November 3rd, 2003, 02:34 PM
Gates has overlooked critical points
Software experts react to Microsoft chief's statement on 'perfect code'.
In a recent interview for ITBusiness.ca, Microsoft chairman and chief software architect Bill Gates is quoted as having said:
"You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way - and when I say firewall I include scanning e-mail and scanning file transfer - you wouldn't have had a problem."
Mr Gates overlooks here two critical points.
First, firewalling and patching cannot, in fact, shield networks from all of the impact of worms and viruses. Ask any experienced network admin. There will always be users who bring into a firewalled network a laptop that was, for example, infected at home. Once that infected laptop is connected to the enterprise, the firewall is irrelevant. Worse yet, no matter how aggressively a company has propagated a patch throughout the network, the routine influx of vulnerable, unpatched systems (from that same migrant laptop community) will continue to supply fresh meat for the malicious software.
Second, the security of the application itself is tightly bound to its design and implementation as well. A company that writes its own business software could well go broke following Mr Gates's advice.
To illustrate this, let's consider a hypothetical example that is very realistic in today's business environment. A company writes a web-based application that enables its customers to log in and purchase its goods. In keeping with Mr Gates's recommendations, they install a high-quality, state-of-the-art firewall and put in place processes for rapidly installing every security patch that Microsoft releases. (Perhaps they test them in a controlled lab environment first.)
Now, let's further say that the team that wrote the application software took the above quote by Mr Gates to be accurate. But it turns out that there's a problem in the software that the team wrote. Because their front-end software (that runs on their web server) doesn't properly screen users' input - after all, "you don't need perfect code" - an attacker discovers that a vulnerability known as "SQL Insertion" exists in the application. The SQL Insertion vulnerability enables the attacker to enter SQL-based database inquiries directly to the back-end database server, and make read/write changes to the database at will - perhaps he would change the price of his purchase to $0 and the quantity of his order to 1000, or some such. You get the drift.
In this hypothetical example, the firewall did its job perfectly. All systems had up-to-date security patches installed. Yet the attack succeeded at compromising the database system (AKA the company's crown jewels).
While it's true that "perfect code" is probably not achievable, you do need "secure enough" code; and achieving that takes a great deal more than a good firewall and patch maintenance processes. It takes a sound design, built on top of a firm architecture. It takes an implementation of the software that is free of such common flaws as SQL Insertion, buffer overflows, and the like. And, it takes a well designed and operated production environment with a firewall and such.
Every Software Designer and Software Architect in major corporations needs to understand these principles if their own network and business applications are to be secure.
Mark G. Graff and Kenneth R. van Wyk are the authors of Secure Coding.
"First, firewalling and patching cannot, in fact, shield networks from all of the impact of worms and viruses. Ask any experienced network admin. There will always be users who bring into a firewalled network a laptop that was, for example, infected at home. Once that infected laptop is connected to the enterprise, the firewall is irrelevant."
"A company that writes its own business software could well go broke following Mr Gates's advice."
Right to the point, I can't agree more. I wonder, is there a way around it though, cuz we can't produce perfect secure code.
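The article's hypothetical order form, as an added example that is not part of the original thread or the quoted article: the same order routine written once with the "SQL Insertion" flaw (today usually called SQL injection) and once with input screening, a server-side price lookup and bound parameters. The table layout, function names and the sample form value are assumptions constructed for illustration.

```python
import sqlite3

# Constructed hostile form value for the "quantity" field (illustration only).
HOSTILE_QTY = "1000, 0 FROM products WHERE id = 1 --"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, price_cents INTEGER NOT NULL);
        CREATE TABLE orders(customer TEXT, product_id INTEGER,
                            quantity INTEGER, unit_price_cents INTEGER);
        INSERT INTO products VALUES (1, 4999);
    """)
    return db

def place_order_vulnerable(db, customer, product_id, quantity):
    # Flaw: form fields are pasted into the SQL text, so input can rewrite the query.
    db.execute(
        "INSERT INTO orders(customer, product_id, quantity, unit_price_cents) "
        "SELECT '%s', id, %s, price_cents FROM products WHERE id = %s"
        % (customer, quantity, product_id))

def place_order_safe(db, customer, product_id, quantity, max_qty=100):
    # 1. Screen input: both fields must parse as integers in a sane range.
    try:
        pid, qty = int(product_id), int(quantity)
    except (TypeError, ValueError):
        raise ValueError("product_id and quantity must be integers")
    if not 1 <= qty <= max_qty:
        raise ValueError("quantity out of range")
    # 2. Price comes from the server-side catalogue, never from the request.
    row = db.execute("SELECT price_cents FROM products WHERE id = ?", (pid,)).fetchone()
    if row is None:
        raise ValueError("unknown product")
    # 3. Bound parameters are always treated as data, never as SQL.
    db.execute("INSERT INTO orders VALUES (?, ?, ?, ?)", (customer, pid, qty, row[0]))

def orders(db):
    return db.execute("SELECT customer, quantity, unit_price_cents FROM orders").fetchall()
```

Neither a firewall nor an OS patch sees anything unusual in the first routine's traffic; only the second routine's checks change the outcome.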
November 3rd, 2003, 02:38 PM
I believe Mr G forgets a Few Things.
1. If his software didn't have gaping holes and backdoors, being constantly on the ball would not be an issue.
2. Not everyone is a security expert.
3. The most perfect CPU and software can still be vulnerable to the ignorant user.
November 3rd, 2003, 06:26 PM
I think old Bill's comments are stupid, IMO.
As the world becomes more wired there needs to be more secure code. After all, firewalls are often not set up correctly and anyone that wants to get in could too. It may be harder than an unpatched/un-firewalled network but it's always going to be possible. There is a major need for code to be audited correctly; this is part of the reason I think open source code is best.
There will always be someone capable of outsmarting a system. It's why a lot of real hackers do what they do, just to outsmart and challenge themselves.
By making the underlying code, like the kernel, more secure with good code practice and good auditing, it's going to make it increasingly more difficult for attackers to use these means.
I think Microsoft's policy on security is really to let other software companies deal with the security. IMO they should take more interest. If you think of a drain pipe that's supplied with holes in and the builder is left to patch these holes up, they're likely to fail in the future, whereas a pipe with no holes in is less likely to develop faults in the future.
November 3rd, 2003, 06:31 PM
Could it be that he was implying firewalls on every computer in the network? I agree, but he does have a point, if you were to provide ultimate utopian secure code, then yeah, no one would be able to exploit the software... but that is like candy security, hard on the outside and chewy on the inside... there is needed to be more, but at least it is nice to see what G is thinking about/road map.
November 3rd, 2003, 09:19 PM
We utilise a distributed firewall and that does add a level of protection vs the home-user laptop, but the patching bit is a load of crap. From a company that runs a lot of custom code I can tell you that every MS patch breaks at least one bit in at least a minor way. So every patch needs to be tested and a number cannot go into production until the custom code is debugged and fixed. You also need to look at all of the security holes that go unpatched (at least 30 major exploits in IE alone that are not and will not be patched.)
Who is more trustworthy than all of the gurus or Buddhas?
November 3rd, 2003, 09:22 PM
This is exactly what I'm talking about.
Instead of posting any useful, relevant information you choose to cut-n-paste articles off the web. What a waste of bandwidth.