Counting Fish in a Lake

The question "How secure is any product?" is much like the question "How many bugs does an application have?" As my software engineering professor liked to say in grad school, "trying to count bugs in an application is like trying to count fish in a lake." How do you know whether you missed a fish?


Actually counting the fish in a lake would require a careful and meticulous process to minimize the chance of missing any. Finding bugs in general, and security bugs in particular, requires the same kind of care. Michael Howard has a new article in MSDN Magazine that covers the lessons we at Microsoft have learned while building more secure code over the past five years.


Some of those lessons?

  1. Design flaws matter as much to building secure products as coding flaws do.
  2. Scour your oldest code first--old code is far more likely to have security flaws than new code.
  3. Keep a close eye on old features--just like old code, features that were great a few years ago may be serious security liabilities now.

Microsoft has turned these lessons into the Security Development Lifecycle--a process for writing secure code that plugs into any development methodology.


OK, no snickering :-) We really do invest a lot of effort in security across the product development lifecycle. Check out this post from a security researcher who goes by the name Halvar Flake. He called Vista "arguably the most secure closed-source OS available on the market" in a blog post about BlueHat.


He is right about not becoming complacent. Counting fish in a lake is not an easy task, and it cannot be done well unless it is done diligently. Given the amount of resources Microsoft devotes to security and the priority it receives over other features, I cannot see us ever becoming complacent. BTW, here's a link if you are not familiar with the BlueHat conference:

https://www.infoworld.com/article/07/05/10/microsoft-invites-hackers-back_1.html


The subtitle of the article at the link above says it all: "[The BlueHat] Conference gives the security community a chance to show the software giant where it's gone wrong."

What do you think about Microsoft’s security efforts? What can we do better?


Thanks
-Rob Cameron

10/31/2007 - Minor text edits