Michael Howard kicked off Day Two of MTS07 talking about security. He talked about the SDL, Microsoft's process to ensure their products are reasonably secure. SDL isn't a new process — they didn't have the luxury of re-inventing their software manufacturing process — it's a series of tweaks to their existing process to make products more secure. He said a few interesting things:
“If SDL didn’t work, Bill Gates would kill it in a heartbeat.”
“Everything in the SDL is there for a really good reason.”
“Within 60 days of joining a product group, you have to go to security training.” If you came from academia, from government, from anywhere, we assume you know squat about security, and it's a safe assumption. “The scariest person is someone who knows nothing about security, but thinks they do.”
Michael’s group offers a number of courses. They have a basic course that everyone has to attend on a regular basis and some advanced courses which cover specific security areas. I asked if I could attend his courses. He said, “If you sign an NDA like any other Microsoft employee, I would be happy to have you attend the courses.” He also mentioned that the basic security course has been videotaped and is included with the SDL book he’s selling.
“I spent a good 50% of my time on analyzing attack surface areas.” Threat modeling is the other very important aspect to security. It's all about finding design issues. Everyone must create threat models at Microsoft. Two Vista features were crushed because their threat models indicated that attackers would use the features more than legitimate users. If I had to choose one thing to implement security, I'd do threat modeling.
“Some people say the industry would get better once we get better tools. I say ‘No, the industry will get better when we stop letting monkeys write code.'”
“There is no replacement whatsoever for good engineering practices.”
Much of Michael's talk is convincing us that Microsoft takes security seriously and is doing a good job of creating secure software by relaying a bunch of anecdotes and telling us things like, “When an API has 3 or more bugs, we shoot it in the head and enforce that it can't be used by analyzing the code on check-in” and “VML had a bug in Vista that could have been exploited, but you can't actually exploit it, because our compiler detects the exploit and returns null when the affected function is invoked.”
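The "enforce it at check-in" part of that policy is the piece a practitioner can actually reproduce: a gate that scans changed source for calls to a banned list and rejects the check-in. What follows is an added example, not Michael Howard's or Microsoft's code; the banned list and the replacement suggestions are assumptions for illustration, and the C snippet it scans is constructed inline.

```python
"""Added example: a check-in gate that rejects source calling banned C
runtime functions. The banned list below is an assumption for illustration,
not Microsoft's actual list."""
import re
import sys
from typing import Dict, List, Tuple

# Assumed banned list: unbounded string/format functions and a suggested fix.
BANNED = {
    "strcpy": "strcpy_s / strlcpy",
    "strcat": "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# A call is the bare banned name, at a word boundary, followed by "(".
# "strcpy_s(" and "my_strcpy(" do not match because of the word boundaries.
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")

# Literals and comments are blanked first so that a banned name that only
# appears inside a string or a comment is not reported as a call.
_NOISE_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'      # string literal
    r"|'(?:\\.|[^'\\\n])*'"     # char literal
    r"|/\*.*?\*/"               # block comment
    r"|//[^\n]*",               # line comment
    re.S,
)


def _blank_noise(src: str) -> str:
    """Replace literals and comments with blanks, keeping newlines so the
    reported line numbers still match the original file."""
    return _NOISE_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def find_banned_calls(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, banned_function, suggested_replacement) per hit."""
    hits = []
    for lineno, line in enumerate(_blank_noise(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            hits.append((lineno, name, BANNED[name]))
    return hits


def check_in(changed_files: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Gate a check-in: allowed only if no changed file calls a banned API."""
    report = []
    for path, src in changed_files.items():
        for lineno, name, fix in find_banned_calls(src):
            report.append(f"{path}:{lineno}: banned call {name}(); use {fix}")
    return (not report, report)


# Constructed sample input: one real banned call, one banned name in a
# comment and one inside a string literal (neither of which is a call).
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
/* legacy helper: strcpy(dst, src) is mentioned in this comment only */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);          // banned: no bounds check
}
void fmt(char *buf, int n) {
    snprintf(buf, 32, "%d", n); // fine: bounded
    printf("strcat(a, b)\\n");  // banned name inside a string literal only
}
"""

if __name__ == "__main__":
    allowed, findings = check_in({"name.c": SAMPLE_C})
    for line in findings:
        print(line)
    sys.exit(0 if allowed else 1)
```

Run as a pre-commit or pre-receive hook, a non-zero exit blocks the check-in. Suffix-safe variants such as `strcpy_s` pass because the regex requires the bare name directly followed by the call parenthesis, and the literal/comment blanking is what keeps the gate from rejecting documentation that merely mentions the old name.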
[I saw he had “Head home” as a reminder on his calendar, and amidst a bunch of laughter he admitted he has to schedule eating and going home on his calendar because he is so focused and enthused by his job.]
He also showed a Gartner quote as of Feb. ’06 that Microsoft is leading the industry in the area of security best practices.
He mentioned that they have started working with a number of companies to improve industry security practices, but because we’re not under NDA, he can’t tell us about those relationships — except that they have worked with Adobe.
Q: What are the security differences between 64-bit and 32-bit Vista?
A lot of the defenses we've added to 64-bit are on by default. Also, the return address isn't put on the stack in 64-bit, so you can't overwrite it. Those are the big ones from my perspective. Plus, a lot of the legacy support is off in 64-bit. One of the biggest predictors of security problems for us, by the way, is the age of the code.