Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

ronjor · Jan 13, 2012

Editor’s Note: This is a guest post from Rich Mogull, founder of Securosis LLC, an independent security consulting firm. Prior to founding Securosis, Rich was a leading analyst at Gartner. He has 12 total years of experience as a security analyst.

Depending on your age, you might remember when the U.S. Hockey dream team won the 1980 Olympics, the first moon landing, or where you were as we entered the new millennium.

Me? Well, aside from some of those items, I'm chagrined to admit I remember when Bill Gates' Trustworthy Computing Initiative memo was released to the public. Not that there's anything wrong with that; depending on how you feel about certain levels of security geekery.
Click to expand...

https://blogs.technet.com/b/microso...oking-back-looking-ahead.aspx?Redirected=true

Rmus · Jan 13, 2012

Re: Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

It's now 10 years later and I don't think any reasonable person could argue TWC hasn't had an impact both inside and outside of Microsoft. Products improved, but more importantly the words "secure development" transitioned from "academic exercise", through "joke", into "process". Few major software companies or online services release products without at least some degree of security testing,
Click to expand...

Wow, I did a double-take when I read this last sentence!

Two things come to mind.

First, many years ago, one of my friends who was a great influence on my thinking in security retired as a programmer. It was customary in his times, he explained, to check and recheck each line of code for any bugs. Self-respecting programmers would be embarrassed -- if a buffer overflow today--, for example, showed up in their code.

The current problem (many vulnerabilities showing up) from his perspective was not bad programmers, rather, the urgency to release products on the market before the competition did, or to meet marketing goals (release by Christmas, etc.)

Second, in fairness, code has become so complex (especially code in an Operating System) that testing for vulnerabilities is a real problem.

Microsoft addressed this shortly after the Conficker worm which exploited MS08-067:

MS08-067 and the SDL
http://blogs.msdn.com/b/sdl/archive/2008/10/22/ms08-067.aspx

In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck. So what about tools? It's very difficult to design an algorithm which can analyze C or C++ code for these sorts of errors. The possible variable states grows very, very quickly. It's even more difficult to take such algorithms and scale them to non-trivial code bases. This is made more complex as the function accepts a highly variable argument, it's not like the argument is the value 1, 2 or 3! Our present toolset does not catch this bug.
Click to expand...

----
rich

ronjor · Jan 13, 2012

To quote: "We're 10 years in. The software world is dramatically different, but we are still only at the start of a very long trip."

Rmus · Jan 13, 2012

Re: Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

The software world is dramatically different, but we are still only at the start of a very long trip."
Click to expand...

And how different from my friend's world!

The TWC initiative has been effective, but it's up against a lot of boulders in the road as it proceeds. One huge impediment is the huge number of brilliant cybercriminal programmers worldwide poring over the same lines of code, looking for potential bugs/vulnerabilities in almost every software product in the market!

----
rich

ronjor · Jan 13, 2012

cybercriminal programmers
Click to expand...

Not to mention outright thieves.

Tarnak · Jan 13, 2012

Rmus said:

And how different from my friend's world!

The TWC initiative has been effective, but it's up against a lot of boulders ...[...}

----
rich
Click to expand...

Ah! Living the dream...confabulation

Rmus · Jan 13, 2012

Re: Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

ronjor said:

cybercriminal programmers
Click to expand...

Not to mention outright thieves.
Click to expand...

What's the difference?!

----
rich

ronjor · Jan 13, 2012

Some want the money, some want the mayhem.

Rmus · Jan 13, 2012

Re: Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

ronjor said:

Some want the money, some want the mayhem.
Click to expand...

Thanks, I'll make a note of that!

----
rich

Log in or Sign up

Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Tarnak Registered Member

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

Log in or Sign up

Trustworthy Computing’s Impact a Decade On: Looking Back, Looking Ahead

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Tarnak Registered Member

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

Useful Searches