Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Programming Security Software

Microsoft's Security Development Process Under CC License 164

An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"
This discussion has been archived. No new comments can be posted.

Microsoft's Security Development Process Under CC License

Comments Filter:
  • Oh boy... (Score:2, Insightful)

    by Anonymous Coward

    Cue a multitude of Slashbot posts pointing out that Microsoft could never do "secure software development".

    • Re: (Score:3, Funny)

      by somersault ( 912633 )

      Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

      • Re:Oh boy... (Score:5, Insightful)

        by DJRumpy ( 1345787 ) on Sunday August 29, 2010 @11:12AM (#33409156)

        Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.

        I think their problems are on multiple fronts:

        Overly complex code
        Lax permission requirements,
        Too many admins (still default on workstation installs)
        Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

        MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

        • Re: (Score:1, Funny)

          I think their problems are on multiple fronts:

          Or "they're not done re-inventing UNIX yet."

          • Re:Oh boy... (Score:4, Insightful)

            by lgw ( 121541 ) on Sunday August 29, 2010 @12:30PM (#33409506) Journal

            Or "they're not done re-inventing UNIX yet."

            Now, now, they've been reinventing VMS, not Unix, as anyone should know.

            • Fair point. I could have used BOOT.INI;(n-1) more than once in the day.

        • by sznupi ( 719324 )

          So, still, the release (if it's very accurate in its desciption) could also act as a guideline of what not to do? ;p

        • Re:Oh boy... (Score:5, Interesting)

          by jimicus ( 737525 ) on Sunday August 29, 2010 @12:12PM (#33409396)

          I think it's simpler than that.

          Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

          But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

          I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

          • As Bill Gates once put it, they create software that adds new features. They don't think about big fixes, people don't buy software for big fixes.

            So it's the same at 3rd party software companies. They add new features so people buy their software, fixing the software security model isn't something many end users would care about unless you explained what benefits that would provide.

        • Re: (Score:3, Informative)

          by RobertM1968 ( 951074 )

          ...I think their problems are on multiple fronts:

          Overly complex code
          Lax permission requirements,
          Too many admins (still default on workstation installs)
          Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

          You forgot a few very very important ones:

          - Way too much legacy code that was not written with network security in mind

          - Way too many technologies, that by their design and the functions they provide, can never be made secure (ActiveX, .NET Click Once and more)

          - NO interest in removing "core components" that compromise the security of Windows systems (.NET and ActiveX) as (1) too many of their clients use it and (2) (the really important one) those technologies are Microsoft's bread and butter in the ser

          • by bertok ( 226922 )

            Your comment about ActiveX is valid, but .NET is about as safe as Java. Other then implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

            Not everything Microsoft does is insecure.

            • That's odd. I thought there were hundreds of fixes (and near a dozen large patches) for the .NET framework due to a plethora of vulnerabilities. Well, I know that's the case. The list is daunting. I thought that the most recent one was just this month (3 fixes for exploit vectors).

              And I thought that Java implementations could not escalate privileges on a fully secured machine that a user was not using as an admin without explicit permission(s) being given. And I know that various .NET "technologies" allow

            • Other then implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

              Other than that, Mrs. Lincoln, how did you like the play???

        • Their problems mostly are that whatever they do, on the OS level, if it's not a "third party developers don't have to do anything", they seem to have to rollback/dilute whatever "Good" was in the offering.

          Partly because of the basic multi-user design, partly because of the pre-written unix-based apps, partly because as meaningless as unix 97 and posix are, they do kinda provide enough of a formal api os basis that third parties do not expect to be able to write just anything, has probably more to do with ho

      • by sznupi ( 719324 )

        Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

        Don't you mean "guidelines for running kindergartens"?

  • At least they're trying.
    • by symbolset ( 646467 ) on Sunday August 29, 2010 @11:15AM (#33409168) Journal
      This is not the Special Olympics.
    • Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. It's only worth is documenting years of fail and we have Mitre [mitre.org] and CERT [cert.org] for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure [slashdot.org] tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 [google.com] disaster.

