Even though the vulnerability counts have dropped, the number of vulnerabilities is not zero. And, even in my wildest dreams, I do not think we will get to zero. I will explain why shortly. In the very early days of the SDL, Microsoft focused heavily on removing design and code-level security vulnerabilities; as we progressed, we added processes that help reduce the chance that new vulnerabilities get added to the software.
Examples of implementation requirements in the SDL include:
* Use of code analysis tools on developer’s desktops to find security vulnerabilities.
* Removing known insecure functions (such as the C runtime strcpy and strncpy functions).
* Migrating weak cryptographic algorithms to more robust algorithms (such as Data Encryption Standard to Advanced Encryption Standard, Secure Hash Algorithm (SHA)-1 to SHA-256). STSC CrossTalk – Practical Defense in Depth – Sep 2008
From around the Web
- Gmail to drop IE6 support this year
- Older IE Versions Maintain Sizable Market Share Despite Security Concerns
- Google Chrome 4 Bolsters Browser Security with New Features
- 10 Reasons Why Microsoft Should Have Discussed Security At CES
- How three vendors screwed up USB stick security
- 94 more secret Windows shortcuts
- Facebook CEO: Privacy Not the Social Norm
- More flash drive firms warn of security flaw; NIST investigates
- The ultimate God Mode list: 39 secret Windows 7 shortcuts
- Microsoft, Adobe prep critical security patches
- Mozilla fixes upgrade flaw in Firefox
- Chrome grabs market share from IE and Firefox, passes Safari
- Facebook enhances privacy settings
- Windows 7 tricks: 20 top tips and tweaks
- The ABCs of securing your Windows netbook