Re: Writing Secure Code...
From: Michael Silk (michaelsilk_at_gmail.com)
Date: 01/20/05
- Previous message: George Capehart: "Re: Writing Secure Code..."
- Maybe in reply to: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev: "Writing Secure Code..."
- Next in thread: exon: "Re: Writing Secure Code..."
- Reply: exon: "Re: Writing Secure Code..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Jan 2005 11:23:14 +1100
To: David LeBlanc <dleblanc@exchange.microsoft.com>
Well, I think you can agree that OSS gives access to more people, right?
I agree with you, however, that having lots of people is not
necessarily a good idea. The key is to have it structured as well,
with reliable people doing it.
Don't get me wrong, however, I don't think that OSS is the answer to
writing more secure commercial programs, and I think that a
combination of both is probably the worst idea :) Basically because
you introduce an unstructured system into a system that requires
deadlines ... and that can only be bad :)
Corporations just need to forget about these quick fixes and train
their programmers to program _correctly_ (i.e: securely) and _give
them the time to do it!_. Unfortunately deadlines are a fact of
corporate life, but even so...
Anyway, it's all been said before, so ... :)
-- Michael
On Wed, 19 Jan 2005 15:16:37 -0800, David LeBlanc
<dleblanc@exchange.microsoft.com> wrote:
> I'm not in my office, so this would bounce to the list -
>
> I disagree with the theory that OSS yields effectively more people. First, what you want is not just people, but people who understand both security AND the code. If this theory were true, we wouldn't have so many 10 year old OSS bugs. BIND and Sendmail have always been OSS, and they've both got really bad records. We run the internet on these, and if anything should be thoroughly vetted, it should be these. There are other apps that are OSS which have excellent records. As another counter-argument, I think that much of the OpenBSD security gains have come from a small group of programmers, not "many eyes" - it's been from a few very good eyes. Where we (MS) get our biggest gains is basically a 3-prong attack - threat model the design, and fix problems there. Then teach devs how to recognize security problems, and use tools to audit code and root out bad APIs. We then use fuzzers to improve test coverage. We also have groups who are dedicated to just security (that's where I work). The more of this I do, the more I see the need for structure - along with some good old out-of-the-box hacking.
>
> I agree completely with your point about the trade-offs between structure and motivation. One advantage we have is that if we tell someone to review a piece of code, it isn't optional. They may or may not do an excellent job, but they _must_ do it. Even this isn't truly a function of OSS or not, it is a function of whether the devs are paid. It's possible (though not common) to have paid devs creating OSS.
>
> Everyone I know at MS who programs loves to program. I think that's why we program computers, and that's independent of where we work. I think part of the problem is wrapped up in that - we all like to create new code, not maintain old code. So once the code exists, there is so much more to be done to get it secure that's often tedious and not really programming. Many OSS projects aren't going to be as good at getting the tedium done - if someone is giving you time for free, you tend to be grateful for what you get.
>
> Just some thoughts -
>
> ________________________________
>
> From: Michael Silk [mailto:michaelsilk@gmail.com]
> Sent: Wed 1/19/2005 2:31 PM
> To: David LeBlanc
> Cc: secprog@securityfocus.com
> Subject: RE: Writing Secure Code...
>
> David,
>
> Re "Processes in place ..."
>
> But that's the point of the discussion, isn't it?
>
> I.e. that with OSS you will, in theory, have more people - more
> _motivated_ people - looking into the code and reviewing it.
>
> The problem is that it will typically be rather unstructured
> reviewing... Corporations offer more structured ways to review the
> code, with the downside that sometimes the people reviewing don't care
> about its security, and corporate politics, etc.
>
> The idea that businesses could somehow tap into this motivation by
> "open sourcing" their applications is a little stupid though, because
> in the end they are still driven by money, and not love of
> programming. Money brings deadlines, which means less time for
> reviews, fixes, etc, hence less secure code.
>
> I definitely agree with you about developer skill, however. Neither
> model will be successful if the developers are terrible :)
>
> The point is though, I suppose, that if you are motivated programmers
> in a structured environment (even if it's structured to be relaxed...)
> then you'll end up with better programs. It seems, however, that pure
> motivation seems to beat out pure structure.
>
> -- Michael
>
> > -----Original Message-----
> > From: David LeBlanc [mailto:dleblanc@exchange.microsoft.com]
> > Sent: Wednesday, 19 January 2005 11:45 AM
> > To: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev;
> > secprog@securityfocus.com
> > Subject: RE: Writing Secure Code...
> >
> > I think the most secure apps are written by the people who
> > have the best developers. That's my short answer. As an
> > illustration, consider DNS servers. Which is more secure,
> > BIND, or Daniel Bernstein's DNS? They're both OSS, and I
> > think we'd all agree that BIND has a terrible record, and
> > DJB's has a very good record. Now consider Microsoft's DNS -
> > it's also had a very good security record, with very, very
> > few bulletins over the years. So which is the better
> > predictor of security? Business model, or developer skill? I
> > think it is developer skill.
> >
> > One thing to add is that security isn't just developer skill.
> > It is design, testing, and the processes put into place to
> > verify whether the developer and designers made security
> > mistakes or not. These practices are also orthogonal to
> > business model. Having people poking at your software,
> > whether it is by reading the source or by reading the binary,
> > can be helpful in finding problems, but I think it is overall
> > less helpful than having proper processes in place to improve
> > security at every stage and phase of the development process,
> > from design to implementation to testing. So the better
> > question to ask is what processes are in place for a given
> > solution to ensure security, not whether it is based on OSS
> > or proprietary software.
> >
> > I know this tends to be a hot-button topic, so please
> > redirect flames to /dev/null. This should go without saying,
> > but this is my personal opinion and may or may not align with
> > my employer's opinion and in no way should be construed as an
> > official statement on behalf of my employer.
> >
> > -----Original Message-----
> > From: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev
> > [mailto:Cheri.Sigmon@langley.af.mil]
> > Sent: Tuesday, January 18, 2005 11:32 AM
> > To: 'secprog@securityfocus.com'
> > Subject: Writing Secure Code...
> >
> > Hi, Everyone...
> >
> > Happy New Year! I've been lurking for awhile... time to
> > "decloak" in '05.
> >
> > Item: The "ongoing" debate among choices of open source vs.
> > proprietary (all companies') solutions, not just the major players
> > in the industry.
> >
> > I'm certain you've seen similar situations... where there are
> > groups of people who are very opinionated one way or the
> > other. My concern is the best solution(s) security-wise,
> > regardless of the source. Any comments? From a broad-brush
> > perspective?
> >
> > [snip]