“All software has security defects,” insists Michael Howard, senior security program manager at Microsoft. “You either do something about it, or you don’t.” In the past few years, Microsoft has learned to write more secure code. In a session given at last week’s TechEd conference, Howard explained some of the lessons that the company has learned in developing its Security Development Lifecycle, and shared advice for developers who want to improve the quality of their own code.
“You are either doing something, or you are not. ‘Talking about’ is a subset of ‘not’.”
Depends really. Educating others on how you’re improving is hardly ‘not’. There may be a long way to go, but nobody surely can argue that Microsoft are not making serious efforts and inroads into making more secure software.
but….
you cannot polish a turd
Speaking from experience?
That’s exactly how I titled a article I wrote about how Windows creates menus and the general installation of software in Windows.
http://thefnords.org/wordpress/?p=4
Personally, I’d rather they point out how they’ve improved after the fact. Much more impressive that way.
“In the past few years, Microsoft has learned to write more secure code.”
Maybe they have taken a serious look at open souce in order to learn how to write more secure code.
Actually, it’s probably the other way around. Microsoft is actually a fairly nice environment to work in with regards to programming from what I’ve heard. It seems to me that you’re just trolling, so I’m not particularly worried about convincing you, which is probably an unlikely event, although I did feel that somebody needs to be sticking up for them.
I may have written it with my tongue-in-cheek but not trolling. While I doubt the programmers at Microsoft scan open source software to learn how to write more secure code, I believe open source has helped put a public emphasis on security rather than just features.
I have a lot of respect for all programmers and those at Microsoft are no exception. My views on PHB’s are quite the opposite.
desNotes
Microsoft is actually a fairly nice environment to work in with regards to programming from what I’ve heard.
You have just heard, that’s the problem. If you had tried to develop .NET applications (not just a little minesweeper please, real apps.) without running into the many configurations problems brought by this heavily integrated environement, then I’d have liked to meet you. Since you haven’t, I’d like to meet the guy from whom you’ve heard it was fairly nice.
I have worked with .Net on professional applications and it actually was pretty nice.
I’am curious to know if you have tried making application that have client/server archecture with .NET . Have you used the Microsoft .NET environment to produce .msi packages to deploy your project on other platforms? Have you trid communicating with different database backend? After deployement, did it still worked out of the box?
I runned in all errors due to configuration/deployement problems, because we relied a lot on the Microsoft development environment.
When you spend two day trying to figure out why your development platform can connect to your database whereas your test platform cannot, and when you realize that you had to twickle one the deployement option hidden in a submenu that you have to reach on a right-click on the setup project icon… you are pissed basically.
See what I mean with heavly integrated interface? IMHO, it’s too much, and as a result it is not a nice experience at all.
Edited 2006-06-24 08:39
Yeah, there are annoyances. But overall, I still think it’s a nice experience.
Oh yeah, and I forgot the best.
If you develop ASP.NET, and want to open one of you project file, just to edit it quickly, it tries to connect to IIS and it takes an eternity just to open one file! Soon after we switch from VS6 to VS.NET, we all installed UltraEdit/Vim/Emacs on our machines. May be not just a sign…
Edited 2006-06-24 08:54
I would argue that many of Microsoft’s problems are the product of their corporate mentality. I think there are three key issues:
1) The “masses of programmers” approach. Microsoft has thousands of people working on any given product. That’s just too many. It leads to a system that nobody really understands entirely, and it creates diffusion of responsibility for bugs. Many other projects do similar things with far fewer people. There are a few dozen key people who do much of the work in Linux or FreeBSD. Apple has only a few hundred programmers working on OS X and the iApps. Small, highly-skilled, focused teams just produce better software.
2) The “not invented here” syndrome. Microsoft has a very severe case of NIH. Moreover, they don’t have adequate respect for the work done by experts in the field. Consider Direct3D versus OpenGL. It was years (and thousands of programmer years and millions of dollars) before D3D was competitive with OpenGL. Was that really necessary? Consider XPS. Do we really need an alternative to standards Postscript and PDF? Do you think Microsoft has anywhere near the level of experience Adobe does in the fields XPS will be targetted to?
3) The “big is beautiful” asthetic. No Microsoft product is simple. Everything is over-complex, over-engineered, and over-featured. Their products have created a whole industry of thousand page reference books, and its sickening. If an API requires a thousand pages to describe, it sucks. Plain and simple. Software that is more complex than necessary, more featurful than necessary, will have more bugs than necessary. It’ll be harder to understand and harder to use than necessary, and it will be more vulnerable to attack than necessary. Yet, Microsoft absolutely embraces complexity, and treats it as a virtue.
As long as Microsoft does not change these things, they will not write “good software”. They’ll get by, based on a monopoly of the market, billions in the back, and an army of programmers, but their software will continue to suffer for it.
1) Estimates are that somewhere around 2000-5000 people are modifying the Linux kernel.
2) See the discussions on LKML about, among other things, Reiser versus EXT3.
3) See the discussion elsewhere on this site about the 311 MB Linux kernel source tree.
I don’t Microsoft is alone in suffering from these problems.
1) Yes, there are thousands of people who have worked on Linux, but 5000 online contributers is quite different from 5000 full-time employees. Linus has remarked in the past that the majority of work on the kernel is done by a fairly small and stable set of core developers. The core team isn’t formally defined as it is in a project like FreeBSD, but it is there.
