{"id":1940,"date":"2010-10-07T09:03:42","date_gmt":"2010-10-07T16:03:42","guid":{"rendered":"http:\/\/www.talesfromthe.net\/jon\/?p=1940"},"modified":"2010-10-07T09:03:42","modified_gmt":"2010-10-07T16:03:42","slug":"what-can-diaspora-learn-about-security-from-microsoft","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2010\/10\/07\/what-can-diaspora-learn-about-security-from-microsoft\/","title":{"rendered":"What can Diaspora learn about security from Microsoft? (FIRST DRAFT)"},"content":{"rendered":"

\"\"It’s counter-intuitive to think of Microsoft as a poster child for security.\u00c2\u00a0 But the progress they’ve made since 2001 along with the challenges they continue to face have a lot of lessons for anybody in this space — including Diaspora, the “privacy-aware, personally-controlled, open-source, do-it-all social network”.<\/p>\n

Several of the comments on my previous post Diaspora: what next?<\/a> were from former colleagues at Microsoft, and they made excellent points.\u00c2\u00a0 Here’s my attempt to build on the list that Adam, Jason, and Alem started off.
\n<\/p>\n

    \n
  1. Train the developers — and the designers and quality engineers too.\u00c2\u00a0 Secure software\u00c2\u00a0 is everybody’s responsibility.\u00c2\u00a0 Secure programming still isn’t covered in any detail in most undergraduate or graduate programs, so just like Microsoft discovered a decade ago, most developers don’t know the basic practices.<\/li>\n
  2. Inspect the code.\u00c2\u00a0 Formal multi-role code reviews are very expensive, but fortunately Diaspora’s code base is small.<\/li>\n
  3. Do threat modeling.\u00c2\u00a0\u00c2\u00a0 If you don’t know what the threats are, how can you claim that your system protects privacy?\u00c2\u00a0 It’s fun, too!<\/a><\/li>\n
  4. Use the tools — and develop ones that don’t exist.\u00c2\u00a0 There are some excellent specification and unit testing tools in the Ruby environment (Cucumber, RSpec, Selenium).\u00c2\u00a0 There are also some holes, for example static analysis, fuzzing, and attack surface estimation.\u00c2\u00a0 This is a great chance for the broader Diaspora community to get involved and supplement the core team.<\/li>\n
  5. Include security in the software lifecycle.\u00c2\u00a0 As Wayne Ariola pointed out in a comment, Diaspora’s current “find-and-fix” approach mirrors industry mindset … and it doesn’t work. Microsoft’s SDL, which has been steadily refined over the years (see last fall’s discussion of Agile SD<\/a>), and projects using the SDL from the beginning are noticeably more secure.\u00c2\u00a0 There are other secure development processes as well which may be a better match for Diaspora.\u00c2\u00a0 The important thing is to choose one and then take it seriously.<\/li>\n
  6. Be wary of legacy code.\u00c2\u00a0 If security isn’t designed in up front, it’s incredibly expensive to retrofit it and you’re going to miss a lot.\u00c2\u00a0 Given the gaping security holes in the developer preview release, and the small code base so far, Diaspora should consider a rewrite rather than incrementally trying to make it work.<\/li>\n
  7. Reach out to the security community.\u00c2\u00a0\u00c2\u00a0 Microsoft used to treat security researchers as the enemy, and minimize communication about security issues.\u00c2\u00a0\u00c2\u00a0 By engaging with their critics, and providing a lot more information, they’ve learned a lot about how to improve their security — and also helped shift others’ perception of Microsoft.\u00c2\u00a0 Diaspora’s in a completely different situation, of course, an outsider with zero market share facing a powerful incumbent, so they won’t be hosting events like Blue Hat<\/a> any time soon.\u00c2\u00a0 Then again unlike Microsoft back in the day, a lot of people are rooting for them and want to help.<\/li>\n<\/ol>\n

    Obviously this first cut is biased by my experiences and perspectives, so I’m very curious what others think.\u00c2\u00a0 I’m working on a short presentation on this and will post it her once it’s ready.<\/p>\n

    Thanks!<\/p>\n

    jon<\/p>\n","protected":false},"excerpt":{"rendered":"

    It\u00e2\u20ac\u2122s counter-intuitive to think of Microsoft as a poster child for security. But the progress they\u00e2\u20ac\u2122ve made since 2001 along with the challenges they continue to face have a lot of lessons for anybody in this space \u00e2\u20ac\u201d including Diaspora, the \u00e2\u20ac\u0153privacy-aware, personally-controlled, open-source, do-it-all social network\u00e2\u20ac\u009d.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[108,216,313],"class_list":["post-1940","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-diaspora","tag-microsoft","tag-security"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/1940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=1940"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/1940\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=1940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=1940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=1940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}