      The SDL is what

      • Re: (Score:2, Insightful)

        by rtb61 ( 674572 )

        To be fair, there would no doubt be many M$ software engineers and coders know how to produce quality and secure code. It is the M$ marketdroids and bean counters who push it out the door before it is done, or cut out quality modules because it will cost money and not generate extra profits, or dismember features because they were only for marketing purposes or shunt stuff off to the next pretend version so they can sell it as a upgrade.

        There are undoubtedly several cliques within M$ the useless Ballmeri

    • Microsoft are very trying.

    • by HiThere ( 15173 )

      Oh?

      I'm not familiar enough with the license they chose, but does it guarantee patent protection? The thrust that MS is currently using against FOSS seems to depend on software patents. If they had chosen the GPL, or GPL3, or BSD, or AGPL I would have an idea of what the significance was, but Creative Commons isn't commonly used for FOSS software, so I don't know what that means as far as patents. (WRT copyrights I can make fair guesses, but that's a different matter.)

  • secure? (Score:3, Funny)

    by Murdoch5 ( 1563847 ) on Sunday August 29, 2010 @10:55AM (#33409056) Homepage
    Microsoft and Secure? I'm I missing something here.
    • Re: (Score:2, Interesting)

      by GarryFre ( 886347 )
      if the thieves are getting past the guards, I would not want to emulate them. Something is wrong and needs to change, and till its changed I would not want to copy a security model that isn't secure. The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so called safeguards. Who can know?
      • Re: (Score:3, Insightful)

        by KarmaMB84 ( 743001 )
        Most of their problems have been in old code they're undoubtedly afraid to change until it's proven there's actually a vulnerability there. I haven't hard anything to indicate their fresh code produced since adopting their current security process is any more insecure than the stuff produced by the open source world.
        • Re:secure? (Score:4, Informative)

          by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Sunday August 29, 2010 @01:38PM (#33409880) Homepage

          Talk I've heard from friends in Microsoft indicate that they're quite paranoid about security, putting strict checks on all levels of development. To mention one small portion of it, C and C++ contain some functions that, if misused, can be easy attack vectors. VC++ has a number of non-standard replacement functions for these that they use that include runtime safety checks. They're warned off the "insecure" functions, and anyone that uses them needs a full rationale written up on why. Needless to say, most coders will have an adjustment!

        • Re: (Score:3, Informative)

          by symbolset ( 646467 )

          Actually, even dead-simple basic security like closing ports by default, reducing default services, not including the current working directory in the executable or library search paths, not auto-running anything, reducing app attack surface by turning off embedded format decode by default and a vast many other things are completely off the table at Microsoft. Doing security breaks backward compatibility. It removes popular features, and the fact that the features are in and of themselves the security vul

    • yup. it'll be a "how to develop secure apps suing our innovative methods, so your .NET apps will always be fully unbreakable, blah blah blah, buy Visual Studio and download the free secure option guidance pack now".

      They never give anything away for free that isn't a loss-leader for you to buy some of their other products.

  • by Anonymous Coward on Sunday August 29, 2010 @10:56AM (#33409072)

    Isn't it long past time it be updated and possibly the correct one be used?

    Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

    It would be like used the Edsel to represent Ford, or still using the New Coke logo.

    It no longer serves its purpose, and says more about slashdot than Microsoft these days.

    • Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

      • Balmer's ugly, bald, sweaty, monkey-boy mug for the Microsoft icon?

        Gates is gone and now the marketing and legal departments are now in charge over there.

        Might as well call a spade a spade...

    • Isn't it long past time it be updated and possibly the correct one be used?

      Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

      It would be like used the Edsel to represent Ford, or still using the New Coke logo.

      It no longer serves its purpose, and says more about slashdot than Microsoft these days.