2) Reiser versus EXT3 isn’t a “not invented here” thing. It’s a “dramatic change” versus “incremental improvement to proven technology” thing. One thing about the Linux development process that might be mistaken for NIH is their rejection of the “Windows/Solaris/AIX/etc has this feature, so Linux should have it too”. That’s not NIH, that’s pickiness. The Linux developers, for better or worse, are quite conservative about buying into new features. The Reiser4 debate is quite a good example of this. Reiser’s assertion that Linux needs filesystem-based search to keep up with OS X and Windows has been strongly rejected.
3) Yes, the Linux kernel is huge. But the large majority of its bulk is actually contained in drivers, not core kernel features. Moreover, once you get down to the design, you find that the core features are relatively simpler than the corresponding ones in Windows. The kernel only has a couple of hundred system calls, even after all these years. It’s basic security mechanisms are fairly simple (compared to NT’s), and much of the API is highly orthogonal.
Of course, I’m not holding up Linux as the epitome of proper software design, but there is a strong argument to be made that given the scope of the project, the Linux development model gets a lot of things right. I think the NetBSD project is probably the most well-known project that really adheres to the principles of software development I talked about. For those unfamiliar with the NetBSD code — it’s beautiful. It’s just really good, solid, clean, well-designed code. And I think a lot of its quality is the result of its very disciplined development model.
I believe that there were 1000 attendees at OLS last year, the majority of whom were full time paid developers. Given that most companies send fewer than 1 in 10 developers to a conference like that, it is not at all difficult to believe that there are 5000 people paid to do full time development on Linux.
You might want to do a line count on drivers versus other things. The last time I did, I found that drivers accounted for about 1/3 the source code.
Given that Linux is 10 years old and, for the most part, is a less well implemented than the system it is based on, there’s a strong argument that its model is very inefficient and subject to thrashing.
NetBSD, by the way, is not developed in the same model as the Linux kernel, but I agree with you about the code quality. It, along with FreeBSD (and perhaps the others, Free/Net are the kernels I know well) are good examples of well developed source.
So the code Microsoft is writing right now even after all those lessons in writing more secure code still has security defects and it’s really just a matter of whether they decide to fix it or not?
So the code Microsoft is writing right now even after all those lessons in writing more secure code still has security defects and it’s really just a matter of whether they decide to fix it or not?
You can’t know this yet, as you are most likely NOT using software from the SDL program– Vista will be.
But even that will not be secure, only more secure.
Maybe they have taken a serious look at open souce in order to learn how to write more secure code.
Yeah, because OSS is inherently more secure right ๐
Secure code is secure. insecure code is insecure, period. The licensing has nothing to do with it.
[Braces himself for the “many eyes” comeback remark]
Sorry, he said, “All software has security defects“, so there is no such thing as secure code according to Michael Howard senior security program manager at Microsoft or did I get that wrong?
You got something wrong. Most people get it wrong. Security is not a binary property it is a matter of degree. No system is perfectly secure. Some systems are more secure than others, but none, not even orange book A1 systems, are perfectly secure.
Yeah, because OSS is inherently more secure right ๐
Secure code is secure. insecure code is insecure, period. The licensing has nothing to do with it.
[Braces himself for the “many eyes” comeback remark]
Fair point on the “many eyes” comeback, many people assume open code is safe because surely somebody else is auditing it.
And insecure code is just as big an issue for OSS as it is for proprietary apps, just ask Firefox
But that aside, it is worth pointing out that one advantage OSS has is the fact that vulnerability reports etc. are often accompanied by patches that are often pushed out as opposed to closed apps where vulnerability reports equate to a plea for help at the vendor’s discretion. And if there’s no patch readily available, you have the option to take it on yourself if you have the game to do so because the vuln is documented and the source is available. There is something to be said for that.
It’s not the licensing, it’s the development model. In a project like Linux, a few skilled and trusted people “own” the source, and patches get run through them before going in. That’s not necessarily true in an office environment. Moreover, OSS projects have no shipping deadlines to meet, no pressure from marketing to add features, etc. These things are all beneficial to the quality of the resulting code.
Yes, you are right there in that it’s beneficial. However, you also have to factor in that because there are no deadlines and are not working for anyone, there is little incentive to get things done in a timely manner. You also have to factor in that most OSS software (Firefox being one of the few exceptions) does not have any sort of QA process, or heck, even much of a standard SDLC. Of course, there are other factors too that I am forgetting.
It’s not fair to point out only the positive factors for one side and make any sort of conclusion (though yours was fair, that it’s beneficial to the quality of the code).
It’s not the licensing, it’s the development model. In a project like Linux, a few skilled and trusted people “own” the source, and patches get run through them before going in.
There were over 6000 changesets for the 2.6.16 to 2.6.17 update. Andrew Morton and Linus Torvalds can’t do a successful security audit on that much code in that short period of time, even if they weren’t doing aything else.
If a company is writing very very poorly security software and then changes and is writing only very poorly written software, then yes they are making program. BUT, they are still writing very poorly software. So the question is, not where they were but how they compare to everyone else. I would still say at least poor if not very poor.
One thing they could do to fix one HUGE problem with Outlook is this. Don’t let outlook send out any e-mail unless outlook can prove that a human did something at the local computer to create and send that e-mail. Wouldn’t this stop a lot of virus creating SPAM e-mails? I’d say it would probably stop 90% of the world’s SPAM if MS did just this one thing.
Uhhh no. Any smart virus just uses sockets and smtp. If it needs to, it could always grab the smtp info from the persons outlook and spam their address book, but it doesnt need to actually use outlook to do that.
“Microsoft on Making Software More Secure”?
I’m looking forward to the rest of the series – “Barry Bonds on Staying Popular” and “George W. Bush on Diplomacy”.
Barry Bonds is more popular now than ever.
Way to botch that comparison
ActiveX.
GO AWAY, ACTIVEX….=)