This past OWASP AppSec conference was the second in a row where folks from Microsoft gave an overview of what they are doing with regard to software security, and the response from the open source folks was both times more or less "hey, we aren't as big as Microsoft, how do you expect us to do all this stuff?" I think this response is pretty weak; after all, open source systems have over the years certainly given Microsoft a run for its money in reliability, scalability and security. Now that Microsoft has turned its own flywheel and by all appearances made some radical moves forward, shouldn't the open source people do the same? I have several friends who write security-focused open source software that is in wide use, and a common complaint of theirs is that it is hard to get people interested in contributing to security projects. Perhaps security is not as interesting to people as other things.
Hey guys, whatever happened to "given enough eyes, all bugs are shallow"? Maybe we can rephrase this to "given enough motivated, security-clueful eyes, all bugs are shallow." Anyhow, let's roll the tape:
It started last spring in Belgium. Johan Peeters moderated a panel on "Should companies be emulating Microsoft's Security Development Lifecycle?" Johan's intro:
Microsoft is a company we love to hate. In particular, the security of Microsoft products has been the target of fierce criticism. However, in the last few years, Microsoft has made a concerted effort to improve the security of their products. The Windows Security Push was launched in 2002 in the run up to the release of Windows Server 2003. At that time, the seeds of the Security Development Lifecycle (SDL) were sown. This process has since been refined by many more security pushes.
There is a lively debate on Johan's blog entry about all of this. The net result at the conference was that the open source proponents deemed the practices the Microsoft SDL proposes, such as threat modeling and fuzzing, too hard and too time consuming for open source developers. I am sure there are line managers at software vendors like Microsoft who would say the same thing, but from open source the rejection seemed near universal.
Deming: "It is not necessary to change. Survival is not mandatory."
The simple fact is that the threat environment Microsoft software faces in the field is the same one open source software faces. The only question is: how do you engineer your software to be resilient? Last week Michael Howard made a number of interesting points in his presentation, "How the SDL Improved Windows Vista". He discussed finding bugs as early as possible as the best bang for the security buck. He also noted that Microsoft has a number of central analysis teams, including a central fuzzing team that fuzzes file formats, network protocols, etc.
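The fuzzing Howard describes does not require a central team to get started. As an added example (this is not code from the talk, the SDL or Microsoft), here is a mutation fuzzer in Python run against a toy record format constructed for this illustration: a 2-byte magic, a 1-byte record count and `count` 4-byte records. The format, the parser names and the seed file are all assumptions for the demo. The unchecked parser trusts the count field, which is exactly the class of bug a fuzzer finds in minutes; the checked parser beside it shows the fix.

```python
from __future__ import annotations

import random
import struct

# Constructed toy format for this example: magic, count byte, then records.
MAGIC = b"RF"
RECORD_SIZE = 4
SEED = MAGIC + bytes([2]) + struct.pack(">II", 1, 2)  # two valid records


class ParseError(Exception):
    """A clean, expected rejection of malformed input."""


def parse_records_unchecked(data: bytes) -> list[int]:
    """Buggy parser (assumed for the demo): trusts the count field.

    A count larger than the payload, or a truncated header, surfaces as
    struct.error or IndexError instead of ParseError. In C the same bug
    would be an out-of-bounds read; here it is an uncaught exception.
    """
    if data[:2] != MAGIC:
        raise ParseError("bad magic")
    count = data[2]
    records = []
    for i in range(count):
        offset = 3 + i * RECORD_SIZE
        records.append(struct.unpack(">I", data[offset:offset + RECORD_SIZE])[0])
    return records


def parse_records_checked(data: bytes) -> list[int]:
    """Hardened parser: validates lengths before trusting the count field."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ParseError("bad header")
    count = data[2]
    if len(data) != 3 + count * RECORD_SIZE:
        raise ParseError("count does not match payload length")
    return [struct.unpack_from(">I", data, 3 + i * RECORD_SIZE)[0] for i in range(count)]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, truncate, or append junk."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> bytes | None:
    """Feed mutants of `seed` to `parser`; return the first input that makes it
    raise anything other than ParseError (a crash), or None if none is found.
    The fixed rng_seed keeps the run reproducible."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except ParseError:
            continue
        except Exception:
            return candidate
    return None


def is_cleanly_rejected(parser, data: bytes) -> bool:
    """True if `parser` either accepts `data` or rejects it with ParseError."""
    try:
        parser(data)
    except ParseError:
        return True
    except Exception:
        return False
    return True


if __name__ == "__main__":
    crash = fuzz(parse_records_unchecked, SEED)
    print("unchecked parser crashed on:", crash.hex() if crash else None)
    print("checked parser crashed on:", fuzz(parse_records_checked, SEED))
```

Drop a loop like `fuzz` into the project's existing unit tests and the "too expensive" objection mostly goes away: the crash input it returns is a ready-made regression test for the fix.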
Regarding threat analysis, the trick I have used in the field, and one that is consistent with Microsoft's findings, is to avoid having people create attack trees on their own and instead give them threat model patterns that they can plug in. Howard goes on to make the point that because security is human vs. human, you can never be done. It would seem that some folks in open source would like to say "hey, we were better than Microsoft at security in 1999, so we are still better." Microsoft has executed an OODA loop or two since then; here is hoping that open source executes one soon.
The last part of the talk concerned how these security improvements manifest themselves in Vista.
x64 systems get mandatory kernel-mode code signing, so only signed code is loaded into the kernel, plus PatchGuard (Kernel Patch Protection), which keeps that code from patching kernel structures once it is in. This sounds very similar to a test Brian Snow referred to, where NSA enforced digital signature checks on all calls to critical kernel modules. On a Solaris system this resulted in only a single-digit percentage performance impact. That is a nice defense. Where is the uptake of this in open source, or Unix in general for that matter?
IE7 runs as a low integrity process, and Microsoft said they are working with the Firefox folks to get Firefox to run as a low integrity process as well. This is designed to limit damage to other system components, which run at medium integrity: an attacker who owns the browser should not be able to write up to those medium integrity processes. Again, something that Firefox sorely needs. Granted, they needed the constructs that Vista provides to do this, so they are not necessarily behind in this case.
This slide summarizes protections against a variety of exploits across systems:
So we have seen that Microsoft has taken steps to protect its users, we have seen some uptake in open source, and of course with open source you are always free to take matters into your own hands, but we have not seen from open source anything like the groundswell of defense in depth mechanisms coming out of Redmond. Where does this leave commercial Unix vendors like Sun, IBM, and Apple? One thing I would say to them is, if they can see past religion, they have a great model to begin their security journey.
Update: Matasano adds some interesting related info. Reading the comments, you can see that it is still hard for people to see past religion.