Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: "Selling" a code-audit.

from [Michael Howard] Network Security [Permanent Link]
Subject: RE: "Selling" a code-audit.
Date: Mon, 20 Sep 2004 11:28:48 -0700 
I just got notice that this was accidentally dropped by secprog - hence
the resend.

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Michael Howard 
Sent: Thursday, September 09, 2004 9:03 PM
To: Jason Coombs PivX Solutions; Yvan Boily; secprog@securityfocus.org
Subject: RE: "Selling" a code-audit.

Sorry for the delay getting back, I've been on vacation!

Shipping code to be used by millions of 'average people' is a very fine
balancing act. You have all sorts of things to worry about: security,
privacy, reliability, deliverable, useable, supportable, international,
compatible, and accessible and much, MUCH more. I think pulling 'half
the code' would really annoy a lot of people! Look at what we did in
XPSP2, you all read the headlines about how stuff broke. Pulling a ton
of code would not enamor users whatsoever!

I believe we're heading in the correct direction: education, writing
better code and fixing existing code, reducing attack surface, better
designs around threat models, better tools (btw, we're making PREfast
and Source Annotation Language avail in VS.NET "Whidbey" too :-) better
tests and so on. No-one'll ever reach perfection, but we're getting
better.

Btw, I have an upcoming article about attack surface reduction; simply
put it's just as important (imho) as better quality code. 

-----Original Message-----
From: Jason Coombs PivX Solutions [mailto:jcoombs@PivX.com] 
Sent: Saturday, September 04, 2004 8:18 PM
To: Michael Howard; Yvan Boily; secprog@securityfocus.org
Subject: Re: "Selling" a code-audit.

Michael,

A true cultural change would include realization that bugs in code are a
given before the code is even written, so a secure culture would never
allow code to be written in the first place unless the code is truly
important.

Then, instead of rushing to ship the code (remember Microsoft's motto in
the Netscape wars 'he who ships first, wins') the company with proper
security culture would second guess itself and remove half the code and
reduce the features and turn everything off by default and be absolutely
certain that the code that does ship does not expose, by default, any
attack surface.

How can a culture that first and foremost revolves around writing and
shipping code and features that execute on every box, whether or not the
box owner benefits by the execution of said code and whether or not the
presence of said features is valuable or just a big liability that costs
money to curtail, adopt simultaneously (for anything other than PR) the
exact opposite culture demanded by security?

Sincerely interested in your reply.
(...Hoping to learn something)

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.

-----Original Message-----
From: "Michael Howard" <mikehow@microsoft.com>
Date: Wed, 1 Sep 2004 16:36:10 
To:"Yvan Boily" <yboily@seccuris.com>, <secprog@securityfocus.org>
Subject: RE: "Selling" a code-audit.

Not calling the developers 'morons' is a good start :)

Seriously, you have to change culture. People have to realize that the
quality of their design, code, tests and documentation is paramount.
Once people accept a culture change like this, everything becomes pretty
easy.

So the next question is how do you change the culture? Simple - you hit
the top brass, this is what we did here at Msft. My group started making
its best progress when we had buy-in from billg and steveb, and the
other senior execs. 

Now it's a no-brainer.

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com] 
Sent: Monday, August 30, 2004 10:45 AM
To: secprog@securityfocus.org
Subject: "Selling" a code-audit.

One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity,
however
on almost every single code audit I have participated in I have received
hostile responses from the development team.  I have tried a variety of
approaches to develop a stronger rapport with the development team,
however
in spite of my best efforts I find that going into a code audit I am
already
fighting against preconceptions about why the code audit is being
performed.


I understand that many people feel threatened when work they have done
is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive.  Any
pointers?

Yvan Boily
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Shmoocon CFP & registration information, shmooconannounce
Next by Date:  RE: "Selling" a code-audit., Michael Howard
Previous by Thread:  Re: "Selling" a code-audit., Travis Schack
Next by Thread:  RE: "Selling" a code-audit., Michael Howard
Indexes:  [Date] [Thread] [Top] [All Lists]