<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx</link><description>In a June 2007 report, the U.S. Government Accountability Office (GAO) described cybercrime as “having significant economic impacts and a threat to U.S. national security interests” and referenced a 2005 FBI survey estimating that U.S. businesses lost</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8613333</link><pubDate>Wed, 18 Jun 2008 04:22:43 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8613333</guid><dc:creator>Mark Gordon</dc:creator><description>&lt;p&gt;Microsoft Security Intelligence... It appears, in my opinion, those words do not even belong in the same sentence. Microsoft is yet to prevent a virus written by some bored 13-year-old kid with a C compiler from infecting a Windows operating system, yet you try to convince us otherwise. &lt;/p&gt;
&lt;p&gt;That sounds really similar to the way you spin that pathetic excuse for a development tool kit codenamed Visual Studio as being better than Visual FoxPro and Visual Basic. &amp;nbsp;I suppose if a programmer enjoys writing 100s if not 1000s of lines of additional code (depending on the project) to get their work done then VS and .BLOAT are way better options than VFP or VB. Currently 80% of my applications are unfortunately now developed in C# and .BLOAT and I'm yet to come across a single case where the VS application turned out to contain less code, provided the same level of performance and was cheaper for my clients than a VB/SQL or VFP solution. What you are telling customers about VS is all smoke and mirrors. It is unfortunate that so many developers are buying into your spin simply because they have NO experience with a &amp;quot;REAL&amp;quot; programming language and development studio which they can compare Visual Studio to. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;Keep up the great work !&lt;/p&gt;
&lt;p&gt;Best Regards,&lt;/p&gt;
&lt;p&gt;.Mark&lt;/p&gt;
</description></item><item><title>How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8614894</link><pubDate>Wed, 18 Jun 2008 10:26:49 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8614894</guid><dc:creator>Joycode@Ab110.com</dc:creator><description>&lt;p&gt;[Original post URL]: How vulnerable are software applications? [Original post date]: Tuesday, June 17, 2008 5:56 PM by Somasegar&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8615919</link><pubDate>Wed, 18 Jun 2008 14:28:49 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8615919</guid><dc:creator>O Dahle</dc:creator><description>&lt;p&gt;I know you at MS warn about &amp;quot;security by obscurity&amp;quot;, but I would like to address an aspect of this that often causes security problems when (web) applications are being installed and do not work. &lt;/p&gt;
&lt;p&gt;Often the error messages are in a generic form like &amp;quot;access denied&amp;quot;, &amp;quot;missing privilege&amp;quot; or similar. And what is done by the installation guy? - oh yes, a lot: Access to everyone. Run application as administrator. Allow all kinds of scripts, etc., and finally: IT WORKS! And delivery is overdue so the removal of privileges is left to &amp;quot;another day&amp;quot;. So even if the OS, IIS and the application are secure by themselves, the result is not secure. &lt;/p&gt;
&lt;p&gt;I would like error messages like &amp;quot;Read access denied to &amp;lt;folder&amp;gt; for &amp;lt;user&amp;gt;&amp;quot;. You need privilege &amp;lt;privilege&amp;gt; to do operation &amp;lt;operation&amp;gt;. &lt;/p&gt;
&lt;p&gt;Bad error messages are in my opinion a sort of &amp;quot;security by obscurity&amp;quot;.&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8616262</link><pubDate>Wed, 18 Jun 2008 15:38:45 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8616262</guid><dc:creator>Eli Cohen</dc:creator><description>&lt;p&gt;Firstly may I quickly thank you and your team for such an amazing product. VS2008 with dot net and WPF is truly amazing!&lt;/p&gt;
&lt;p&gt;We understand that MS wants ISVs to develop apps that work in Partial Trust in order to improve the overall security of users. However, there are many features of WPF and dot net that make it extremely difficult to do so. Things like limited isolated storage space (0.5MB is really very small), XAML Serialization, drag and drop, even bitmap effects do not work in Partial Trust. Our applications started out strictly only using Isolated Storage, not using the registry etc. in order that they would run in Partial Trust. Very early on in the development cycle it clearly did not make business sense for us to restrict ourselves in order that our desktop apps will run in Partial Trust.&lt;/p&gt;
&lt;p&gt;As ISVs using MS development tools, we look to MS for providing us with a framework that will make it easy for us to develop in Partial Trust. Looking forward ...&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8616444</link><pubDate>Wed, 18 Jun 2008 16:22:30 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8616444</guid><dc:creator>Muralikrishna Nalajala</dc:creator><description>&lt;p&gt;Hi Somasegar,&lt;/p&gt;
&lt;p&gt;It's valuable information you have given on security terms.&lt;/p&gt;
&lt;p&gt;I read it but didn't understand much, but it may help people who already have knowledge about security models.&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8616910</link><pubDate>Wed, 18 Jun 2008 17:59:29 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8616910</guid><dc:creator>Jeremy Gray</dc:creator><description>&lt;p&gt;I make a living day to day using MSFT technology, and do really appreciate the efforts the company is making in security and other areas, but I do take one issue with your post:&lt;/p&gt;
