Microsoft's Security Development Process Under CC License 164
An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"
Oh boy... (Score:2, Insightful)
Cue a multitude of Slashbot posts pointing out that Microsoft could never do "secure software development".
That Microsoft Icon On Slashdot (Score:3, Insightful)
Isn't it long past time it be updated and possibly the correct one be used?
Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.
It would be like used the Edsel to represent Ford, or still using the New Coke logo.
It no longer serves its purpose, and says more about slashdot than Microsoft these days.
Seriously? (Score:4, Insightful)
The PROCESS is Creative Commons licensed. Not the tools. Ok, but you know what? I would never have taken Microsoft as an example of a company whose secure coding practice I would want to follow.
Just sayin'
And why bother with a CC license for this? Just publish the practice, and don't take out "business process" patents. Microsoft did that with "Code Complete".
Anyway, I now have to read the frakkin stuff, just to stay on top of it. Maybe I'll be pleasantly surprised...
I hope
Re:Oh boy... (Score:5, Insightful)
Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.
I think their problems are on multiple fronts:
Overly complex code
Lax permission requirements,
Too many admins (still default on workstation installs)
Poorly written apps that in turn requires them to bend the rules or to provide workarounds.
MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...
Re:Trying what? (Score:2, Insightful)
M$
good job ruining any credibility your post might have had and classifying yourself as a troll.
MS Security... (Score:5, Insightful)
Re:Oh boy... (Score:4, Insightful)
Or "they're not done re-inventing UNIX yet."
Now, now, they've been reinventing VMS, not Unix, as anyone should know.
Re:secure? (Score:3, Insightful)
Re:Trying what? (Score:2, Insightful)
What are they trying? Not engineering. Not PR. (Score:3, Insightful)
Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. It's only worth is documenting years of fail and we have Mitre [mitre.org] and CERT [cert.org] for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure [slashdot.org] tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 [google.com] disaster.
The SDL is what has contributed to very shitty quality. Of course the raw material, the managers and the engineers have to be mentioned as being incapable.
Important point: it's a CCSA license (Score:3, Insightful)
Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?
Re:Oh boy... (Score:5, Insightful)
Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!
Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.
So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.
If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." has you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.
As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.
That's a fallacy. (Score:3, Insightful)
Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.
Re:That's a fallacy. (Score:3, Insightful)
Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.
That doesn't cover valid input which triggers a bug.
Even defining "invalid or malicious input" to include "otherwise valid input that just happens to expose a bug in the code" doesn't help, because you don't know what you'd need to filter out (or if you did, better fix the bug).
Also, security is not just input, it's also output. All kinds of output. For example, there's a class of security exploits which depend on timing (mostly cryptography and authentication related). It's not enough that input is validated and code is 100% bug free, it also has to be coded so that processing time (and even power consumption) doesn't depend on validity or content of input.
There *may* be 100% secure complex programs, but there is no way to know which they are, or if there really are any.
Re:What are they trying? Not engineering. Not PR. (Score:2, Insightful)
To be fair, there would no doubt be many M$ software engineers and coders know how to produce quality and secure code. It is the M$ marketdroids and bean counters who push it out the door before it is done, or cut out quality modules because it will cost money and not generate extra profits, or dismember features because they were only for marketing purposes or shunt stuff off to the next pretend version so they can sell it as a upgrade.
There are undoubtedly several cliques within M$ the useless Ballmerites of greed and B$ and the real computer geeks/nerds who enjoy what they are doing and want to take pride in their work and company (they just don't run the company or control the destiny of the software they produce).