News Article: Microsoft To Teach About Secure Code

[Ehtyar]

Stunningly, Microsoft apparently considers itself in a position to teach others how to code securely.

After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream.

The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime in November. The company is billing them as a way to bring SDL practices to the development masses.

Full Story

Ehtyar.

[f0dder]

There's actually a whole bunch of people at Microsoft who aren't shabby at writing secure code, doing research, et cetera. The problem is that it's a huge frigging company, and not all areas of the OS gets scrutinized well enough - not to mention that there's old codebases that could use a fair amount of review.

But that's what we get for sticking with C and character arrays, instead of moving to at least C++ and std::string

[Stoic Joker]

But that's what we get for sticking with C and character arrays, instead of moving to at least C++ and std::string

-f0dder (September 17, 2008, 05:55 PM)

Hay, was that aimed at me...?

[f0dder]

But that's what we get for sticking with C and character arrays, instead of moving to at least C++ and std::string

-f0dder (September 17, 2008, 05:55 PM)

Hay, was that aimed at me...?

-Stoic Joker (September 17, 2008, 06:58 PM)

Nah

I do wonder why a lot of people (especially in the opensource community *rolleyes*) are clinging on to C code with cryptic short identifiers, use of zero-terminated strings and str* functions, and more or less spaghetti code. There really isn't much excuse for this (the C part can be justified if you need to be über-portable, but at least apply OOP principles and don't user str* functions, always pass buffer lengths, etc.)