How Software is Built

Stormy Peters, Directory Of Community And Partner Programs For OpenLogic

Posted on by Carlos Kelly

Stormy Peters in NYA prominent free and open source software (FOSS) advocate, Stormy Peters joins OpenLogic from Hewlett-Packard (HP) where she founded and managed the Open Source Program Office. As an early adopter of open source, Stormy was responsible for HP’s open source strategy, policy and business practices. She was also a founding member of HP’s Linux Division.

Stormy is a frequent keynote speaker on business aspects of open source software at major conferences such as the Open Source Business Conference and the O’Reilly conferences. She has addressed the United Nations, European Union and various U.S. state governments on open source software. Stormy is a co-founder of the non-profit GNOME Foundation, which is based on open source principles to encourage the development of a computing platform, comprised of free software, for use by the general public.

Stormy joined HP ten years ago as a software engineer in the Unix Development Lab after graduating from Rice University with a B.A. in Computer Science.

Stormy is constantly seeking new adventures. She has lived north of the Arctic Circle, traveled around the world solo and, most impressively, taught classes to twenty-two eight year olds.

Read more

Interview With Michael Howard, Senior Security Program Manager At Microsoft

Posted on by Carlos Kelly

michael howardIn this interview, Scott Swigart, Sean Campbell, and Richard Bowler interview Michael Howard, a senior security program manager in the Security Engineering team at Microsoft, and an architect of the security-related process improvements at the company. He is the co-author of many security books including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and Writing Secure Code for Windows Vista.

In this interview, Michael exposes how Microsoft developed the Security Development Lifecycle, which has decreased the number and severity of vulnerabilities in their products. Michael also directly challenges the notion of “many eyeballs” leading to secure code. Highlights include:

 

Richard: Michael, thanks for taking the time to chat with us. I’d like to start by getting your take, if it’s applicable, on the advantages of open source or closed source in the context of security.

Michael Howard: I think to actually describe it as closed source or open source is really a bit of a misnomer. Really, it’s who controls the process and what the process is. And so, the implication is that closed source tends to have more of a documented process. Whereas the open source guys, perhaps, don’t. I’m not saying that’s true either way.

But if we’re looking at it from a Microsoft perspective, I think one of the advantages that we have here — a big, big advantage — is that we can mandate policies. “You will do this, and here are the criteria that you must meet before you can ship some software.”

The joke is, if you want to be involved in the Microsoft Salary Participation Program, you have to do this stuff. When people say to me, “How many security people have you got working on Vista?”, the answer is that it’s 6,000 people, because everyone has got at least a baseline level of security expertise. We enforce through education, and through the use of centralized tools and that kind of stuff.

With the Security Development Lifecycle (SDL), there are things that you must do. You can’t write code that uses banned functionality. And so on, and so on, and so on. We can enforce that.

I think that’s a big advantage that we have.

Richard: I think that’s the general perception, that process is more enforceable in a proprietary source environment than when you’re dealing with individual contributors in different locations.

Michael: I’ve talked to a few open source guys about what we do here and their comment was, “Well, that’s just draconian and stifling creativity.”

My response to that is, “No, that’s just discipline.” And fortunately, I think the days of software being written by cowboys are behind us. When I say “us,” I mean the industry, I don’t mean Microsoft, I mean the industry as a whole. I mean, you need discipline. And that’s what the process gives us.

Richard: So, about the SDL, can you give us some idea what gave birth to the idea of a set of security-specific processes blended with the SDLC seed that was already in place?

Michael: Five or six years ago, it was obvious to us that software development processes, regardless of who the vendor is, just didn’t give you secure software. We saw that by the sheer pandemic of security bugs across the industry.

Therefore, we needed to change the process, and we had three possibilities. One was to hope that the problem would go away, which was obviously not going to happen. Another one was to completely rip out the existing process and replace it with something brand new. Well, that’s not going to happen either, because, at the end of the day, Microsoft is actually good at shipping software. You can argue about whether it’s on time, that’s another matter, but the company as a whole is good at shipping software. That’s what we do. So, let’s not change that. The third option is taking some existing process that does ship software, and augment it with security requirements.

