SUMware (Premium member, joined 2002-05-21), reply to dave: "SDL is not perfect, nor will it ever be perfect."
said by dave: Ah. One employee of Microsoft says something, and it's reported as 'Microsoft says'... I bet you'll find some core OS engineers that agree with Russinovich and some that are seriously pissed off at him for dissing their baby in public. More lowered expectations...?
From ComputerWorld - April 27, 2007: "How the ANI bug got baked into Vista: Microsoft explains"

quote: In a postmortem of last month's Windows animated (.ANI) cursor vulnerability, one of Microsoft Corp.'s security development gurus today spelled out how the bug sneaked into Vista.
Michael Howard, an authority on Microsoft's Security Development Lifecycle (SDL) -- a multipart initiative that aims to get developers to design more secure code -- posted an extensive entry on the brand-new SDL blog that outlined lessons learned from the ANI vulnerability. "SDL is not perfect, nor will it ever be perfect," Howard acknowledged yesterday. "We still have work to do, and this bug shows that."
That bug, which first surfaced late last month and posed enough of a threat that Microsoft went out of cycle to patch it, affected all older editions of Windows as well as the newest, and supposedly more secure, Windows Vista. Some security researchers, in fact, took Microsoft and its SDL process to task for not catching the flawed code as Vista was written, debugged, tested and polished.
Michael Howard is a security program manager on the Microsoft Windows XP team, focusing on secure design, programming, and testing techniques. He works with hundreds of people both inside and outside the company each year to help them secure their applications. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 from Microsoft Press. Prior to working on Windows XP, Michael worked on next-generation Web server technologies and IIS. He has worked on Microsoft Windows NT security since 1992.