The First Step on the Road to More Secure Software is admitting you have a Problem


I just wrote an article over on the SDL blog about my observations on the industry’s response to Jeff Jones’ vulnerability analysis and the lack of security progress by our competitors.

Comments (9)

  1. Bernard Lim says:

    Indeed, sometimes honesty is the best policy. You got to admit there is a problem and step up to fix it!

  2. Peter Gutmann says:

    >So if Windows Vista has more code than Windows XP SP2,
    >why are we seeing a reduction in vulnerabilities? Simple: the SDL!

    I think a much bigger reason for this is the same reason why OSes like OS X are "more secure" than Windows XP: the market share is small enough (compared to XP) that the commercially-motivated malware industry doesn’t bother targeting it because the ROI is far better when you target the market leader.  I agree with the rest of the blog post, but I don’t think the SDL is the primary reason for the reduction in vulnerabilities in Vista (although I’m sure it helped).

    The reductio ad absurdum case for this argument is something like BeOS: when was the last time you had a security advisory for that?

  3. michael_HOWARD says:

    Hi Peter

    I totally disagree! Vuln count and bad guys targeting an OS are two utterly different topics. I’m talking about not requiring security updates/patches/errata because we did much more security engineering up front in Vista because of the SDL.

  4. stacy says:

    Michael, you’re saying that nobody has found the vulnerabilities because they don’t exist; Peter is saying that nobody has found them because nobody is motivated to look for them. Sorry, but I tend to agree with Peter.

    I am glad that Microsoft’s security initiatives were not marketing hype and I do appreciate the information shared on the SDL blog (stories from the trenches are always informative), but I’m afraid I need more evidence before I can conclude that Vista has 50% fewer vulnerabilities than XP.

  5. michael_HOWARD says:

    Stacy – Of course people are motivated to find bugs in Vista – they want to prove we failed! Many of the people finding bugs in our products don’t want to attack users!

    Here’s another data point (it’s in the blog): we’re seeing this trend across all products, such as IIS, Office, SQL Server etc etc.

    Over to you!

  6. Peter Gutmann says:

    >Of course people are motivated to find bugs in Vista – they want to prove we
    >failed!

    Today, only a small number of them are motivated by this (it was more the case 5-10 years ago).  Most want to sell the exploits on the black market or build them into toolkits (which they’ll also sell), and for those the larger the potential market is the more motivation they have to find problems.  It’s simple economics, they go where the money is.

    >Many of the people finding bugs in our products don’t want to attack users!

    Do you have any figures for commercial vs. "just to show we can" exploiters? (That’s a rhetorical question, I don’t think anyone knows how big the underground economy really is, but with remote 0days going for $50K or more I would imagine there’s a lot more activity going on there than in the non-commercial arena).  There are some proof-of-concepts that are done non-commercially, but most of the serious work (and in particular anything that goes beyond the basic proof-of-concept) seems to be commercial.  The scary thing is that there’s a lot of 0day out there that may never be discovered because it’s so commercially valuable that the "owners" are keeping it under wraps as much as they can.

    (Actually one way to check this would be to get the stats from something like a Neosploit server, which records OS details and success/failure of exploits, and see how many XP vs. Vista machines they’ve successfully compromised.  From memory version 1 of Neosploit didn’t even bother checking for Vista, maybe the current versions (1.5 and 2) do).

  7. Following on from my recent post about Windows Vista security and the SDL, a number of people have indicated