On 04/05/2011 09:25 AM, Gary McGraw wrote:
> hi ben,
>
> Strides (with an s).  Take a quick look at the Microsoft report card at
> the beginning of this thread
> <http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-
> 487a-a2e2-8da73fb9eade>.  Then see if that sparks more specific questions.
>
> Does Microsoft make bug/flaw free software?  No.  Is the software they are
> producing today far superior to the kernel-less bug ridden disaster of the
> mid-90s?  Yes.

I agree with Gary here. Attacks have gotten much more sophisticated since
Gates' Trustworthy Computing memo was issued in Jan 2002. But I think
that Microsoft has done pretty well in dealing with the attacks like buffer
overflows and heap corruption that were so prevalent in their code in the late
90s to early 2000s. Of course, one could argue that was more because of a move
away from C++ to .NET/C# than it was because of any secure SDLC they were
pushing, or that this was just the low hanging fruit. Nevertheless, they
seem to have mostly addressed these things where other companies haven't,
so they must be doing something right.

I think that what is being overlooked here though is how much worse
things would have been had Microsoft not had such a big push toward an SSDLC.

We have to acknowledge at least that Microsoft no longer seems to be
the #1 poster child for insecure software. That unenviable
position would now seem to belong to Adobe with Flash and Acrobat Reader.
Their two products alone seem to account for more zombied PCs than
all of the Microsoft software combined.

> FWIW, Google is also working diligently on software security but is taking
> a different tack (with more focus on unit testing and much less on static
> analysis, for example).  Google seems to have been blindsided by sticking
> their software out in attackerland (on desktops or running phones) after
> relying on their "slit" interface for so many years.

Odd how you mention Google and being blindsided. I think that's going
to get a lot worse and happen soon. Shameless plug: I recently blogged
about how Google and Apple are making the same mistakes with mobile devices
that the personal computing industry made in the 80s and 90s. You can read
about it here if you are interested:

<http://off-the-wall-security.blogspot.com/2011/04/mobile-devices-are-we-repeating-history.html>

I'd be interested in this crowd's (and especially Ben's, since he's now
at Google) thoughts about it...am I just crying wolf here or do you think
this is a real problem in the making?

Regards,
-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________