
Microsoft's Security Development Process Under CC License

Posted by timothy
from the share-nicely dept.
An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"
  • Re:secure? (Score:2, Interesting)

    by GarryFre (886347) on Sunday August 29, 2010 @12:46PM (#33409300) Homepage
    If the thieves are getting past the guards, I would not want to emulate them. Something is wrong and needs to change, and till it's changed I would not want to copy a security model that isn't secure. The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so-called safeguards? Who can know?
  • Re:Oh boy... (Score:5, Interesting)

    by jimicus (737525) on Sunday August 29, 2010 @01:12PM (#33409396)

    I think it's simpler than that.

    Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

    But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

    I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

  • Secure from *what*? (Score:2, Interesting)

    by DoofusOfDeath (636671) on Sunday August 29, 2010 @01:13PM (#33409408)

    Secure from cracking, or secure from competition?

    Because, at least prior to Bush's Justice Department dropping all charges against Microsoft, the second would be a pretty long list of felonies.

  • The Problem is... (Score:2, Interesting)

    by Greyfox (87712) on Sunday August 29, 2010 @01:37PM (#33409560) Homepage Journal
    No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

    Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get better.

  • Re:Oh boy... (Score:3, Interesting)

    by Anonymous Coward on Sunday August 29, 2010 @01:43PM (#33409594)

    Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.

    So, the "Unix internals vs NT internals" is resumed as UNIX not having ACL security?

    Pfffff.. Yeah, looks like you know a lot more on the subject.

    WRONG. Unlike Windows, which only supports ONE ACL scheme which is built in, the most variety of UNIXes out there supports complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.

    Keywords: SELinux, GRSecurity, FS extended attributes, PAM, ...

    Now go back under the rock you came from.

  • Re:Oh boy... (Score:2, Interesting)

    by RobertM1968 (951074) on Sunday August 29, 2010 @04:43PM (#33410574) Homepage Journal

    Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was a couple reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

  • Re:Oh boy... (Score:3, Interesting)

    by man_of_mr_e (217855) on Monday August 30, 2010 @05:28AM (#33413268)

    WTF are you prattling on about? .NET insecure? Seriously? Do you even know what you're talking about? You are making vague claims that make little sense. Like calling the Firefox plug-in a security flaw.. It's using the mechanism that Firefox provided for machine-wide plugins. Firefox has since improved on that, but it wasn't MS's fault nor was it a security flaw.

    Please, point me to some evidence of any severe unpatched .NET flaws or exploits. I don't know of any. I think you are confused and simply applying catchphrases you've heard and pretending you know what you're talking about.
