Recently, someone at Cigital asked me to characterize the difference between our approach to software security and Microsoft’s. Before I get to comparing things I want to note that we’re big fans of Microsoft when it comes to software security. Under the leadership of Michael Howard and Steve Lipner, Microsoft has made great progress in software security over the last few years. There are many lessons that we can all learn from what they’re doing.

That said, Microsoft’s approach to software security does differ from ours in a few fundamental ways that are worth discussing.

The biggest difference to highlight is that their approach has a static threat model that is great for operating system vendors. People in other sectors such as finance or hospitality will not have the same kind of threats that Microsoft does. In this case, what I mean by threat is an actor or agent who causes risk. That is, your possible attacker(s). Building a threat model that is tailored for a customer is a key aspect of our approach at Cigital. Microsoft has already done this for their business, but chances are you are not an operating system vendor.

At the heart of Cigital’s approach to software security are a number of best practices that we call the touchpoints. You can read about the touchpoints in my book Software Security. The top two touchpoints are “Architectural Risk Analysis” which helps uncover and mitigate flaws at the design and architecture level, and “Code Review with a Static Analysis Tool” which helps ferret out bugs in code at the implementation level.

Our approach to Architectural Risk Analysis is much better suited to finding new risks not yet ever seen before than Microsoft’s list-based approach. Undiscovered new risks are the kinds of things that lead to 0days and help you to wind up on the front page of the Wall Street Journal. Our three-phase analysis goes way past Microsoft’s STRIDE model with regard to dependencies and ambiguities. Our approach to risk is much more sophisticated and grounded in business as well. The reasons for this probably have to do with having to demonstrate to our customers the importance of the things we’re finding. By contrast, Microsoft doesn’t need to be convinced to fix security problems, Bill Gates already said that they have to.

When it comes to code review, Microsoft and Cigital approaches are similar, but Microsoft leverages proprietary unreleased tools that are not available outside of Microsoft. (Many of you will have heard of Prefix…Prefast, now available with some Microsoft compilers, is not the same thing.) The Cigital approach leverages customizable commercial tools and a best of breed approach. We often use Fortify’s supremely good static analysis tool, but we have been known to wield Coverity’s tool and Klokwork’s tool as well, depending on the situation. In both cases, however, the use of a static analysis tool to find bugs is absolutely critical.

Our approach to security testing is much more white box than Microsoft’s is, and involves using the risks uncovered during Architectural Risk Analysis to drive inside-out test planning. Microsoft’s approach is grammar driven and focused on APIs. The fact that James Whittaker now works for Microsoft is likely to help to evolve Microsoft’s approach to security testing, but James has a tendency to start with API fault injection as well (see his great book How to Break Software Security).

As far as I know, Microsoft does next to nothing at the requirements level. At Cigital, we have a decent approach to security requirements that covers both functional security mechanisms and abuse cases.

There are many other differences between our approaches, but those are the highlights. The most interesting thing is just how closely aligned the two approaches are.

Technorati Tags: software security, microsoft, stride, sdl

Welcome to Cigital’s brand new software security and software quality blog. That’s right, after ranting and raving in other forums for over a decade, we’ve decided to take it to the Web. Let’s call this blog “Justice League.” We’re glad you’re here.

It’s customary start a blog with administrivia, and this one should be no exception. Justice League will be a joint production of all of the Principal Consultants at Cigital. So, yes, it’s a corporate blog (wah wah waaah) but we promise that it will not suck. We’ll be passing the baton around like a hot potato. “No after you.” “Please, after you.” Somehow I ended up with the potato first.

I guess it’s my job to set the stage and introduce your cast. Many of you know me from my external speaking and writing. I’m Gary McGraw, CTO of Cigital, author of a big pile of books on software security, and host of the Silver Bullet Security Podcast. In my secret other life I am the fiddler for Where’s Aubrey.

Joining me to produce this blog will be <insert drumroll here>:

• Pravir Chandra. Pravir joined the Cigital team from Secure Software where he was Co-Founder and Chief Security Architect. Pravir is best known for his work on CLASP and for running an Operations Security group at AOL. Slightly lesser known is that Pravir was once a research associate at Cigital about a million years ago. In addition to being one of the top minds in the world in software security, Pravir is super nice, brilliant, and loads of fun.
• Scott Matsumoto. The great thing about Scott is that he brings 20 years of hard core commercial development experience to the team. Scott has served as CTO of both Spring Street Networks and Xtremesoft (where he was a co-founder as well). Scott is a seasoned software architect and a database guru. Scott is as self-effacing as he is experienced, but don’t let him fool you—he’s sneaky, clever, patient, and has attained the Buddha calm.
• Sammy Migues. Sammy has a long storied career in security stretching back before I was born (ok, not really). Sammy contributed to the infamous Rainbow Books (thanks, man), helped to invent the concept of software assurance, and has been applying knowledge management techniques to computer security for a decade. Sammy was the Chief Scientist of iDefense and Principal Scientist at Cybertrust before he joined Cigital. Sammy escaped from Louisiana in a similar fashion to my escape from Tennessee-we both found a pair of shoes and slipped across the border.
• Craig Miller. Craig really does have computer science bone fides stretching back to before I was born! In fact, he is the most seasoned technical veteran in the firm. Craig has been Chief Scientist of SAIC, CTO of Proxicom, North American CTO and Global Chief Architect of Dimension Data, and a bunch of other things. Like me, he’s a Dr. of something or other. He’s also a music fanatic, a yarn teller, and a jolly good fellow.
• John Steven. The infamous John Steven (or jS as I call him) has been with Cigital for many years. John is my right hand man, and is one of the main reasons that my job rocks. John’s knowledge of Java goes as deep as the inner workings of the VM and gets as lofty as architectural patterns for MVC’s in J2EE. John is intense, intelligent, and introspective. He also has just a few opinions.

Together, we plan to cover lots of ground in software security and software quality in this blog. We’re hoping for a dialog, so please tell us what you like, call us on the baloney, throw us the occasional bone, and generally enjoy yourself. We aim to have fun with this blog in an open interactive way.

My friends who run blogs—including my girlfriend from high school, all my buds at Fortify Software and my friend Jon Udell (who has been blogging basically forever)—all keep their entries short and personal. We’ll try to emulate them.

For the first few weeks, expect a new post every 2-3 days. First up is John Steven. Hey man, catch the potato…

Technorati Tags: software security