Microsoft to Clean Up Code

the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.

Fat Chance

[OmniVector]

If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.

The OSS model of peer review on a large scale is the sole reason for such reliable security.

Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.

Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been non-existant for a half a decade by now.

Re:Fat Chance

[jkrise]

"it's not important that Microsoft fix the majority of their security flaws, but that they imply they will."

Let's have a debate at Ask Slashdot. Is it EVER possible to make Windows secure? Not maybe in the same league as Linux or Unix, but even marginally better than what entails now?

The challenges:
1. An integrated all-in-one tightly coupled design - anything breaks, everything compromised.
2. Proprietary standards (if that isn't an oxmoron)
3. Newer OS releases atleast once a year, to break competing code.
4. Newer releases to support existing apps (3 and 4 directly contradict)
5. Code size and complexity - I doubt anyone, even at MS has access, let alone modification rights to the variuos code bases.

Put simply, Mission Impossible.

Re:Fat Chance

[Daniel+Phillips]

...that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch.

They already tried that, it's called "NT". Things got better for a while, then the application mafia got their fingers in and it degenerated back to the current mess.

So they could start that process over again, and be finished in 5 years, just in time to see their stock make the final dive into the subbasements. Or they could learn from Apple once again, and switch to BSD, it's free :-)

Re:Fat Chance

[walt-sjc]

Just read that drivel, and there ARE some valid points, but it is NOT universally true.

Case in point, I was on a team that redesigned an entire large-scale system from scratch. The old system was built in lots of little parts using various languages (shell, perl, java, c++, c, python, lisp), multiple databases from various vendors, had virtually no internal documentation on how anything worked, etc. They system was quite unstable crashing multiple times a day, and very difficult to enhance without breaking shit. Kinda like Windows...

We re-built the entire system in about a year (about 750K lines of code which was about half the size of the original code.) The result was amazing. After the initial deployment period where the bugs were worked out, the system was rock solid being able to stay up for months at a time, was Very easy to enhance, had tones more features and flexability. We had a great team, and a solid commitment from senior management providing the needed resources.

Netscape's biggest problem was not starting over from scratch, but poor project management (not keeping people within original design constraints) and a lack serious commitment from senior managment. Rather than having a very tight set of requirements and design goals, things were very nebulous and got out of control very quickly. No longer were they building a new browser, but a cross-platform framework for any kind of application they could think of. When you look at projects such as Galeon, most of that bloat is ripped out.

Rather than folling a bad example of how to run a re-design project (mozilla) MS could EASILY afford a new team to start Windows from scratch, leaving the existing team in place to continue to enhance / maintain the existing code base. This is the step that Netscape missed. They only used a small fraction of their people to maintain (and NOT enhance) the old code.

Joel is making his claim by using the worst case example. Kinda like if I claimed that you should never put the gas tank in the back of a car pointing to the Pinto as my evidence, ignoring the thousands of other car designs that worked.

I'm suprised...

[DJPenguin]

... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?

Oh well. as they said - it's a step in the right direction.

Where have I seen this before...

[geesus]

OpenBSD have done this. They set up a team of dev's who went through the entire code fixing up buffer overflows\underflows, and all that jazz. I hope for the worlds sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it wont make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.

Slashdot's Microsoft Obsession

[Pave+Low]

Recently it seems not a day goes by on slashdot without a few Microsoft stories. This supposedly linux, open-source focused site seems awfully preoccupied with Microsoft for some reason, and it's not good.

The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.

Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.

Re:Port to Java!

[dimer0]

Yea, it really sucks that I can develop and test code on my Windows laptop and just copy the compiled files over to an AIX box, or Intel/Linux box, and everything works perfectly.

Methinks you're a disgruntled C programmer feeling the world's leaving you behind.

Get with it - there's tools for every job - pick the one that works best.

My original point was made in humor partly - but the main point was that normal security exploits attacking buffer overflows, for example, are a non-issue in my 'interpereted language'.

Open it up

[Midajo]

Nobody in their right mind is going to simply take it for granted that any given operating system is secure. Considering Microsoft's track record of programming, they are the last people anyone should blindly trust. The only way to deliver security on a project of this magnitude is to open the source to peer review.

Credit Where Due

[k0de]

If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.

Re:Credit Where Due

DJ Bernstein has made claims about the stability of qmail, even rewards for anyone who finds a security exploit. I don't think anyone has ever found exploitable code in qmail, and it's open source.

The amazing thing about Oracle and MS-ware is that it's closed source and exploits are still popping up all the time.

Re:Credit Where Due

[deranged+unix+nut]

Check out Windows Server 2003 - Microsoft was really trying to focus on security, and even got bashed by customers because they made it so secure that some of the applications wouldn't work anymore.

You don't "fix" 50 million lines of code overnight, especially not when it has taken 10 years (or more) to write. However, all of the developers really did take a few days to go through a set of classes on how to write secure code, and then spent the next month reviewing their code for security problems. All of the program managers really did go to classes to learn about security vulerabilities and how to find security weaknesses in their designs, and then went back and updated designs where needed. All of the testers really did go to classes to learn how to find security bugs and then created security test plans and spent a month doing nothing but looking for security bugs.

It probably isn't perfect, if Microsoft went for perfect you would be paying ten to twenty times more for the software, but for the first stab at really fixing the server operating system so that it is secure out of the box, I would say that 6 months of effort went into making Windows Server 2003 secure that wasn't in the plan prior to the trustworthy computing initiative.

