Notes from RSA2008
April 16, 2008
As I said in my previous post, I would have loved to have gone to the RSA conf this year (plenty of people to catch up with, even if I could only get into the expo hall), but I’ve been away on travel. In any case, Jon Pincus, an all-round smart guy and brainiac whom I’ve had the pleasure of chatting with on numerous occasions (and of whom I’m a big fan, even though I once linked to one of his posts and [mis]labeled him as a “fan” – once again, apologies if that was taken the wrong way), was there and has two fantastic posts with some great insights.
For people that don’t know Jon, he is the brains behind PreFix (and PreFast, the internal MSFT version), which Microsoft acquired with Intrinsa, Jon’s previous company, and he played a big part in the change of security direction at MSFT. With that kind of pedigree I’m always interested in his thoughts on what the security industry looks like to him, and no one knows the static analyzer field better than he does, so who better to comment on it?
On the whole, some great insights, and Jon has hit on a couple of things I’ve been thinking about (and trying to do inside Foundstone at least) for a while: a) a “standardized” issue/bug/finding format that tool and manual output can both use to get a combined view of the system under test (which BTW we are very close to for our internal tool(s) and manual processes – just lots of XSLT development for other tools!), and b) getting tool vendors, consultants, security service customers, etc. talking and aligning their interests. I feel that (a) is much more likely than (b), but would welcome (and love to be a part of) either of these efforts.

April 16th, 2008 at 12:26 pm
jon said: Mike,
I was amused by the fan comment, but certainly not offended
Agreed that (a)’s more likely than (b) — and more than we accomplished at Microsoft back in the days I was working on the tools there.
Actually, PREfast (along with FxCop) has been available in Visual Studio since VS2005 — it’s the /analyze compiler option. [Before that, our joke was that PREfix was difficult enough to deploy that it often required an in-person consultant, and we just couldn't figure out a way to fit him or her into the VS box.] One of the interesting business challenges in static analysis is the presence of high-quality tools like these that come with the development environment — and like FindBugs (for Java) that are open source. On the other hand, from the software engineering perspective this is goodness — both because the price is right, and because it pushes static analysis companies to add more powerful functionality and improve usability so that people will actually pay money.
jon
April 17th, 2008 at 10:35 pm
Mike said: Thanks for the correction, Jon – I always get confused about which version is which (PREFix vs PREFast).
Any kind of push for tools to end developers is “goodness” – they are the ones closest to the code, and more likely to understand the context of what it’s doing, as well as having a much more “limited” view of the entire codebase, which makes managing the output of these tools (like the frequent explosion of results) easier.
In my experience though, the best way of helping devs write more secure apps is to limit the ways they can shoot themselves in the foot. Banning “dangerous” APIs (although strcpy isn’t inherently “bad”, it’s one of those functions where there are less dangerous alternatives) is one way, as is adding “protection” measures (like NX, ASLR, anti-XSS, etc, etc) into the platform – something that Microsoft has done very successfully IMO.
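The "ban the dangerous API, ship a less dangerous replacement" idea from the comment above, as an added example (not code from the post, from Jon, or from any Microsoft tool). The `#pragma GCC poison` line is real GCC/Clang syntax and is the enforcement half: after it, any use of `strcpy` in the file is a compile error rather than a code-review finding. The `copy_bounded` and `set_username` helpers are hypothetical names written for this example, not libc or any project's API; the sample buffer and inputs are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Step 1: ban the API at the compiler. After this pragma any mention of
 * strcpy/strcat/sprintf/gets in this translation unit is a compile error,
 * so the "it's fine, I checked the length" pattern cannot creep back in
 * through a later edit. (GCC and Clang syntax; it must come after the
 * headers that legitimately declare these functions.)
 */
#if defined(__GNUC__) || defined(__clang__)
#pragma GCC poison strcpy strcat sprintf gets
#endif

/*
 * Step 2: the replacement (hypothetical helper for this example).
 * Copies src into dst (dst_size bytes) and always NUL-terminates.
 * Returns the number of bytes copied (excluding the NUL), or -1 with dst
 * set to "" when src does not fit. It never reads more than dst_size
 * bytes of src, so an unterminated src cannot cause an over-read, and it
 * fails closed instead of silently truncating the way strncpy does.
 */
long copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* bounded scan of src */
        n++;

    if (n == dst_size) {                     /* no room for the terminator */
        dst[0] = '\0';                       /* fail closed, not truncated */
        return -1;
    }
    memcpy(dst, src, n + 1);                 /* n bytes plus the NUL */
    return (long)n;
}

/* A typical caller: a fixed-size field that used to be filled with strcpy.
   Returns 1 when the field was set, 0 when the input was rejected. */
int set_username(char *field, size_t field_size, const char *input)
{
    return copy_bounded(field, field_size, input) < 0 ? 0 : 1;
}

int main(void)
{
    char name[8];   /* constructed sample: room for 7 characters plus NUL */

    /* fits comfortably */
    printf("%d '%s'\n", set_username(name, sizeof name, "alice"), name);
    /* exactly at the limit: 7 characters fit, an 8th would not */
    printf("%d '%s'\n", set_username(name, sizeof name, "abcdefg"), name);
    /* the classic overflow input; strcpy would write past the end of name[] */
    printf("%d '%s'\n", set_username(name, sizeof name, "AAAAAAAAAAAAAAAA"), name);
    return 0;
}
```

The point of returning an error rather than truncating is that the caller is forced to decide what a too-long username means (reject the request, log it), instead of quietly storing a different value than the one the user supplied.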