That’s what really led to the SDL, which is ultimately just taking whatever process you currently have, and layering security requirements on top, with security-related deliverables along the way.

If you have a waterfall model or a spiral model or an agile model, it really doesn’t matter. SDL layers on top of your existing process.

Richard: It seems that Microsoft is being a little bit evangelistic about the SDL, trying to convince others to put it in place in their own development process.

Michael: Well, actually, the funny thing is, to answer your question directly, yes. But to give you the more long-winded version, we’re actually being asked by a lot of companies as well. “What have you done?”

And I think that’s really interesting to see. It means that 1) people are actually seeing that we’ve made some progress and 2) they also recognize that they can possibly make some progress too.

So, it’s actually both. We would like to just go out there and evangelize the stuff, but frankly, we’re also being asked the questions as well, which is absolutely wonderful.

Richard: The SDL seems focused on process to limit the number of security bugs that get written in the first place, instead of the entering a test and fix mode at the end of the process. Can you talk about the relative success of that goal?

Michael: Actually, there are really two goals of SDL. Goal number one is to reduce the number of vulnerabilities in the code. And goal number two is to reduce the severity of what you miss. You’re never going to get all the vulnerabilities, ever.

The thing that sets security apart, more than other disciplines, is that the science is constantly evolving. The person on the other side of the table wants to take you down and will do whatever possible to take you down. It’s a very, very interesting field of expertise.

Getting back to the first goal, which is reducing the number of vulnerabilities in the code, there are really two parts to that. One is essentially going through all the code and just removing vulnerabilities.

For example, we went through the entire Window’s Vista code base, looked for banned function calls, and removed those banned function calls from Vista.

It doesn’t mean there was vulnerability there, but one thing I can tell you is that by removing them, if there was an undiscovered vulnerability there, there’s a good chance that it’s gone now.

That’s the first aspect, just going in and cleaning up and re-reviewing code that may have been written 10 years ago, when the threat landscape was very different. The other aspect is to not add new vulnerabilities to the code. That’s why we have education; that’s why we have tools; that’s why we have bug testing. The whole point is to catch problems before they are added to the code and put into the software.

And, frankly, one of the biggest parts is just education, making sure people are aware: “Don’t do this, instead do that, if you’re writing this type of code. These are some of the assumptions that you need to be aware of about the attackability of your system. Here are the things that you should be aware of.”

Now, that by itself, just raising awareness and holding people accountable for it, exponentially increased the quality of the code. That includes producing fewer bugs. I’m not going to say that we’ll ever get to zero, I’m not going to go there at all. But we have seen a huge improvement.

Scott: I guess, talk a little about that. What, quantifiably, have you seen being the results of SDL?

Michael: The cynic in me says I can always point to a pathological case. I can always show pathological data that will prove that anything doesn’t work. It’s really about a bell curve of products. Some products have done exceptionally well; some products still need to make improvements.

[One of the] products that have done exceptionally well is our Web Server, IIS. When you look at IIS6, it has had two security bulletins, and both of them are in components that are off by default.

Now what is fascinating about those two bugs is both of those bugs also affect IIS5. In IIS5, the vulnerable features are on by default. In IIS6, they’re off by default. One of the goals of SDL is to reduce the severity of what you miss. Well, both of those bugs are less severe in IIS6.

That is one example. Another good example is SQL Server. In Service Pack 3, they really went to town on that product, security-wise. And we have not issued a security bulletin in the SQL Server engine in over two years.

Last year, in the “Month of browser bugs,” IE7 came through completely unscathed. I can’t say the same for IE6 and IE5, but IE7 came through completely unscathed. And that is because of the security work we did. And I can attribute that completely to SDL. You look at Office 2007 and the current bugs that are affecting Office 2003 are just not affecting Office 2007. So there is a lot of progress that is being made.

Richard: I was going to ask you about whether there were bad practices in the past or whether it was just an absence of good practices. I think you pretty well made the case that it was just the absence of good practices, right?

Michael: I think an absence of best practices and a lack of awareness of the real issues. A lot of people are just not aware of the issues that are out there. And I think a lot of people believe that because they are running on a Mac or Linux that they don’t have security bugs and everything is fine, it is just Microsoft with security bugs. Which is clearly not true.

