Interesting Stuff From Microsoft
My colleague Dave Ladd has a post “Security Education v. Security Training” [link to http://blogs.msdn.com/sdl/archive/2007/05/02/security-education-v-security-training.aspx no longer works]:
Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security topics. Without the necessary exposure to secure systems design and concepts, more often than not these classes simply become a blur.
Over at the Old New Thing, Raymond Chen has a really interesting post titled “How my lack of understanding of how processes exit on Windows XP forced a security patch to be recalled” [link to http://blogs.msdn.com/oldnewthing/archive/2007/05/04/2402028.aspx no longer works]:
I was one of the people brought in to study this new behavior, poke holes in its design, poke holes in its implementation, review every line of code that changed and make sure that it did exactly what it was supposed to do without introducing any new bugs along the way. We found some issues, testers found some other issues, and all the while, the clock was ticking since this was a security patch and people enjoy mocking Microsoft over how long it takes to put a security patch together.
Too bad Mr. Chen didn’t instead say, “…since this was a security patch and people are likely to be exploiting this hole on our customers’ systems. And we don’t like being mocked, either.”