"Michael Howard" <mikehow@microsoft.com> wrote:
> My group started making its best progress when we had
> buy-in from billg and steveb, and the other senior execs.
> Now it's a no-brainer.
Michael,
A true cultural change would include realization that bugs in code are a
given before the code is even written, so a secure culture would never
allow code to be written in the first place unless the code is truly
important.
Then, instead of rushing to ship the code (remember Microsoft's motto in
the Netscape wars 'he who ships first, wins') the company with proper
security culture would second guess itself and remove half the code and
reduce the features and turn everything off by default and be absolutely
certain that the code that does ship does not expose, by default, any
attack surface.
How can a culture that first and foremost revolves around writing and
shipping code and features that execute on every box, whether or not the
box owner benefits by the execution of said code and whether or not the
presence of said features is valuable or just a big liability that costs
money to curtail, adopt simultaneously (for anything other than PR) the
exact opposite culture demanded by security?
Sincerely interested in your reply.
(...Hoping to learn something)
Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
http://www.PivX.com/forensics/
-----Original Message-----
From: "Michael Howard" <mikehow@microsoft.com>
Date: Wed, 1 Sep 2004 16:36:10
To:"Yvan Boily" <yboily@seccuris.com>, <secprog@securityfocus.org>
Subject: RE: "Selling" a code-audit.
Not calling the developers 'morons' is a good start
Seriously, you have to change culture. People have to realize that the
quality of their design, code, tests and documentation is paramount.
Once people accept a culture change like this, everything becomes pretty
easy.
So the next question is how do you change the culture? Simple - you hit
the top brass, this is what we did here at Msft. My group started making
its best progress when we had buy-in from billg and steveb, and the
other senior execs.
Now it's a no-brainer.
[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074
-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com]
Sent: Monday, August 30, 2004 10:45 AM
To: secprog@securityfocus.org
Subject: "Selling" a code-audit.
One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity,
however
on almost every single code audit I have participated in I have received
hostile responses from the development team. I have tried a variety of
approaches to develop a stronger rapport with the development team,
however
in spite of my best efforts I find that going into a code audit I am
already
fighting against preconceptions about why the code audit is being
performed.
I understand that many people feel threatened when work they have done
is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive. Any
pointers?
Yvan Boily
