Do many eyes make a bug shallow? - Port 25: The Open Source Community at Microsoft

Port 25 - Communications from the open source community at Microsoft
< Back to Blogs
Do many eyes make a bug shallow? by jcannon on June 30, 2006 01:43PM

Sam interviews Mike Howard, Senior Security PM at Microsoft around security in the operating system and how we think about & engineer security defenses into an operating system. What are the myths around security - do many eyes make a bug shallow? How do you protect and engineer against attack types that haven't been invented yet?


Video: Do many eyes make a bug shallow?

Also worth checking out: Mike just published a book - Security Development Lifecycle - that explains what the SDL looks like, how it is applied through the engineering process at Microsoft and how others can adopt & enhance their own development processes.

Related Links:
- Learn more at the upcoming Black Hat Conference on security processes - a couple folks will from MS will be presenting.
- Check our Mike's security blog.
- Check out the new Security Development Lifecycle book (Amazon)
- TechNet Security Center

Alternative Video Format:
- Download in MPEG4

Comments RSS
  1. einhverfr said:

    The openness of he platform is largely irrelevant except that it makes the process of analyzing the security of a given package a bit easier.

    The best thing to take away from this interview is that one will never be able to prevent all attacks.  That it is the structure and architecture of the software is what makes the software secure.

    I wasn't expecting much from this interview.  I still think that Microsoft does an unusually poor job in designing systems which fall back gracefully in the case of a security vulnerability.  However, it is refreshing to understand that there are people at Microsoft who truly understand secure software design.

    Best Wishes,
    Chris Travers
    Metatron Technology Consulting

    posted at 02:30AM 07/02/2006
  2. einhverfr said:

    I have been among those requesting OpenSSH in Vista.  However, I would specify that I think it needs to be a part of SUA on Vista Server rather than a workstation option.  There is no function I can think of for OpenSSH on the workstation that can't be either solved by GPO's or a client like PuTTY.

    Yet, the server is different.  One of the nice aspects of SFU was that it provided better remote commandline management capabilities to Windows Servers, thus allowing many people to be more productive wrt remote scripting.  Unfortunately, this was horribly insecure.

    OpenSSH ought to be seen the same way it is in the rest of the world-- as the successor of plain text telnet.  And I see only two ways forward for Microsoft-- fully kerberize telnet (including session encryption) on both your client and server or offer a kerberized OpenSSH for the server.

    If Telnet wasn't ever used, it would not have been included in SFU.  For the right audience it is very helpful.  And you hope that "Abbie" isn't administering your servers, don't you?

    Best Wishes,
    Chris Travers
    Metatron Technology Consulting

    posted at 02:46AM 07/02/2006
  3. fluke said:

    In Mike Howard's blog, he give strcpy() as an example of a banned API call for security reasons.  But in the Port 25 announced Longhorn Server Identity Management for UNIX components, there is a "ssod" application that must be run by root that calls strcpy() in 19 different places.

    Is the procedures that Howard talks about being applied to MS interop products and how can you explain the use of banned API calls in the ssod code?

    Thanks

    posted at 05:37PM 07/13/2006
  4. breiter said:

    "I have been among those requesting OpenSSH in Vista.  However, I would specify that I think it needs to be a part of SUA on Vista Server rather than a workstation option."

    I would like to see OpenSSH included in the base set of "unix utilities" shipped by Microsoft with SUA. But for some reason that is incomprehensible to me MSFT seems to want an arms-length distance there.

    The complete OpenSSH suite is actively being maintained for Interix (SFU/SUA) by Rodney Ruddock of Interopsystems along with a fairly substantial portage. It is a free download, you just have to register with the site.

    Rodney is one of the original developers of the Interix technology that is now "SUA". Interopsystems also has an enhanced OpenSSH that includes some GUI tools and chroot support for a reasonable fee.

    This arms-length thing may actually be a blessing in disguise because Interopsystems is, in my experience, more knowledgeable and more responsive than the SUA development team at Microsoft.

    [http://www.interopsystems.com/tools/warehouse.htm]

    posted at 12:12PM 07/24/2006
Post a Comment
*
*  

Media

Search
About jcannon

jcannon My first interaction with computers was in... More...

Read jcannon's Posts Subscribe tojcannon's Posts
Recent Posts by jcannon
 
Archive