Insecurity Training

I spent most of the day yesterday in a conference room with about a thousand other co-workers of mine.  I know them all personally. You should have seen the size of the table!  But seriously, it was a mandatory training session for the likes of us unruly code slingers.  Microsoft is serious about security.  I’m not cheerleading here.  I’m not trying to convince you of anything.  The powers-that-be have raised the focus on security to a level of utter annoyance; security reviews, threat analysis, tools that discover, tools that defend.  Now they even want to rate us on whether we adhere to these ‘rules’ or not; no more flagrant use of strcpy; no more cryptic pointer arithmetic; no more fixed sized buffers sitting innocently on the stack;  no more XOR encryption.  It’s gotten to the point where I don’t know if I can code anymore.  Between security concerns and the paralyzing fear that just about every common practice is now buried in some gold-digger’s patent portfolio, I don’t know if there is a safe line of code to write; seriously. 

 

We’d be better off just compiling large libraries of last-known-safe algorithms.  Then if we needed to build something we could just cut-and-paste these suckers into our editor.  We would never actually be ‘writing’ code anymore.  We’d be ‘orchestrating’ code.  I can see it now, the operating system of the future comes complete with a vast library of API’s that are deemed safe and covered by licensing that allow you free use of such things as:  assignment, arithmetic, comparison, and if you buy the enterprise edition you even get the ‘branch’ instruction.  The compilers of tomorrow would only compile to these calls, they would not generate any other processor instructions, because those would all be patented by someone or proven a threat to security.

 

But I digress

 

Matt