Microsoft To Teach Undergrads About Secure Computing
Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."
And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."
MSPress actually has a really good book available called "Writing Secure Code". All it takes is a few bad devs to create a reputation for the whole company.
Geez! They'd be the last persons I'd put in that position!
I mean, stuff like;
The IIS hole,
Outlook express,
The recent SQL worm,
Windows 9x's login etc.
There are friggin fishing nets that are more waterproof than Microsoft's code!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
The book talks a great deal about how having secure code is more than just the writing, especially in a corporate environment where you need to enforce standards on multiple programmers and have to deal with the pressures from marketing, etc. I think that, more than incompetent programmers, is what leads to the issues we see at MS.
Microsoft has a huge push going on in education. Campus reps, steep tool discounts, and curriculum suggestions to get Microsoft technology into undergrad and grad school course materials. Ask any CS professor what kind of contact they've had with Microsoft reps.
Java and Linux have become very large forces in education. Java has very nearly become the de facto teaching language, and Linux has become a popular instruction platform. Microsoft is trying very hard to counter this motion with C# and the .Net runtime.
Agreed. FYI, semiformal and formal design specifications come in at the higher assurance levels of the Common Criteria. Semiformal refers to something written in a restricted syntax language (could be natural language) and, as you said, formal uses notation based on mathematical concepts.
EAL5 requires a semiformal functional specification and high-level design (along with other development evidence). A semiformal low-level design is required at EAL6 and formal specifications are required at EAL7.
In situations like these, the actual facts play only a modest role in shaping public opinion,
True, but public opinion has relatively little to do with whether your computers are secure or not. If it did, then nobody would bother with engineering approaches to security; they'd just set aside a large PR budget to create the public perception of security, and that would make their software secure.
The main irony here is the old observation by many security people: If you want computer security, you never, ever allow any software to be run unless you have all the source and you've compiled it yourself. Otherwise, you have no idea what may have been hidden inside that binary by the people who sold it to you.
It would be interesting to see whether Microsoft's teachers bring out this rule. Will they even mention the topic? If so, will they teach the course the second time?
Granted, this isn't nearly the whole story. You must not just have the source. You must also have competent, trustworthy people on your staff who have the time to thoroughly take the software apart and understand it all. And even then, Ken Thompson's famous paper shows how subtle the problems can be.
Still, as a baseline argument, any such course on computer security should start with the observation that if you allow binary software to be installed, you are utterly defenseless against the people who compiled and packaged it for you. This is really the main thing that needs to be said about security and Microsoft.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
From my personal experience, these MS sponsored/related workshops/courses are more like perverted advertisements trying to pressure students into using MS products rather than actual informative educational sessions.
I had to take a couple of MS Windows network administration courses back in college because they were a requirement for the program. We had to memorize stupid phrases like "MS Windows network is the best choice because it's user-friendly, easy to set up, and secure" for the exams.... It just makes me sick to my stomach.
Dare we suggest that Microsoft start this initiative with its employees first?
This has already happened. Remember when Windows development was halted for a month to find and fix security issues last February? At the same time, all technical people at Microsoft had to go through a special security training. It was based on Writing Secure Code by some MS insiders, a real good book in fact.
I would think the particular course mentioned in the article would also feature this book.
When men used to be men
Why do you think so? The following is a quote from a MS Press book ("Writing Secure Code"):
Security principles to live by:
It is a good idea to get colleges to teach about writing secure programs. Currently, almost all programmers get out to the real world without knowing how to write secure programs, and they're writing the programs exposed to the entire Internet. That needs to change.
- David A. Wheeler (see my Secure Programming HOWTO)
- J Jackson wrote:
:-)
Not an MS shop. In a dept that uses
Solaris and Sun hardware for the following services:
mail, DNS, print server, backup and the majority of its file serving,
Linux and Apache for its dept. web services and most of its compute power,
and which only uses Microsoft IIS as a toy for student use.
We do run about equal Linux/Microsoft desktops.
Jim
p.s. feel free to use these figures.
MP