The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

• Security Updates Available for Adobe Reader and Acrobat
• Google Patches Chrome 18 for Flash Flaws

So, make sure you cover all your software including third-party apps and open source.

Roger

March this year I migrated my blog from a SharePoint based solution to an OpenSource solution and never ever regretted it. I actually enjoy it. I described the whole migration here: Migrating My Blog. I enjoy all the different possibilities WordPress is giving me and by running on Windows Server 2008 R2, I am easily able to operate it.

So far, so really good – but… I now wanted to upgrade PHP to the latest version and I failed. I installed it, made sure that the php.ini file is back in place, restarted the machine and:

Since then I tried everything: Removing all my plug-ins, trying to look at the PHP log (which was accidentally switched on, grew tremendously but when I needed it, nothing was written in there) etc. etc. – no success. Luckily, I run my blog in a Hyper-V environment, which allows me to take a Snapshot and then fall-back to configuration I know that it works.

I started to post in the wordpress.org forum and did not get any response so far.

So, honestly, for my blog it is ok and as I said above, I do not want to complain as I did not pay for it and it is really cool stuff! But it is not business critical (even though I see a fair amount of hits every day – thanks to you all) but if I would have to run my business on it, there are two options: Either I hire a team, which has in-depth knowledge of the stuff or I just hope (which is probably not a good option for a business).

I am just a little bit frustrated. At the moment I am back to the working environment and will take another try, once I find some time to drill down further (or get a good idea from the community).

Roger

A few years later, we launched SAFECode in partnership with EMC, Juniper, SAP, and Symantec. The goal of SAFECode was and still is to enable experience sharing on how to develop secure code. There are more partners in the meantime – you can find them here. The strange thing happened during the initial press conference. An analyst spoke up and said: “Well, with these companies coming together and sharing experience and information, don’t you just drive the attackers to the companies not being part of SAFECode?”. Well, so what? Any organization can join and/or leverage what we do as everything on our Security Development Lifecycle is freely available and SAFECode published quite some paper on that subject, too. A lot of the tools, the methodology – everything. Free! Download it, use it, go for it!

The reason why I am writing this, is the latest discussions around the Insecure Library Loading, where we published an advisory Insecure Library Loading Could Allow Remote Code Execution. To me it shows one of the biggest challenges in the industry. It is not about securing the platform. We invested a lot of energy in making Windows the most secure operating system out there. Besides applying SDL and a lot of other processes, we included technology like ASLR, DEP and others to make it harder to exploit vulnerabilities. We have probably the best incident response in the industry. But the applications remain a challenge. This is true on Windows (like this case shows) as well as on other platforms. Securing the OS is one thing. Security the application ecosystem on top is a completely different story.

Therefore, there is a clear call to action: If you are developing software, go ahead and use any methodology to engineer security into your product from the ground up. Use SDL or any other process, which helps you to get there – but do something. If you want to get help to implement it, there is the SDL Pro Network, which can assist you (this is not for free then )

It is simply irresponsible not to do it as soon as you application is used broader than “just” on your own PC.

Roger

However, it is always interesting to see who is looking how at this debate. Does it help security if everyone can see the code or does it help the attackers? We have a program which we call Government Security Program, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area or cyberwar or cyber espionage. Looking at that debate, OpenSource would even be worse as it means access for everybody.

Now, I just read this article: Open-Source Could Mean an Open Door for Hackers. It is about a paper looking at data from Intrusion Detection Systems and their finding is that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. An interesting statement in the light that we know that there are more vulns in OpenSource software than in shared source and fairly often it is because of the lack of processes enforced to engineer security into the product from the beginning.

Another thing which is important to me is “As defenders get out their patches, the attackers have more incentive to move on to a different exploit,” Ransbotham [the author of the paper] says. In other words, having a strong incident response (besides the engineering process) is at least as important.

This should be something the industry adopts. We made our engineering process called Security Development Lifecycle public and I think our incident response is wide known as well as being a best practice. So, something people should finally come to adopt

Roger

Roger