A thought I had reading this, not sure if it's related or not, would be just how responsible should the developers be. IE: If I were to write a windows app, coding it all with my best practices, and then decide to do the help in HTML. For my help window I use the microsoft HTML widget, embedding IE into my app. Somehow a security problem in the html renderer allows the system to get rooted. How proactive do you have to be in a case like this? Should I have written my own HTML widget? Or only display a plain text file? Or should I hold the maker of the widget at fault? If I shouldn't rely on others programs or libraries, how low should I go? Should I be writing everything from the ground up in ASM, or should I rely completely on the libraries I use, assuming they are perfect and secure?

I think that we are all responsible, from the couple of guys who decide to create a program to do such and such, to the users who aquire the program some time later. And add to that the police (using the word in its broadest sense) who track down and prosecute the bad guys attacking our computers and networks. We all must be vigilant in security matters, That includes educating ourselves and keeping up on the latest threats and appropriate actions that each of us can take to protect ourselves.

Hi,
I came across your blog when looking for some Xp reg hascks. I was pretty intriged with all the info I found. Alot of my co-workers are in the same feild of security. I personaly am Operations/Jr. Admin for IBM midrange/mainframe servers. Not to much on the security front, but I am trying to secure a Xp Pro SP2 from a 4yr old. I have set up a limited user account for him and have all media running in virtual drive manager so I can give him access to cd rom games and dvd's at will and never have to change a disk. The pc is media based only not internet to deal with for him at this point. I have made some system policy changes so he does not have permissions to shut down the pc at all from a login screen or once inside. I have also done the following reg hacks to limit him.
All done in
UKey:
NoTrayItemsDisplay
NoCommonGroups
NoViewContextMenu
NoFileMenu
these are all pretty good.

I am still looking for right click taskbar options removal, as well as others I have not got to yet. I have read on many sites that there are tons of entries for this section of the registry. Is there a site or book that may have a detailed list.

Thanks,
Jody

The problem is more basic than that. The computer is just a tool, and can be misused as such. Rookits are a good example. They are not programming flaws, but an extension of the OS. Behavioral analysis IPS systems are exactly what we need. It's like police for your network. Police are not perfect, neither are IPS systems, but it allow us to detect, investigate, and block irregular behavior. While it is true that we need to make are tools safe, we also have to recognize that people will disuse those tools. I believe the focus needs to be on improving accountability, so that it’s not such a faceless world out there.

Yes, application insecurity is one of the big ones. While I agree with the folks who say customers should be demanding more security, I see that basically they can say 'make it more secure' and that's about it. If they had the expertise and time to draw up a large list of coding practices (and tests to assure those practices were adhered to!), they'd be halfway to coding the product themselves! So in the end, they're sort of stuck with whatever the vendor told them about security. Because once you've invested in and rolled out a product, it's cheaper to work around security flaws (via firewall, IDS, etc) than to replace the software your business now depends on.

And yeah - coders code to whatever spec they're given. Few PM's are going to say "It meets spec - now spend a few more days on it!"

So I agree it's everyone's problem (and hence, everyone needs to do something about it), but there are two groups that need to start pulling more of the weight: _sales_ and _management_ for the software vendors.

Sales teams need to start articulating that they actually /can/ sell security, but it's a long haul. A couple of product revs out, they'll be able to start comparing their security to competitors. And they can take a page from MS, who have been lifting thier security cred somewhat by evangelizing their SDL & commitment to security.

Note that I'm not talking about the sales guys who work for eEye, or Foundstone, or similar security vendors. I'm talking about the ones who sell line-of-business software: CRM systems, databases, etc.

Management needs to hear this, and start pushing for the design and process changes that will make software more secure. As my wife says "Security is designed in - vulnerabilties aren't patched out!"

very nice and informal comments. i just surfed in this great place. you do a great job, well done.