Scott: People who read this will be sure that I’m saying this out of bias, but it does really seem that the latest Microsoft products are significantly more secure than the latest major open-source products.

Michael: Well, it’s funny, I listened to a podcast yesterday at the gym, and they got going on about how insecure Windows was and how they run Macs and they are fine. It’s like “Oh my God guys, have you been ignoring the security updates for your machine?” The sheer lack of recognition of the pervasiveness of security vulnerabilities across the industry just blows my mind.

Scott: Are you seeing any trends where as the Microsoft products become hardened that hackers are going after softer targets?

Michael: Yeah, you bet. Absolutely. We have been seeing that for about two years. The big problem is you don’t read about it, you don’t hear about it. We do, we watch what is going on in the industry, and we are seeing other systems being compromised regularly. Just because they are not getting as much press doesn’t mean they are not getting compromised.

But, you know, to be frank, if we get bad press, I don’t mind so much, because it means that people will know they have to apply the patches. I think that is critically important.

Scott: Playing devil’s advocate here, how would you respond if I

Read more

Interview With Shawn Burke, Director In Microsoft’s .NET Developer Platform Group

Posted on by Carlos Kelly

shawn burkeIn this interview, Scott Swigart, interviewed Shawn Burke of Microsoft. Shawn Burke regarding the way software is developed within Microsoft. Shawn is a Director in Microsoft’s .NET Developer Platform group. Currently, Shawn is focused on building shared-source projects focused on new developer technologies from Developer Division. Since he started working at Microsoft in 1997, he’s worked on Visual J++, Windows Forms, and Visual Studio.

This interview covered a wide range of topics some of which follow:

Scott Swigart: Shawn, thanks for taking the time to chat with us.  If you wouldn’t mind, could you introduce yourself a little bit?

Shawn Burke: My name is Shawn Burke. I’ve been at Microsoft going on 10 years now. I’ve spent most of my career at Microsoft on the Windows Forms team. Originally it was the WFC team, which was part of the Visual J++ product. On Windows Forms (which became a big chunk of the .NET framework) I went from just a software engineer to lead engineer up to development manager on that product. I ran that team for three or four years. When VS 2005 shipped in 2005, I was ready for a change. I saw what I thought was a bunch of opportunities for Microsoft to improve the way that we develop our software, specifically around driving good contextual feedback into our products at an earlier point in the development cycle.

I went to Scott Guthrie and said, “Hey, why don’t we create a team that’s fully focused on consuming early technologies here at Microsoft.” We’re going to expose our learning (and what we’re doing) really transparently out to the community. We’re trying to drive a tight feedback loop from the community into the development team who is actually building the product. We’re trying to improve quality all along the axis.

Scott: So it’s that whole concept of . eating your own dog food You’re on a team now that specifically does that?

Shawn: Kind of, yeah. The dog food thing is usually more at a consumer-level. We’re really focused on development technologies. We’re focused on, “Hey, some technologies are just getting off the ground. What can we go out and try to build on top of that technology and really drive scenarios?” Can we take actual Microsoft plugged-in engineers and do things with technology and influence how it develops? It’s an extension of the dog-food-eating thing, but it’s a little deeper than that.

Scott: That makes sense. My background is also with developer technologies, and I’ve noticed regardless of whose technology you’re using, that you sit back and look at it and wonder if the company that built it ever tried to do anything “real” with it. There are always a lot of things you stub your toe on when you start.

Shawn: There’s one problem with developer technologies though, and this is something people don’t really often realize. When I build Minesweeper or Notepad or an application like that, it’s very easy for me to enumerate the scenarios that people are going to use on it. If I build a compiler or a framework, it’s very difficult to enumerate the scenarios. There are essentially an infinite number of them. The stubbing-the-toe phenomenon is one we definitely focus on, and one of my goals is to try to avoid that. At the end of the day, it’s really hard to know exactly what people are going to use the development tools and frameworks for.

Scott: Talk to me a little at a really high level about how Microsoft builds software? Where do ideas come from, and how do these get slated for coding? How do they get built? What are some of the things along the process to release and then even to servicing?