      I disagree. The Edsel is dead and gone. The legacy Gates has left us is definitely very alive and prevalent. There is the big difference. Unless .NET and ActiveX are entirely killed and Windows is honestly rewritten from the ground up, and the damage that Microsoft has done to competitors is reversed, then Gates' legacy - especially as related to things like this topic, is alive, well and still on control of most of the PC related marketplace. Credit where credit is due thus indicates it should be his logo

      • Comment removed based on user account deletion
        • A MUCH more appropriate icon would be Ballmer in a jester hat with a I heart Apple!" T-Shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

          Well, you've got my vote for that!!!! :-)

        • by gtall ( 79522 )

          Gates created a sclerotic company that cannot shoot straight. He succeeded because his monopoly was handed to him. Microsoft has never innovated anything. In the current environment, he'd be a failure..which is my suspicion as to why he gave up a boogied.

    • by vdboor ( 827057 )

      Isn't it long past time it be updated and possibly the correct one be used?

      Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

      You mean we need a Ballmer version of the icon with Borg implants? :-)

  • Seriously? (Score:4, Insightful)

    by ratboy666 ( 104074 ) <fred_weigel@hot m a i l.com> on Sunday August 29, 2010 @10:57AM (#33409076) Journal

    The PROCESS is Creative Commons licensed. Not the tools. Ok, but you know what? I would never have taken Microsoft as an example of a company whose secure coding practice I would want to follow.

    Just sayin'

    And why bother with a CC license for this? Just publish the practice, and don't take out "business process" patents. Microsoft did that with "Code Complete".

    Anyway, I now have to read the frakkin stuff, just to stay on top of it. Maybe I'll be pleasantly surprised...

    I hope

    • Whose secure coding practices do you follow? Or if they're your own, please share them. Thanks.
      • Re:Seriously? (Score:5, Informative)

        by TheRaven64 ( 641858 ) on Sunday August 29, 2010 @11:27AM (#33409210) Journal
        CERT publishes a good set. I've worked with some of the people behind them on some proposals for the C1X standard and they're very bright people. I'd trust their recommendations long before I'd trust ones from Microsoft.
  • mistagged? (Score:4, Funny)

    by Anonymous Coward on Sunday August 29, 2010 @11:06AM (#33409120)

    Shouldn't this be tagged as "humor"?

  • MS Security... (Score:5, Insightful)

    by leromarinvit ( 1462031 ) on Sunday August 29, 2010 @11:26AM (#33409206)
    Ahh yes, I can see it now:
    • Never check your input, no matter where it comes from
    • Make sure to make your algorithms as complex as possible so you don't run out race conditions and other non-trivial bugs, preferably in security critical areas
    • Embed your security flaws in specifications you'll have to honor forever to maintain backwards compatibility
    • Most importantly: When (not if) somebody finds a bug and reports it to you, don't fix it at once. Only when an exploit is out in the wild you can even start thinking about how to fix the bug.
  • by Dracos ( 107777 ) on Sunday August 29, 2010 @11:27AM (#33409212)

    That the world needed a free lesson in how not to develop secure software?

  • Ugh, doc (Score:4, Funny)

    by diegocg ( 1680514 ) on Sunday August 29, 2010 @11:38AM (#33409262)

    Unless someone converts it to PDF I'm not downloading that....

    • by devent ( 1627873 )

      Unless someone converts it to PDF I'm not downloading that....

      Maybe you are suppose to modify and extend it.

  • Secure from cracking, or secure from competition?

    Because, at least prior to Bush's Justice Department dropping all charges against Microsoft, the secound would be a pretty long list of felonies.

    • Re: (Score:3, Informative)

      by John Hasler ( 414242 )

      The antitrust suit against Microsoft was not dropped and did not ever involve any criminal charges.

  • The Problem is... (Score:2, Interesting)

    by Greyfox ( 87712 )
    No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

    Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get bet

    • That attitude will also have to change for things to get better.

      It won't. Security is a process, not a condition, but people don't think naturally in those terms because it requires continuous effort (and ongoing expense.) Most people prefer to just make an initial investment in security and forget about it. Now, that works when you're talking about a bank vault, maybe, but not computer security.

    • I see no reason why software can't be 100% secure. I just think it's unrealistic to expect this from commercial software written by people who don't really care.

      • by Urkki ( 668283 )

        I see no reason why software can't be 100% secure.

        Well, the reason is two-pronged.

