Latest news
Reactions from the security community to the Trustworthy Computing Initiative
Posted on 13 January 2012.
This week, Microsoft is celebrating 10 years of its Trustworthy Computing Initiative (TwC). One of the most well-known outcomes of Trustworthy Computing is the Microsoft Security Development Lifecycle (SDL), which also incorporates privacy development practices. Many companies, including Adobe and Cisco, have adopted security development lifecycles modeled after Microsoft’s SDL.
Below are comments on the Trustworthy Computing Initiative that Help Net Security received from industry veterans.
Wolfgang Kandek, CTO for Qualys
Bill Gates' now 10 year old memo to Microsoft's employees was an eye-opening moment for me. When I first read it, I found myself intuitively agreeing to many of the underlying assumptions: strong growth of computers, but also their unstopping insertion into the personal lives of billions of individuals and the importance of trusting their integrity and function in both areas. In the 10 years following, the industry has come a long way and we have reached many important achievements.
Microsoft has played a key part - even serving as a great role model for other software vendors - by integrating security into its development process and openly sharing security information with the public, including its own competitors.
But Gates was overly optimistic as to the impact that we would be able to achieve. The Internet user base has now reached 30% of the world-wide population and security woes have not become any smaller by any measure.
While new PC software is much safer than its predecessors, we continue to deal with older software stragglers and are overwhelmed by the amount of new devices that are connected to the Internet at any moment, now including our phones, media players, critical infrastructure, houses with smart meters, and even our cars.
The example of the TwC makes me optimistic that we can find solutions for these challenges and that security will be an integral part of new technologies in the next 10 years.
Kurt Baumgartner, senior security researcher, Kaspersky Lab
Microsoft's massive customer base has benefited from the security efforts put forward by the company in improving the security of their products and process. The newest defensive capabilities in Windows 7 and the reduction in attack surface of Windows 2008 are examples of this trend.
At the same time, its past mistakes and late prioritization of security left those same customers with headaches for years - as an example, the relatively insecure IE6 install base just fell under 1% in the US 10 years after its launch and Microsoft is working hard to kill it.
The progress made from IE6 to IE9 in better securing their browser is somewhat unbelievable. But corporate and government customers have a nasty habit of hanging on and using the oldest versions of software until the systems truly cannot function.
Additionally, exploitation of their software has shifted from stack overflows to memory corruption issues more complicated to root out, like heap corruption, kernel overflows, elevation of privilege bugs, and use-after-free vulnerabilities.
Also shifting is the focus of directly attacking the Microsoft platform itself to targeting the stuff that runs on the platform. Lower hanging fruit in ubiquitous Adobe, Java and other third party software are readily attacked on the desktop, and web application errors abound. Microsoft has improved their side of the game, but volume, complexity of code, and the attraction to push features will continue to burden their software development and implementation.
Marcus Carey, security researcher at Rapid7
I think Microsoft should be congratulated for reaching this milestone. Ten years ago Microsoft was a laughing stalk in information security circles so it's to its credit that it has successfully transformed itself into a great example of how to build product security into the processes of a software company.
Microsoft makes it clear that in the immediate future it is focusing on cloud computing, mobile devices and applications, advanced persistent threats (APT), big data, the role of government in IT, and availability issues. Interestingly, Microsoft uses a different term for APT - Targeted Attacks & Persistent Adversaries - recognizing that all attacks aren't advanced, but they are targeted with precision.
Organizations should take note of this because Microsoft is laying out what it believes to be the significant security challenges going forward.
Below are comments on the Trustworthy Computing Initiative that Help Net Security received from industry veterans.
Wolfgang Kandek, CTO for QualysBill Gates' now 10 year old memo to Microsoft's employees was an eye-opening moment for me. When I first read it, I found myself intuitively agreeing to many of the underlying assumptions: strong growth of computers, but also their unstopping insertion into the personal lives of billions of individuals and the importance of trusting their integrity and function in both areas. In the 10 years following, the industry has come a long way and we have reached many important achievements.
Microsoft has played a key part - even serving as a great role model for other software vendors - by integrating security into its development process and openly sharing security information with the public, including its own competitors.
But Gates was overly optimistic as to the impact that we would be able to achieve. The Internet user base has now reached 30% of the world-wide population and security woes have not become any smaller by any measure.
While new PC software is much safer than its predecessors, we continue to deal with older software stragglers and are overwhelmed by the amount of new devices that are connected to the Internet at any moment, now including our phones, media players, critical infrastructure, houses with smart meters, and even our cars.
The example of the TwC makes me optimistic that we can find solutions for these challenges and that security will be an integral part of new technologies in the next 10 years.
Kurt Baumgartner, senior security researcher, Kaspersky LabMicrosoft's massive customer base has benefited from the security efforts put forward by the company in improving the security of their products and process. The newest defensive capabilities in Windows 7 and the reduction in attack surface of Windows 2008 are examples of this trend.
At the same time, its past mistakes and late prioritization of security left those same customers with headaches for years - as an example, the relatively insecure IE6 install base just fell under 1% in the US 10 years after its launch and Microsoft is working hard to kill it.
The progress made from IE6 to IE9 in better securing their browser is somewhat unbelievable. But corporate and government customers have a nasty habit of hanging on and using the oldest versions of software until the systems truly cannot function.
Additionally, exploitation of their software has shifted from stack overflows to memory corruption issues more complicated to root out, like heap corruption, kernel overflows, elevation of privilege bugs, and use-after-free vulnerabilities.
Also shifting is the focus of directly attacking the Microsoft platform itself to targeting the stuff that runs on the platform. Lower hanging fruit in ubiquitous Adobe, Java and other third party software are readily attacked on the desktop, and web application errors abound. Microsoft has improved their side of the game, but volume, complexity of code, and the attraction to push features will continue to burden their software development and implementation.
Marcus Carey, security researcher at Rapid7I think Microsoft should be congratulated for reaching this milestone. Ten years ago Microsoft was a laughing stalk in information security circles so it's to its credit that it has successfully transformed itself into a great example of how to build product security into the processes of a software company.
Microsoft makes it clear that in the immediate future it is focusing on cloud computing, mobile devices and applications, advanced persistent threats (APT), big data, the role of government in IT, and availability issues. Interestingly, Microsoft uses a different term for APT - Targeted Attacks & Persistent Adversaries - recognizing that all attacks aren't advanced, but they are targeted with precision.
Organizations should take note of this because Microsoft is laying out what it believes to be the significant security challenges going forward.
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