Shawn: So traditionally what’s happened is that’s been driven simultaneously bottom-up and top-down. What’s usually happened is that you have teams that have released a prior version of a product. They’ve learned about the space. They looked at the industry. They realize a need by talking to customers in a variety of ways. They start coming up with things they think are going to address the needs of their customer set. They do that via their engineers working with customers across their prior project. They do that via their engineers just having brainstorms about, “Oh my gosh. We could solve this problem this way,” et cetera.

So what ends up happening is that you wind up with a bunch of product ideas early in the product cycle, and people start slating out things that they want to do. We’ve gotten more regimented about this. In the past, it was more like we’d just write everything down that we wanted to do, and we’d start going and doing it. Then, farther down the road, we’d have to start cutting things.

We’ve gotten better about that. We have quite a bit more top-down influence now. Not over specific features, but what ends up happening is that the feature teams have a good read on what they think they need to do. What happens top-down is that we have what are called “pillars” for a given product.

For Visual Studio 2005 one pillar was “Please the VB [Visual Basic] customer.” The VB customer (from the old Visual Basic days) was not terribly thrilled with our VS 2003 and 2002 releases. It didn’t really address their needs in a way that we thought it was going to. For 2005, one of the pillars was to address the needs of the VB customer.

From the top-down we’ll have a few pillars, and the individual teams will need to justify how each one of their features fits into one of those pillars. At that point, there tends to be some agreement on what people go off and build.

The process varies from team-to-team and from division-to-division within Microsoft. In the developer division, the developers and the program managers will sit down and spec out a feature. PMs will write the specs, and the developers will give them technical input. The developers may write prototype, since the best way for most people to learn about a feature is to try and write it.

Then it becomes an iterative process where you refine the specs as you start to develop the product.  As time goes on, resource constraints usually cause you to trim down what you’re going to deliver. You just iterate from there.

Scott: So software a lot of times goes through different milestones, you’ll hear about a product being an M1 or an M2.

Shawn: Yep.

Scott: There are CTPs and there are RCs. What is all that? What’s a layman’s glossary?

Shawn: Usually what happens is similar to Boyle’s Law: work expands to fit the space you give it, much like a gas. So you need to put constraints in there to get things to ship.

One of the ideas of milestones is to force teams to think about their products and their features in manageable chunks. The risk of having somebody go off and crank on a feature unsupervised for months or years at a time means you’re going to have issues. That just doesn’t work. So what you do with milestones is force people to break things into manageable chunks. You make them tightly figure out exactly what the costs are going to be, figure out exactly what the testing recommendations and requirements are going to be, etc.

Usually what happens is that teams take their features for an entire product and break them up into milestones: milestone one (M1) we are going to do this feature, milestone two (M2) we are going to do this feature, etc. At the end of each milestone, you have a mini-release.  A lot of times you do Community Tech Preview (CTP) at the end of a milestone. Usually at the end of a milestone your at a know point where, which is to say the product is at zero active bugs at a certain priority level.  You figure out some filter for your bugs, and you say we’re going to drive to zero at the end of the milestone. Then you start over again with the next milestone.

As milestones go on, you are more and more careful about adding features. Milestones are also used between teams.  If team A needs a feature from team B, team B will do that as an earlier milestone so that team A can pick it up sooner.

Another thing we started to do is add something that we call milestone quality, MQ. Some people also call it M-crit, which is essentially a special milestone where we don’t actually want teams writing code. What we want them to do is make sure their processes work properly. We want them to make sure they’ve cleaned up any bugs that are left over from the prior product cycle, or bugs that have come in after the release of the product, time to improve check-in systems, things like that.

We’ve added this so teams get to focus on their infrastructure, which is a good thing because historically it hasn’t been on the schedule. It’s the old adage where a guy is walking down the path and sees two other guys trying to cut down a tree, and he says to them, “You know guys, that tree would get cut down a lot faster if you would just sharpen that saw you’ve got.” and the guys reply, “We don’t have time to sharpen this saw, we’ve got to get this tree cut down.”

So giving teams a time to really sharpen the saw and improve their efficiency is a good thing. That’s what usually happens in MQ. After that you usually have M0 which is the formal product scheduling and planning milestone and then you roll into the coding milestones – M1, M2 – from there. After that you usually have the Beta and RTM milestones.

