Thursday, March 22, 2007

Interesting article considering my post last night. http://www.internetnews.com/security/article.php/3667201

It is especially interesting that Sun Solaris was rated lowest in the security review in this article and all Sun did was try to find fault with the study. Sun has traditionally been very proud of the security in Solaris; it seems that pride is waning. (Maybe that is because the CEO is more interested in being able to blog for SEC reports than putting out good products...) Sorry for the anti-Sun rhetoric lately...

Wednesday, March 21, 2007

Security

I've been reading the book Writing Secure Code by Michael Howard and David LeBlanc (both I believe from Microsoft). Today I was able to spend my morning in an MS training course taught by Michael Howard; I think it was titled Security Basics or something like that. It is apparently a required course for all technical positions at MS. It was actually pretty good, and exposed me to a lot of the security world that I had not been involved in previously. I know what a lot of my past co-workers will think when they hear me talk about Security at Microsoft; I too had the same impression of MS as being at the bottom of the security barrel. But one thing that I am realizing after 6 weeks of working here is that the years of pain and issues that MS has endured over security have woken them up to this issue, and it is one that they are taking very seriously now. There seems to be an air of importance around the whole issue, one that flatly did not exist at Sun when I was working there. Sun has a much better reputation in this area, but I have always wondered if it wasn't more that they have not been as much of a target as MS has historically been. Being a target likely makes it so that more vulnerabilities are discovered than in products not being targeted, but hopefully eventually leads to more secure products (which it seems may be happening). One has to wonder if other products are really more secure or the vulnerabilities just have not yet been exposed. I don't know...

Anyhow, this book (Writing Secure Code) follows a well defined process, the MS Security Development Lifecycle, and lays out a lot of fundamental steps to analyzing security for products. These are things that I wish I had known on some of my past projects, but I just did not have the information. It goes through designing secure software, threat modelling, secure coding guidelines, minimizing attack surface, and testing techniques (like fuzz testing, penetration testing, etc.). The book then dives deeply into code, looking into common, well known issues like buffer overruns, ACLs, least privilege, handling input data and a lot more. One interesting thing that we got in the course was to look at the code from Windows and other MS products that was the cause of many of the most well known security vulnerabilities, like different worms and other such things. All in all, the book is a fantastic guide that I should have read years ago, and one that I highly recommend to anyone involved in software.

Monday, March 05, 2007

New Wheels

Well, it was bound to happen: my long time friend finally died last week. My Subaru Legacy kicked the bucket at almost 250,000 miles. I could probably get it fixed, but it just isn't worth it anymore, so I've decided to make a bit of a change. So this weekend I went out and picked myself up a new set of wheels. That's right, I'll be commuting on my bike for a while. It's something I've done on a very infrequent basis, but have always wanted to do more often. So I figured this was the perfect opportunity to force myself to begin a regular bicycle commuting program. I am not going to get a new car for a few months, to get myself used to the ride in. Right now my ride is about 6 miles and takes me about 30 minutes (yes, I'm a bit out of biking shape). Microsoft has a nice locker room with showers and lockers, so that works out well. I have a full set of rain gear, so I should stay nice and dry even in the wet Seattle weather.