Welp – just got back from speaking at a couple of events in Dayton, OH. First up was THE Ohio State University security day . . . I delivered my ‘targeted attacks’ presentation which I’ve been doing for over 2 years now (everything’s the same – only the malware changes. :). I got to take a tour of the OSU campus (freaking huge) and meet some of the defenders of the OSU network which was nice.

Next up was my presentation at DayCon II on Friday night at the Crowne Plaza in downtown Dayton. I met some real interesting people there (most seemed to be reverse engineers working at the base, and random other security people) and only ONE academic type in the crowd tried to bust my chops at the end with the typical anti-Microsoft rants – first it was Open XML and the fact that it still supports ‘binary parts’ and then, after I addressed those concerns, it was “Microsoft is so far behind the Unix world with respect to security – why weren’t you programming securely 10-15 years ago?” type arguments. I believe he mentioned he was a professor with a PhD (possibly from Wright State – a college I dropped out of when I joined Microsoft and was forced to move) . . . I pointed out that we do the vast majority of our hiring (if not all of our hiring) for developers from accredited universities and institutions of higher learning and that if there was bad code being written by our folks – it certainly wasn’t “below the standard” of what was being taught at universities 10 or 15 years ago – because we, like every other company, hired those universities’ graduates!!

I also pointed out that I had recently attended a C++ refresher course at CPCC (local community college) and was none too surprised to find that the PhD professor I had teaching the class was not at all familiar with buffer overruns (well that’s not true – he knew what they were, just not that they could lead to code execution!!) or heap overruns, or fuzzing, or any other interesting aspects of secure coding (but he knew his sorting algorithms and could talk in depth about compilers!). In fact he had me at one point lecture the class for him with respect to things like our own SDL, banned APIs, why they are banned, fuzzing, etc. It was surreal. This was in 2006. I was really glad I went back to school to see how things had changed since I had last taken a programming class (they hadn’t!!).
And having said all of that, it’s a nice segue into this: http://blogs.msdn.com/michael_howard/archive/2008/10/08/safecode-releases-fundamental-practices-for-secure-software-development-document.aspx