The First Step on the Road to More Secure Software is admitting you have a Problem

Michael Howard's Web Log — Thu, 21 Feb 2008 17:37:06 GMT

I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones' vulnerability

The First Step on the Road to More Secure Software is admitting you have a Problem

Noticias externas — Thu, 21 Feb 2008 18:11:24 GMT

I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones'

The First Step on the Road to More Secure Software is admitting ...

Windows Vista News — Thu, 21 Feb 2008 20:30:04 GMT

There is an interesting post over at blogs.msdn.com

Michael Howard asks an impolite question

Paul's Down-Home Page: Exchange, messaging, collaboration, security, and more — Thu, 21 Feb 2008 22:52:21 GMT

Microsoft's Michael Howard says that the first step on the road to more secure software is admitting that you have a problem. Is he right?

Admitting a problem means you're making secure code part of your process.

CGomez — Mon, 25 Feb 2008 19:37:47 GMT

If you are just making excuses, then you aren't letting secure code be part of your process.

Numbskulls who just blindly believe MSFT products can't possibly be getting better miss one key element.

MSFT has gone to great expense to change the culture, provide training, and HIRE NEW PEOPLE with experience in producing secure software.

That last point can not be emphasized enough.

MSFT is not just an organization with the same 40,000 developers (number made up) since 1981. It changes, grows, adds and subtracts. People join the company, leave, re-join... leave again, and maybe re-join by having their new company purchased.

That means MSFT has added security experience to its roster over the last ten years, and if you aren't a blind MSFT bigot, you can see the results.

re: The First Step on the Road to More Secure Software is admitting you have a Problem

Eric Fitzgerald — Thu, 28 Feb 2008 04:41:38 GMT

You forgot one of my personal favorites:

"The vulnerability counts are lower because Micro$oft is hiding all the extra fixes in their huge patches and not reporting them".

re: The First Step on the Road to More Secure Software is admitting you have a Problem

Igor Levicki — Mon, 03 Mar 2008 08:35:39 GMT

DISCLAIMER: I am not a Linux user, I am not anti-Microsoft. I just analyze things carefully.

Comparison of Vista with XP SP2 is flawed.

First, both operating systems share the same codebase. Many post SP2 (and perhaps even pre-SP3) fixes have been included into first Vista RTM build. If all those fixes were backported to XP it would be as secure as Vista without the annoying part (UAC).

Second, you are seeing 50% reduction on exactly what number of exposed Vista machines?

Has that 50% figure been normalized to account for much wider (and longer) exposure of Windows XP?

As for IM clients, they don't run under admin account on Linux, neither they are part of OS kernel team's responsibility. In Linux if something is not secure you can fix it yourself, wait for a patch, or uninstall it and use something else.

In Windows, single Internet Explorer can infect whole computer even if it is not used for surfing because its components are used in email, help, and office applications. You can't uninstall it, or fix it yourself.

As for UAC .vs. su, your argument clearly shows that Microsoft still doesn't grasp the concept of security.

Security doesn't mean nagging the user to find out whether he consents with this or that and thus shifting the blame on the user in case of a problem.

Proper security model must ask for credentials (not for consent!) and must do it sparingly. Microsoft security model is simply flawed.

As for "Let's fix it", it is just a publicity stunt. Open-source developers do not need to proclaim what they are going to do in order to be able to do it.

Moreover, you used a logical fallacy to convice that company to buy your product -- you basically said "yes, we have security issues but they have them too". You have also (wrongly) suggested that they do not admit the problem of (in)security, and that only you do.

Security issues of others should be irrelevant when someone is considering your company as an option. The only relevant thing is whether your option is secure and stable enough for their purpose. I wonder what kind of support and security bugfixing they will get once Microsoft phases out the OS or the application version you sold them.

For Microsoft, security was an after-thought. That is why you are now beating your chest and why you act all surprised how nobody else talks about it.

Finally, if BillG was the only person amongst ~40,000 people in Microsoft to realize that Windows is a glaring security black hole when everyone and their grandmother knew it, then I am afraid to think what will happen if and when he leaves permanently.

re: The First Step on the Road to More Secure Software is admitting you have a Problem

sdl — Mon, 03 Mar 2008 20:48:19 GMT

Igor - I agree with very little of what you said!

Sure there are fixes in Vista made because of SP2 hindsight, but there are a lot of bugs that DON'T affect Vista because we made so many important wholesale code changes. We also added SAL annotations to Vista code that helped us track down bugs. I think analyzing XP vs Vista is perhaps the most honest comparison because the code is similar.

The point about this being a publicitiy stuff is again incorrect. And the open source guys DO need some direction to strengthen their code. One guy can't do it.

As for "You have also (wrongly) suggested that they do not admit the problem of (in)security, and that only you do." Show me some text ANYWHERE stating from <some guy at Software Shop A> stating that <Software Shop A> has security bugs. What you said sounds like only Microsoft has security bugs!

Security Development Lifecycle trumps code complexity

Microsoft — Tue, 04 Mar 2008 01:41:42 GMT

http://weblog.infoworld.com/securityadviser/archives/2008/02/security_develo.htmlFebruary 29, 2008In

re: The First Step on the Road to More Secure Software is admitting you have a Problem

TF_kj — Wed, 05 Mar 2008 01:00:23 GMT

Michael, great post. I like the bullets:

* Microsoft recognized it needed to improve security.

* Bill said so (as did the rest of senior management)

* Our group swung into action and helped the rest of the company come up to speed on security issues.

* The Microsoft development processes changed to adopt the SDL

I respect the process changes that you guys have implemented. Great to see Msoft participate at BlackHat too.

There always will be vuln in your code, but you guys have made progress. Congrats.

Couple other things:

1. How come it took Bill so long to address the glaring security problems in Microsoft's products and development processes?

2. UAC has gotta go.

re: The First Step on the Road to More Secure Software is admitting you have a Problem

TF_kj — Wed, 05 Mar 2008 01:06:18 GMT

Sorry, one last question that I forgot:

3. How many vulnerabilities are fixed silently in patch updates? Does anyone at Microsoft record patched vulnerabilities that are not publicly reported?

re: The First Step on the Road to More Secure Software is admitting you have a Problem

Igor Levicki — Wed, 05 Mar 2008 08:29:12 GMT

I posted a reply yesterday but seeing it is not up, it seems there is some censorship going on here.

Securitate in Windows Server 2008

Weblogul lui Zoli — Wed, 05 Mar 2008 12:37:17 GMT

Când am lansat Windows Vista și Office 2007 în decembrie 2006 , am amintit că dacă m-ar întreba cineva

re: The First Step on the Road to More Secure Software is admitting you have a Problem

sdl — Mon, 10 Mar 2008 17:33:34 GMT

Responding to Igor - the only posts we screen are spam, I don't see any reply from you listed in the blog logs. We encourage open and objective dialog.

Sempre a proposito di sicurezza...

Normal people bore me! — Wed, 02 Apr 2008 09:45:06 GMT

Sempre a proposito di sicurezza...

Microsoft SDL Process – in detail

The Security Development Lifecycle — Thu, 10 Apr 2008 00:45:32 GMT

Hello all – Dave here… I am currently at RSA and decided to take a few moments to blog about some updates

Oh No! Security Metrics!

The Security Development Lifecycle — Fri, 18 Apr 2008 16:08:15 GMT

Hello, Michael here. A colleague sent me a link to a blog post from a couple of days ago: Pete Lindstrom