&lt;p&gt;Showing _disclosure_ trends of _operating systems_ on the left and _fixed_ trends of _database servers_ on the right is misleading at best.&lt;/p&gt;
&lt;p&gt;It is great that the operating systems have had progressively fewer disclosures, but that says nothing about how vulnerable they are because you didn't show their fixed trends or outstanding counts.&lt;/p&gt;
&lt;p&gt;It is also great that SQL Server 2005 has had zero fixes, but again that says nothing about how vulnerable it is because you didn't show its disclosure trends or outstanding counts. It only says you've fixed nothing.&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8618304</link><pubDate>Thu, 19 Jun 2008 00:02:32 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8618304</guid><dc:creator>Somasegar</dc:creator><description>&lt;p&gt;Hi Jeremy, &lt;/p&gt;
&lt;p&gt;You make a good point. &amp;nbsp;I should have clarified that. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;The goal of the Microsoft SDL is to reduce the number and severity of vulnerabilities in software that is released to customers. Therefore, the relevant metric for measuring the success of the SDL is disclosed vulnerabilities. For more on security metrics see the following blog post on the SDL blog: &lt;a rel="nofollow" target="_new" href="http://blogs.msdn.com/sdl/archive/2008/04/18/oh-no-security-metrics.aspx"&gt;http://blogs.msdn.com/sdl/archive/2008/04/18/oh-no-security-metrics.aspx&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;For Vista, the disclosed vulnerabilities graph shows that the SDL has been effective in reducing the number of vulnerabilities in Windows Vista compared with Windows XP. This is the goal of the SDL and why this is a relevant metric here. For the complete analysis in the Windows Vista one-year vulnerability report, including patch events and fixes, Jeff Jones’ full report can be found here: &lt;a rel="nofollow" target="_new" href="http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx"&gt;http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;For SQL Server, the title of the graph is a bit misleading. The information in the graph actually represents the number of vulnerabilities that were “disclosed and fixed” for SQL Server. The complete analysis, along with a comparison to database software from other vendors, was performed by David Litchfield of NGS Software and can be found here: &lt;a rel="nofollow" target="_new" href="http://www.databasesecurity.com/dbsec/comparison.pdf"&gt;http://www.databasesecurity.com/dbsec/comparison.pdf&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;-somasegar&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8618308</link><pubDate>Thu, 19 Jun 2008 00:04:09 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8618308</guid><dc:creator>Somasegar</dc:creator><description>&lt;p&gt;Hi O Dahle,&lt;/p&gt;
&lt;p&gt;I agree with your comments on error messages. &amp;nbsp;The product teams look constantly at how we can have our error messages be more relevant and meaningful and as much as we have made progress, I know we can do more here.&lt;/p&gt;
&lt;p&gt;-somasegar&lt;/p&gt;
</description></item><item><title>Security Development Lifecycle Resources Help ISVs</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8619164</link><pubDate>Thu, 19 Jun 2008 02:25:08 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8619164</guid><dc:creator>US ISV Developer Evangelism Team</dc:creator><description>&lt;p&gt;It turns out that less than 10% of vulnerabilities disclosed through June 2007 were targeted at Operating&lt;/p&gt;
</description></item><item><title>How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8623205</link><pubDate>Fri, 20 Jun 2008 00:41:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8623205</guid><dc:creator>Blog de Soma en español</dc:creator><description>&lt;p&gt;Translation of the original English post, Tuesday, June 17, 2008 5:56 PM PST by Somasegar In a report from&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8628028</link><pubDate>Sat, 21 Jun 2008 02:48:02 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8628028</guid><dc:creator>caywen</dc:creator><description>&lt;p&gt;Wow, thanks! Say, when is Windows 7 going to ship?&lt;/p&gt;
</description></item><item><title>re: How vulnerable are software applications?</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8628843</link><pubDate>Sat, 21 Jun 2008 06:19:17 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8628843</guid><dc:creator>Ian Ellison-Taylor</dc:creator><description>&lt;p&gt;Eli, you make a good point about the current limitations in WPF when running in partial trust. We'll definitely look at how we can enable more scenarios in future versions based on your suggestions.&lt;/p&gt;
&lt;p&gt;Thanks for the feedback,&lt;/p&gt;
&lt;p&gt;Ian.&lt;/p&gt;
&lt;p&gt;(GM For WPF)&lt;/p&gt;
</description></item><item><title>Software Applications, the targets of vulnerabilities</title><link>http://blogs.msdn.com/somasegar/archive/2008/06/17/how-vulnerable-are-software-applications.aspx#8744108</link><pubDate>Thu, 17 Jul 2008 18:07:31 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8744108</guid><dc:creator>ASP.NET Debugging</dc:creator><description>&lt;p&gt;I was just reading Soma’s blog post How vulnerable are software applications? and it really makes you&lt;/p&gt;
</description></item></channel></rss>