How Software is Built

Interviewers: Scott Swigart and Sean Campbell

Interviewee: Ben Chelf

In this interview we talk with Ben Chelf from Coverity. In specific, we talk about:

• Scanning the worldwide open source code base for vulnerabilities
• The necessity of automating defect identification
• Building scalability into code analysis
• Overcoming the limitations of automatic scanning
• The hubris of believing too much in your code
• The difficulty of appearing objective
• The changing face of code security and analysis

Continue reading…

Interviewers: Scott Swigart and Sean Campbell

Interviewee: Jamie Thingelstad

In this interview we talk with Jamie Thingelstad - CTO of the Wall Street Journal’s Digital Network. In specific, we talk about:

• Open and closed-source technology stacks at WSJ
• The technology evaluation process
• Intersections between open source and commercial entities
• Security considerations with open and closed platforms
• The value and liability of owning code

Continue reading…

Interviewers: Scott Swigart and Sean Campbell

Interviewee: Justin Erenkrantz

In this second part of a two part interview with Justin Erenkrantz we talked to him about:

• How the Apache project ensures good collaboration.
• The Apache Foundation’s philosphy of having no single person as the leader.
• Apache’s security committee.
• The process of removing someone from a position of responsibility within the Apache Foundation.
• What would make someone want to be part of the Apache Foundation’s group of projects.

Continue reading…

Interviewers: Scott Swigart and Sean Campbell

Interviewee: David Campbell

In this interview with David Campbell we talked to him about:

• His background with the SQL Server team and Microsoft
• What about planning, implementation, testing, delivery, and servicing do you think are unique to a product as high profile and critical as SQL Server.
• The Security Development Lifecycle and SQL Server.
• Usability and SQL Server’s Development.
• His experience with OpenSource databases.
• How much the experiences of mySQL and other open source databases have affected SQL Server’s development.

Continue reading…

There’s a good article on LinuxWorld about the security debate between open-source and Windows. My first question is, does it need to be a debate? In this day and age, isn’t it easy enough to quantify vulnerabilities?

If you are looking for subjective opinion, I recommend looking through the interviews we’ve done here. At the risk of sounding like a Microsoft fan-boy, the Microsoft interviews (in my opinion) demonstrate a company where secure coding is “in the water”. Code goes through threat modeling, risky function calls have simply been banned, code goes through automated and human inspection, and vulnerabilities that do slip through feedback into the process to determine how to prevent them in the future.

I simply don’t get the same feeling from the open-source people we’ve talked to. When we’ve brought the subject up, the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.

Am I completely off base? Do things like the Linux kernel and Apache go through rigorous security reviews? Is there proof that “many eyeballs” in open source is at least as good as something like the Security Development Lifecycle in Microsoft? If you’re in a position to know, let’s chat!

A while back, we did an in-depth interview with Michael Howard about Microsoft’s Security Development Lifecycle, which has been one of our most popular interviews to date.  It seems there’s a lot of interest in pulling back the covers and looking at how Microsoft is approaching building secure code. 

ComputerWorld just did an interview with Microsoft’s Scott Charney, which provides more insight into their efforts to produce secure products.

Interviewers: Scott Swigart, and Sean Campbell

Interviewee: Ryan Waite

Ryan Waite

In this interview, we talk with Ryan Waite, Group Program Manager for High-Performance Computing at Microsoft.  We talk about:

• Microsoft’s entry into the High Performance Computing area.
• Microsoft’s support of the open source Message Passing Interface (MPI).
• MPI has become bloated, and there’s no usability data (like there is with Microsoft Office) to indicate what should be deprecated.
• At Microsoft, select customers help shape the features for the next product release.
• Microsoft has always focused on ease of use, simplified administration, and uncomplicated setup. HPC is no different.
• Instrumentation helps find reliability issues. If partners are affecting reliability (with unstable drivers, for example) certification helps raise the bar.
• Parallel programming is now the only way to do more computation in the same amount of time. Processors just are getting faster like they used to.
• It’s easier for open source to be incremental. Proprietary software has to make radical changes.
• Hard drives + overnight shipping = really high bandwidth.

Continue reading…