Microsoft, Explain Threats to Microsoft

The Microsoft Malware Protection Center recently published their third Security Intelligence Report. The front page of the report says

An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2007

Inside it continues:

This report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related MSRC bulletin), malicious software, and potentially unwanted software. The lists below summarize the key points from each section of the report...

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands...

Contrast that proper use of the word vulnerabilities in those excerpts with the incorrect use of the word threat in the quotes I noted in Someone Please Explain Threats to Microsoft:

As you go about filling in the threat model threat list, it’s important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team...

When we’re threat modeling, we should ensure that we’ve identified as many of the potential threats as possible (even if you think they’re trivial). At a minimum, the threats we list that we chose to ignore will remain in the document to provide guidance for the future.

In that excerpt, all uses of the word threat should be replaced with the word vulnerability, with possible exception of the term "threat modeling." In reality it should be "attack modeling," but in all other cases Microsoft is clearly talking about discovering holes/flaws/problems in their software, i.e., vulnerabilities.

So, it seems that the people who have the big security picture -- those who write the Microsoft Security Intelligence Reports -- know the difference between a threat and a vulnerability. The developers who focus on Microsoft's software -- those exercising the Microsoft Security Development Lifecycle -- are using "threat" when they should be saying "vulnerability."

It would be good for the SIR people to talk to the SDLC people. Without that coordination Microsoft's developers will continue to view the security problem incorrectly, and by extension, so will the customers who look to Microsoft for intellectual guidance.

On a related note, I was happy to see the latest SIR available as a .pdf.

Comments

Anonymous said…
I hope I live long enough to see how crotchety you are as an old man, Rich.

:^)
1:24 PM
dre said…
Howard says (in The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software), "The meaning of the word threat is much debated. In this book, a threat is defined as an attacker's objective. To some, the threat is the attacker or adversary; we refer to this entity as the threat agent. These definitions are used in the Common Criteria"
7:14 PM
Richard Bejtlich said…
dre,

This is his attempt to sort of acknowledge incorrect use in earlier books but not really change his terminology. I address that direct quote in my review of SDLC.
7:47 PM
Anonymous said…
Gary McGraw and the Cigital crew are just about the only people using that particular definition of threat. Realistically, that's a pretty small (but very vocal) segment of the community. Now, it's perfectly reasonable for you to choose to standardize on McGraw's terminology. However, you come across like a misguided fanatic when you hammer away at Microsoft as if there were any broad-scale acceptance of your preferred terminology.
12:48 AM
Richard Bejtlich said…
Anonymous,

Pull your head out of the software development sand. You'll see there is a bigger security world out there. The digital scene thinks it can sweep away decades or more of security terminology in favor of their warped usage. Kudos to Gary and crew for adopting and explaining these terms correctly.
8:55 AM
Anonymous said…
If your position is as you state you should provide citations from a few corroborating sources. That should be pretty easy if there really are decades of accepted terminology, and it's certainly the more helpful response.
2:25 AM
Richard Bejtlich said…
Anonymous, read previous blog posts. I don't feel compelled to restate my position and supporting documentation every time this issue appears.
8:34 AM
Jim Yuill said…
Richard has done a great job of showing how MS is redefining standard terminology. MS folks are inconsistent in using their own re-definitions, as it's so hard to co-ordinate the feat of redefining standard terms. Imagine if General Motors tried to rename hoods and trunks as doors...

It’s hard to imagine why someone would want to redefine standard terms. On the face of it, it seems like great gall--very arrogant and foolish of MS to even attempt co-opting our language. However, I suspect they have some other motive. When intelligent people inexplicably insist on doing nonsensical things, it can be useful to look for hidden motives.

Richard has another blog post about SDL terminology, and there, an anonymous commenter notes that MS may be avoiding the “V” word (vulnerability) for PR reasons. Also, might MS’s corporate lawyers have banned MS’s use of the “V” word, as it could be used against them in law suits? Imagine a shake-down law-suit in which MS is compelled to admit they ship code with known security “vulnerabilities”, and the jury is clueless about computer security. Would it help MS’s legal-defense if they only have to admit to shipping code with known “threats”.

BTW: on page 102 of SDL, they say that their definition of “threat” is also used in Common Criteria (CC). However, there’s been lots of criticism published about CC--even by MS in the SDL book itself (page 22f)!

Jim
3:12 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more