Network Security SecProg

RE: "Selling" a code-audit.

Subject: RE: "Selling" a code-audit.
Date: Mon, 20 Sep 2004 11:28:55 -0700
I just got notice that this was accidentally dropped by secprog - hence
the resend.

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Michael Howard 
Sent: Sunday, September 12, 2004 8:50 PM
To: Adam Shostack
Cc: Yvan Boily; secprog@securityfocus.org
Subject: RE: "Selling" a code-audit.

Many things happened; CodeRed, Nimda, Writing Secure Code was released
(seriously, it had a huge effect on the company, that's why the 2nd Ed
came out so quickly) and the Developer Division Security work all added
up to what I often refer to as "the planets aligning!"

-----Original Message-----
From: Adam Shostack [mailto:adam@homeport.org] 
Sent: Sunday, September 05, 2004 7:29 AM
To: Michael Howard
Cc: Yvan Boily; secprog@securityfocus.org
Subject: Re: "Selling" a code-audit.

On Wed, Sep 01, 2004 at 04:36:10PM -0700, Michael Howard wrote:
| Not calling the developers 'morons' is a good start :)

This is true, but maybe comparing them to MS developers would be.

If you live in a MS-centric world: "Microsoft stopped shipping
unreviewed code.  Don't we want to be like them?"

If you live in a *NIX-centric world: "Even Microsoft does code
reviews!"

| Seriously, you have to change culture. People have to realize that the
| quality of their design, code, tests and documentation is paramount.
| Once people accept a culture change like this, everything becomes
| pretty easy.
| 
| So the next question is how do you change the culture? Simple - you
| hit the top brass; this is what we did here at Msft. My group started
| making its best progress when we had buy-in from billg and steveb, and
| the other senior execs.

I think that there was a confluence of things that led Bill to his
support for you.  If a company doesn't have those things (and I'd love
to hear which ones made a difference in Microsoft's decisions),
then you need other cultural drivers.

This could be selling a leading or respected group on reviews.  It
could be measuring bugs found before/after ship, and seeing how much
time is saved, and how much happier customers are, if they don't have
to patch.

It might also be helpful to use objective standards.  Something like
RATS or Splint has issues, but it's also objective.  No one can claim
that RATS is treating them unfairly.  It also allows you to focus
reviews on things like RNGs, design compliance, etc.

Going back to my comparison theme, it may help to point out Kerberos'
or OpenSSL's history of security issues.  The context is that all code
has issues sometimes, and your shared goal is fewer shipped bugs.

Adam
