p&gt; &lt;p&gt;I'm responsible for building and connecting an Open Source Communities around Microsoft Platforms.  &lt;p&gt;This is a pretty wide reaching role, meaning that I touch a lot of ground. Some of the highlights:  &lt;ul&gt; &lt;li&gt;Seeking out Open Source projects we can assist (either by contributing code, MSDN licenses or whatever :D )  &lt;li&gt;Speaking/Presenting with companies, conferences, groups and people  &lt;li&gt;Building an Open Source MVP Program  &lt;li&gt;Enlightening Microsoft Product Groups about Open Source, and finding opportunities for them  &lt;li&gt;Facilitating communication between open source developers and Product Groups  &lt;li&gt;Building transparency into Microsoft and Open Source (believe it or not!) 
&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;There have been a lot of changes in Microsoft in the last few years that folks can't yet see, and I'm hoping to expose that type of thing to the world, and bring the world of Open Source to Microsoft. &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;So, what about the digital identity stuff?&lt;/strong&gt;  &lt;blockquote&gt; &lt;p&gt;Well, I'm still touching that often enough--I'm still helping get the Firefox Identity Selector stuff&amp;nbsp;completed, &amp;nbsp;I've nearly finished the last of the text for the book I'm co-authoring &lt;em&gt;Understanding Windows CardSpace&lt;/em&gt;&amp;nbsp;and I'm spinning up a project on &lt;a href="http://codeplex.com"&gt;CodePlex&lt;/a&gt; for open source identity frameworks.&amp;nbsp; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;I don't get it... Microsoft and Open Source? Are you &lt;em&gt;sure&lt;/em&gt;?&lt;/strong&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I know... I know. Y'all got some reservations about Microsoft with regards to open source.&amp;nbsp; Well, I'm not going to try to convince you of anything. What I am going to do is to shine the light on the things Microsoft is &lt;strong&gt;doing &lt;/strong&gt;to create communities in the Open Source world. &lt;/p&gt; &lt;p&gt;Add to that, I'm doin' some rustlin' inside of the company itself--as expected, there are a few tenderfoots 'round here who would just soon reckon' we didn't bother. Well, I got a cattle brand heatin' up just for the conversation.... We'll just see about that.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;I remember what my pappy told me about tryin' to change the world: &lt;strong&gt;"&lt;em&gt;If you're ridin' ahead of the herd, take a look back every now and then to make sure it's still there with ya".&amp;nbsp; &lt;/em&gt;&lt;/strong&gt;Well, I'll keep checkin', but y'all gotta try to keep up. 
&lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;div class="wlWriterSmartContent" id="d7bf807d-7bb0-458a-811f-90c51817d5c2:749b94fa-d036-4693-9943-ec1cb56468d9" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;&lt;p&gt;&lt;span class="TagSite"&gt;Technorati:&lt;/span&gt; &lt;a href="http://technorati.com/tag/Port25" rel="tag" class="tag"&gt;Port25&lt;/a&gt;, &lt;a href="http://technorati.com/tag/Open+Source" rel="tag" class="tag"&gt;Open Source&lt;/a&gt;, &lt;a href="http://technorati.com/tag/fearthecowboy" rel="tag" class="tag"&gt;fearthecowboy&lt;/a&gt;&lt;br /&gt;&lt;!-- StartInsertedTags: Port25, Open Source, fearthecowboy :EndInsertedTags --&gt;&lt;/p&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3318168" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/garretts/archive/tags/fear+the+cowboy/default.aspx">fear the cowboy</category><category domain="http://blogs.msdn.com/garretts/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.msdn.com/garretts/archive/tags/open+source/default.aspx">open source</category></item></channel></rss>