Re: [SC-L] Microsoft SDL report card

2011-05-03 Thread Ben Laurie
On 18 April 2011 18:46, Andy Steingruebl stein...@gmail.com wrote:
 On Fri, Apr 15, 2011 at 7:33 AM, Ben Laurie b...@google.com wrote:

 Which is why I am interested in and devoting most of my time now to
 capability systems.

 Ben,

 Is your work focused on the technical bits of this, or the human
 interaction pieces?

In short: both.

  Seems to me that much of the work on technical
 implementations of capabilities, fine-grained permissions, MAC, etc.
 have been worked out repeatedly over time and we've never come up with
 very usable systems.  Or ones that stay usable over time.

I would contend that actually, we haven't really ever tested usability
because we've never really used these systems except in the lab.

One of the things I'm excited about in our recent work is that we've
started to make progress on hybrid models where capability stuff can
coexist with existing stuff. For example, Caja and FreeBSD Capsicum.


 Try setting the permissions for an application when you install it, or
 figure out whether it is asking for more permissions than it really
 needs, etc?

The underlying problem with these questions right now is that
permissions are expressed in terms of low-level system services (e.g.
file read/write), but actually we should be making decisions at higher
levels where the permissions correspond to things the user understands
(e.g. my account at Google, or my Flickr photos, or this album in
Picasa). Capabilities seem well suited to this level of permission
management.


 Thoughts?

 - Andy


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] Microsoft SDL report card

2011-04-05 Thread Ben Laurie
On 4 April 2011 16:45, Gary McGraw g...@cigital.com wrote:
 In my opinion, the most interesting thing about stuxnet was the payload.

So what was the huge stride made since Code Red wrt Stuxnet?

 See:
 How to p0wn a Control System with Stuxnet
 http://www.informit.com/articles/article.aspx?p=1636983 (September 23,
 2010)

 You might also listen to Langner on Silver Bullet (the longest episode
 ever, but a good one):
 http://www.cigital.com/silverbullet/show-059/

 gem


 On 4/1/11 9:16 AM, Ben Laurie b...@google.com wrote:

On 31 March 2011 13:03, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 Yesterday, Microsoft released an SDL report card of sorts called The
SDL Progress Report.  It covers the history of the SDL from 2004-2010.
You should read it.


http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade

 For some reason the tech press is mostly discussing DEP and ASLR
adoption (covered on pages 18 and 19).  Though I guess that is the
news hook the PR flacks are hyping, I think there are many other parts
of the report that have plenty to teach about how a software security
initiative evolves.  (WRT the two anti-exploit tactics, see an article I
co-authored with Ivan Arce from Core, "Assume Nothing: Is Microsoft
Forgetting a Crucial Security Lesson?"
http://www.informit.com/articles/article.aspx?p=1588145 (April 30, 2010).)

 Microsoft has made huge strides since the days of CodeRed, NIMDA and
Slammer.

Stuxnet?

  The best part of what they're doing is being very open about the
progress they are making and the approach that seems to be working for
them.  I, for one, would love to see other reports like this issued by
software vendors.

 gem

 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com







Re: [SC-L] Microsoft SDL report card

2011-04-05 Thread Gary McGraw
hi ben,

Strides (with an s).  Take a quick look at the Microsoft report card at
the beginning of this thread
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade.  Then see if that sparks more specific questions.

Does Microsoft make bug/flaw free software?  No.  Is the software they are
producing today far superior to the kernel-less bug ridden disaster of the
mid-90s?  Yes.

FWIW, Google is also working diligently on software security but is taking
a different tack (with more focus on unit testing and much less on static
analysis, for example).  Google seems to have been blindsided by sticking
their software out in attackerland (on desktops or running phones) after
relying on their slit interface for so many years.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com







Re: [SC-L] Microsoft SDL report card

2011-04-04 Thread Gary McGraw
In my opinion, the most interesting thing about stuxnet was the payload.
See:
How to p0wn a Control System with Stuxnet
http://www.informit.com/articles/article.aspx?p=1636983 (September 23,
2010)

You might also listen to Langner on Silver Bullet (the longest episode
ever, but a good one):
http://www.cigital.com/silverbullet/show-059/

gem



