November 12, 2003

DevCon (sorta): Talking with Michael Howard

Some of the tracks were kinda dry this morning, and I decided to hook up with Michael Howard from the Secure Windows Initiative at Microsoft. He is a colleague I respect highly, and I have always enjoyed his writings. One of my favorite books is his Writing Secure Code book, and I thought it would be good to get together with him for a bit. He's a busy guy, and I was happy to get a chance to hook up with him for the rest of the morning.

Had a great time. Really enjoyed talking about some of the education initiatives at Microsoft as well as the test harnesses that they are working with for code audits. (Verifier now FAILS if you use a NULL in the security descriptor. I only hope they move that to Driver Verifier).

It's good to know they have people like Michael at Microsoft. His experience and the work he is distilling into the foundation of Microsoft will ultimately affect everything they do. The training they did when they froze development at Microsoft way back when will finally be shown when Longhorn is released (although some was exposed with the reduction in the attack surface in Windows Server 2003). Unfortunately, Longhorn is still four years away.

Posted by SilverStr at November 12, 2003 02:17 PM | TrackBack

Comments
I'm so freakin jealous. I wish I could bend his ear for a good 30 minutes, just to try and understand the mindset Microsoft has currently about OS security. Did you guys touch on that at all?

Regards

Ya we did. Michael has an excellent grasp of OS security, and what they are working on in Longhorn will go a long way to make efforts to eliminate some of those issues we have seen in the past on Windows platforms.

Reality is that education takes time to build and grow. Most of the "code audit" work that was done when Microsoft stopped development can be attributed to his work, but we won't really see the results of it until Longhorn. (Remember most of Windows Server 2003 was actually written in 2000, whereas Longhorn 2006 was written this year)

I was impressed with the mechanisms they put in for security tests. I can't go into real detail, but let's just say I would gather most developers have a love/hate relationship for Michael and his department, because he has engineered excellent security tests in all the tools. It will catch many security-related bugs and stop a build if found. Simple things like lazy coders applying a NULL security DACL are good examples of this.

It was a rewarding experience, and I will hook up again with him next time I am on campus. Well worth the time spent!

Posted by: SilverStr at November 14, 2003 07:27 AM