Re:Port to Java!

[GigsVT]

I think you forgot to add this:

and everything works perfectly*.

*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"

Seriously though, every Java based piece of software we have looked at has been total crap. Many of them require a certain runtime, such as one web service from a major company we looked at, that only works with Apple's runtime. Other's only work with MS Java runtimes. The list goes on.

I'm telling you again - Hire Theo.

[TerryAtWork]

What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.

Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.

He'll give you a seminar on code cleaning you'll never forget.

Manpower? More MS myth tossing

[djupedal]

MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yocals, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.

What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50, 030

GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.

Re:more of the same

[cshark]

I have yet to see anything substantial in this area from this company. In my experience, the only way to fix code that messed up is to do a complete re-write plugging in bits of the origenal where it can. It's a lot of work, but worth it in the end.

Re:A good thing

If true, than M$ has internalized, or is attempting to, another OSS development process feature into it's corporate structure.

Even if it was just a flapping of the lips, it's a good thing, especially for all the shops in the IT world who take hints from the large players, which, like it or not, M$ is. I got a copy of "Code Complete" from M$ Press my first day on the job here. People do pay attention.

Re:A good thing

[dthable]

The concept pre-dates open source development. They did have peer reviews in the days of the mainframe.

Re:A good thing

[DrTentacle]

Sure, the concept of peer review is an old one. This is a slightly different slant, however - The security review is not to check that the code performs it's task correctly, rather that it does not compromise the security of the application.

In the OSS community, code (potentially) gets reviewed by people with expertise in a number of fields, something that is not guaranteed in a closed-shop development team. Hence, my observation that this is a watered down version of that process, with it's focus solely on security.

Re:more of the same

[tomhudson]

and putting it in the hands of a review group, rather than educating their coders (who are, after all, the ones who wrote the bugs in the first place) on how not to write buffer overflows, etc, is the WORST way to go about it.

So, here's a rather obvious 1-2-3-profit list

1. patent the buffer overrun
2. sue microsoft for every infringement
3. profit!

Re:sceptic

[Shalda]

Perhaps you haven't looked too closely at Windows Server 2003. I've been kicking it around for about 2 weeks now and let me give you some highlights.

1. Stuff works. It's the easiest time I've ever had configuring a server. It's like flipping a switch.
2. Stuff is locked down. Everything out of the box is turned off. When you do turn it on, it's locked down by default. Everything runs with the lowest privelege possible to get the job done.
3. Reliable. Nearly anything can be done without restarting the machine. The only exception I've had so far is making it a domain controller.

Frankly, I'm looking forward to working with it in a production environment.

For the world's sake

[truthsearch]

I hope for the world's sake they do a terrible job and most people realize it. If their software remains marginally good enough in most people's minds, as it is now, it'll continue to be used. Their walking a thin line right now. If their software is seen as more expensive, buggier, or more insecure than it is now, even by just a little, they'll hurt. Anything that keeps them above that line keeps them in business. I'd much rather see them fail so there's a much quicker transition to FOSS.

Pardon my cynicism but ...

[Tsu+Dho+Nimh]

haven't we seen a security initiative before, the one that was supposed make Windows more secure than ever?

Will this group have the authority to hold up a release if there are security holes? If not, they are just window dressing.

Is this group REALLY going to be able to get Microsoft to create secure code, or just avoid goofs so large they provoke those embarassing industry articles about lack of security?

Re:more of the same

[acebone]

Most people do not CHOOSE to use IE - it is simply what is available from the get go on their computers with windows pre-installed...

On win2k you can't even remove outlook express (yeah of course you can - but not by simple means).

Click the outlook express by mistake once - it won't even ask you - it will just take over as default mail app.

Re:But it IS important

[bier]

I agree, it IS important. Not the bashing, although it is fun sometimes, but rather the fact that this OS non-corporation called Linux is managed, marketed, funded, researched and developed by people like us.

The mucky-mucks at MS, or Apple, or any other software company work long days worrying about and getting all the info they can about other companies.

Since linux is non-corporate it is up to people like us to discuss, argue, trash-talk, and otherwise beat to death information and news about the competition.

To me its just good business.

Re:A good thing

[GreenBugsBunny]

That's because (for the most part, anyway) the developers are writing the software because they want to, so they're going to do it right. Closed-source shops have deadlines & developers will often take shortcuts to meet them.

Re:A good thing

[mystran]

Actually, this sound like a good idea to me. I think that it's actually better than any of their old Security Initiatives.

Having some people to actually just fix security issues is good, since then those people can concentrate on security topics.

Even if all their developers where aware of security issues, there actually has to be some group that concentrates on KNOWING about the issues, so that not only is code looked after, but actual developers have someone to ask when they think "there is potential pitfall here" but don't know the exact problem/solution.

I think Open Source security works because there is always someone that can show the actual problem with the code.

There's also the problem of big picture. While you COULD check buffers at every stage of code, you actually only need to check data that is coming INTO your code, as long as you trust your own code. Problem here is that there is often functions that SHOULD get data only after it's validated, but for some reason get it without validation. If there's someone who knows the actual validation process and data flow, and whose job is to check that all is fine, then security can be built as the first layer, not just small checks in 11001 places.

Ofcourse everyone still needs to check return values of functions that can fail (or catch exceptions when programming with a sane language).