        First, software can be 100% secure only if it is 100% bug-free. And the only software you can be sure is absolutely bug free is a "hello world" running on an embedded device without operating system. Except, hardware/FPGA/microcode/firmware bug might be exposed through your "hello world", leading to potential security exploit, so scratch that.

        Second, whenever you manage to make the software idiot-proof, nature develops a better idiot, who'll work around your puny artificial s

        • That's a fallacy. (Score:3, Insightful)

          by melted ( 227442 )

          Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.

          • Re: (Score:3, Insightful)

            by Urkki ( 668283 )

            Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.

            That doesn't cover valid input which triggers a bug.

            Even defining "invalid or malicious input" to include "otherwise valid input that just happens to expose a bug in the code" doesn't help, because you don't know what you'd need to filter out (or if you did, better fix the bug).

            Also, security is not just input, it's also output. All kinds of output. For example, there's a class of security exploits which depend on timing (mostly cryptography and authentication related). It's not enough that input is valid

            • by melted ( 227442 )

              >> That doesn't cover valid input which triggers a bug

              It does. That would be what I call "malicious input". It's perfectly possible to write programs that reject it or otherwise error out without doing any harm.

              My point is, there's nothing _fundamentally_ impossible about writing secure software. It can be done. It's just very hard and the cost/benefit ratio is not quite there to support it.

  • by FoolishOwl ( 1698506 ) on Sunday August 29, 2010 @01:16PM (#33409780) Journal

    Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

    • Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

      Not all CC licenses are free software/open source. In particular, the license that Microsoft used is CC-BY-NC-SA. This is not a free or open source license. The problem is the NC clause -- NC means non-commercial. A non-commercial license does not satisfy the definition of free software or open source.

  • So could someone with some knowledge please actually READ the darned document and say something relevant about it?

    To me it looks like common sense practices:

    - Make the software so it could work without administration priviledges except for certain actions. It should work under UAC with a non administrative account. To me this makes sense. 90 % of all security problems in Windows > XP are gone once you don't work with administrative priviledges, IIRC.

    - Software is not allowed to make the system more insec

  • Attribution-NonCommercial-ShareAlike 3.0 Unported

    Under some takes on this license, no for profit corporation (the idea is that everything such an entity does is by definition for profit) would be allowed to make use of the licensed work. And who will trust MS not to take such a view, now or at some point in the future once the damage is done...

    all the best,

    drew

  • This is not meant to be taken seriously, it's just PR so that non-technical folk see headlines like this in the news and think to themselves "Hmm, MS is leading an outreach to help others with security, they sure must know a lot if they're giving away all of this help and information and they must have a lot of confidence if they believe they can help their competition and it won't affect them!"
  • As Mahatma Gandhi said "First they ignore you, then they laugh at you, then they fight you, then you win."

    Balmer, and one comp-sci teacher, must be rueing the day that Linus questioned the accepted wisdom and stated is little OS project.

  • I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

    What is the Microsoft Security Development Lifecycle (SDL)? [microsoft.com]

    The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development

    • by David Jao ( 2759 )

      Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

      It's not even an open source license. The license is CC-BY-NC-SA 3.0. NC as in non-commercial. This license does not satisfy any reasonable definition of open source/free software.

      Richard Stallman said that one of the reasons he opposes the CC licenses is because it's very easy for people to confuse the free CC licenses with the non-free CC licenses, and mistakenly think that a CC-licensed work is free when it's not free. I'm beginning to think that he's right.

  • That is very noble of them to make this available in hopes of "more developers utilising the Microsoft process for developing software".

    Unfortunately without an explanation this will go over most people's heads. It's one thing my boss likes to poke fun at...

    To "utilise" something is to use it for something other than its intended purpose.

    While searching for a good reference, I found this one to be appropriate [msn.com].

    • What's a "utilise"? I've never heard anyone utilize that term before.

  • It seems that a majority of posters here are out of touch with Microsoft's track record regarding security. It was terrible 10 years cut starting from XP SP2 they have done well.

    Those of you looking for a mainstream commercial software vendor that pays little regard to security should take a look at Adobe or Apple.

One picture is worth 128K words.

Working...