Scott: We’re looking at open source and closed source, and Microsoft has obviously decided that a closed source way of doing business makes sense. What’s your impression of why that is? What’s your impression of why Microsoft doesn’t just open source everything?

Shawn: Well there’s a whole set of reasons. This project that I’m running now is an open source project. We’re building on top of the new technologies, and the things we build are actually open source. We are actually doing both. We take customer contributions, the whole bit.

What’s ending up happening, what is starting to evolve, specifically with my team (and we are looking at duplicating the model) is making a hybrid model where you have closed source cores, and open source projects focusing on added customer value, extended components, widgets, and stuff like that. As far as why Microsoft doesn’t go open source, there’s a whole set of reasons for that. I think the number one reason is just around IP pedigree. The issue with open source is that it’s very, very difficult–well it’s impossible–to verify with a hundred percent certainty that every piece of idea in there is licensed properly to be in there.

It’s very difficult for me to know if some developer that contributed to my project saw some code in some other project that he liked, and he picked that code up and dropped it into the project and maybe just tweaked it a little bit.

. “When your organization picks up software, you are taking on some amount of risk that there could be an IP issue with that code. That’s the number one issue that we see with open source. You don’t know how much risk there is, and there is limited, if any, IP protection provided. When people adopt Windows they are provided with

Read more

Ground Rules For Facilitating Analysis And Community Conversations About Software Development Models

Posted on by Carlos Kelly

One recurring question in the IT marketplace today is how does a proprietary software development model compare to an open source development model? What are the trade-off decisions that a software vendor or a customer makes when comparing the two models?

In order to address these questions, Microsoft invited Scott and Sean to look into the process, benefits, and high-level trade-offs associated with proprietary & open-source software development models, which includes not only the development process, but the flexibility, vendor accountability, ecosystem benefits, etc…

Scott and Sean are very excited to be a part of this dialogue to discuss the differences between software developed using closed source and open source development paradigms.

They both have been engaging with industry subject matter experts across various companies to gather information on open source and proprietary software development processes. To be successful, I’ll also need to engage with you. Whether you are involved in closed source projects, open source projects, or both, they would like to hear your thoughts on the issue. Do you love one and hate the other? Why? What do you think are the relative strengths and weaknesses of the two paradigms? As the investigation continues, they also hope that the community will help them refine my findings and help make the project successful.

For the sake of this project, we will define a few ground rules:

Scope of the project

This project will examine the stages of the software delivery lifecycle in an open source vs. a closed source environment. For the purposes of this project, we will define open source software to be software where the source code is available for inspection, modification, and distribution. Closed source software is defined as software where the source is available to few people or organizations, typically the vendor that created the software and possibly their partners under tight non-disclosure agreements.

The findings will be used to highlight the differences in methodology and processes related to quality, security, support etc in each phase of the lifecycle.

The project aims to examine the following questions:

  • How does the idea design differ in an open source and a closed source environment?
  • How does the engineering process differ in the closed vs. the open Source Scenario?
  • How do the two ecosystems differ and what are the implications?

The following aspects will not be examined:

  • How does the Software development life cycle of closed source and open source software differ?
  • Which development model is better?

Output and Methodology

We have set up this forum to facilitate discussion of the effort and will be posting transcripts of our discussion with various experts.

The primary audience for the blog and overall effort are software vendors or customers seeking to better understand the trade-offs associated with commercial closed source (e.g. “proprietary”) software and commercial open source software.

The findings will be based on Community feedback on the blog coupled with:

  • Interviews with key development staff for the selected closed source and open source organizations, and document (via this blog) similarities and trends in the software delivery process in each of the development methodologies.
  • Findings from additional public sources like published interviews, whitepapers, newsgroups, blogs etc.

We will make frequent blog posts with raw findings, allowing the community to comment, refute, or offer supporting evidence regarding the findings. We will also produce and periodically update readers with the aggregate results of the findings. Companies or members of the community performing open and/or closed source development are invited to participate. Microsoft and other software development firms may make employees available for the investigator to interview, and members of the open source community are likewise encouraged to be interviewed to facilitate the investigation.

Now that we have the ground rules, let the discussion begin!

Read more