Forwarded from: Aj Effin Reznor <ajat_private>

Apologies (well, kinda) for the length of this one. At least a week's worth of mediadung has built up and the dam now bursts ;)

-aj.

"InfoSec News was known to say....."

> As an historical tidbit: Steve Lipner is one of the authors of the
> Orange Book.

That thing that MS wants people to believe that they conform to? :)

> As a comment: Security as an imposed focus for Microsoft is heaven
> sent, you heard me, heaven sent. Consider, as we

No, not really. The concept at its most base and *simplistic* level, yes. But what "security" will come of it? Will MS "embrace and extend" the way they have so many other things, and wind up breaking more protocols (Kerberos, anyone?) and further complicating integration? Will they allow secure, SSH-based communications to remote servers, but only from other like-blooded servers running their /special/ implementation of SSH?

I've seen much discussion about this flying around since it was first announced by Bill The Gates, but I've seen little done to question exactly how MS is going to define this new security they will be producing, because let's face it, *we* [1] know that security is a process, and a procedure, and not a product. For MS, it will be a feature, at least until they find some way to put security on a CD and slap a price tag on it. [2]

I'm certain (as in, would put money on it) that MS is going to both botch and bastardize this plan of attack. I'm very much in agreement with *hobbit*'s (or is it *hobbit's* ? :) mail on this subject.

I mean, let's look for a moment at some of the content of the original article:

"Under a new push to secure software code and convince customers that security is a top priority, Microsoft is putting its Windows developers, testers and program managers through a crash course in secure programming."

The words "crash course" don't belong in the same sentence, paragraph, nor entire damn article about "security". Anyone else see humour in MS coders and "crash" courses? Would this perchance decrease stability further? :)

Continuing:

"Over the next month, the software giant's security-assurance group expects the training to pay off as more than 70 developer teams audit the various software components that make up Windows XP and the upcoming Windows .Net server operating systems."

It would appear this "assurance group" has high expectations for... well, something they realistically shouldn't. MS products are routinely found to be replete with buffer overflows, among a sundry collection of other faults and vulnerabilities. I know this is review for just about everyone here with a clue, but it seems that MS is missing the obvious: Give up on fixing something which has been not repaired but largely constructed from gaffer's tape, and start from scratch. It's the *only* way they stand a chance of getting it right, but even then I don't suspect they'd get it right with a complete code rewrite anyways....

Continuing:

"To keep the momentum rolling, after each team finished training, it had to draw up a plan of action for completing a review of any piece of software for which the group was responsible. In total, Howard and his group have received more than 70 plans detailing what teams are going to do throughout February to secure their piece of the Windows operating system.

"Every group that contributes to the CD has drawn up a plan to mitigate security risks," Howard said. Key to the plans is a measure of success--how the groups will know when they are done, he added."

I suppose what really bothers me here is that MS is doing rapid security "training" and then these people, who wrote insecure software in the first place, are then the same ones writing their game plan to fix it. Ummmm, who's checking the homework here? There's no mention of this, and I feel rather strongly that if the people that are cranking out inherently insecure software are the ones tasked to fix it... chances are it won't be getting fixed too well the first few times around.

Curious, if this whole initiative bombs as poorly as I suspect it will, and MS products are still found to be rather Swiss-cheesy, how long til MS scraps the whole thing, and denounces "security" as being "something hyped by the media, which (we) found that the consumers really actually had no interest with in the first place" ?

Finalizing with the original article:

" "Every group that contributes to the CD has drawn up a plan to mitigate security risks," Howard said. Key to the plans is a measure of success--how the groups will know when they are done, he added."

Hell, either they didn't *care* if it was written to be secure in the first place, or they didn't know. I refuse to accept that the apathy (or uneducation) that allowed MS products to devolve into what they are will be able to recognize and correct their own errors. How *will* they know when they are done?

> (*) Disclaimer -- I am a security guy and I could not be
> happier for both personal and commercial reasons.

[1] "We" being any competent security practitioners

[2] I often joke that the blank disc on a stack of bulk CDs is the book "All We Know About Security" from Microsoft Press. How long til they actually have an offering?

-aj.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:46:50 PST