Implementation vs. Design Defects

I got a comment to my last post that’s worth following up on: Can you comment on what percentage of defects you all are finding are implementation vs. design defects? It's pretty clear that older code that doesn’t have buffer overflows isn’t going to all of a sudden have one. At the same time older…

Securing Existing Code

Just read Michael Howard’s post about differentiating secure features, security features and security response, found at http://blogs.msdn.com/sdl/archive/2007/12/17/security-is-not-all-about-security-updates.aspx, and wanted to offer some counterpoints. Overall, I’m in strong agreement with what he has to say – just because we’re still shipping bulletins and updates doesn’t mean we’re not making forward progress. For one thing, those of…

How to cause a regression

This one isn’t really security related, except that we security people often want to get rid of old stuff because it’s sometimes easier to disable it than to make it really robust. If only a few people use it, good attack surface reduction practices tell us that it should be off by default, maybe an…

More on Sandboxing – Network Implications

Larry Osterman’s post (er, rant) (found here – http://blogs.msdn.com/larryosterman/archive/2007/11/02/chris-pirillo-s-annoyed-by-the-windows-firewall-prompt.aspx) about someone’s gripe with Firefox and the firewall caused me to remember to add to the discussion. Larry claims: “IMHO outbound firewalls are 100% security theater[1][2]. They provide absolutely no value to customers. This has been shown time and time again…” I’m familiar with this argument,…

Writing Secure Code 3

It seems like every time I’ve gone out in public recently, I’ve been asked when we were going to update Writing Secure Code 2. I’ve been seeing comments about it along the lines of “Good, but dated.” Ouch. It has been a while – we published WSC2 in 2002, and if you read my last…

Checking Password Complexity

Michael put some sample code into WSC2 that showed people how to check passwords using the NetValidatePasswordPolicy API. It’s a very flexible API, and it’s meant to handle situations where an app maintains its own password database, like SQL Server. However, you can use it to check whether a password for some other use complies…

Safebool

My last post triggered a couple of responses and a URL I thought would be good to not get lost in the comments. Check out http://www.artima.com/cppsource/safebool.html. As I was saying a couple of posts ago, the right tool is usually situational. In my case, things like SafeInt<int>(2) << 3, and int I = SafeInt<unsigned long>(SomeFunc())…

C++ operator overloading trivia

Learned something interesting this week that I’ll be working into SafeInt 3. It all started out because if you declare a SafeInt class instance, and then try to use it as an array index, the compiler can’t figure out which of the several available integer casts to use for the index. According to the language,…

On the Other Hand…

In my previous post on threat models, I pointed out situations where TMs are either a complete waste of time, or maybe we’ve got bigger problems than design issues. To add a little balance and reinforce one of the points I was trying to make, let’s look at another situation where the TM was really…

Blog Comment Spam is Really, Really, Really Annoying

I keep getting spam from some bunch of (expletives deleted) as comments to the blog. It’s all: Nice. Interesting. Cool! With some bogus URL they’re trying to get people to click on, from weird pseudo-Greek names mostly ending in ‘os’. They end up in my possible spam folder, and I delete them all, but I…