Shostack + Friends Blog Archive


Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)”:

As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for our partners I won’t name names, but the “usual suspects” are in attendance. There was also representation from the chipset manufacturers and hardware component suppliers to the OEMs. The discussions are technical and to their credit, the participating companies sent their “A teams” to learn about the SDL process and how they can use it within their organizations.

We are presenting the same content that we give to our own engineers on a variety of SDL topics. Matt Thomlinson provided the opening remarks and some historical context around the security efforts at Microsoft. Shawn Hernan provided the actual “introduction” to the SDL – explaining the process – what we do, why we do it, and data showing our results to date. After that, Adam Shostack presented an in-depth session on Threat Modeling – an integral part of the SDL. I taught a lively 3-hr session on Secure Coding (go figure!) and we ended the day with a talk by Dan Kaminsky of IOActive on the “hacker viewpoint” – essentially a discussion of the Vista security efforts and his views on the next targets of opportunity for the hacker community. All in all it was a great first day – lucid questions and insightful feedback.

This has been a really interesting event; the conversations I’m having are fascinating, and I’ll have more to say about this shortly, but I need to run to catch today’s talks.

Also, we now return you to your regularly scheduled topics of security, privacy, liberty, and giant elephants that are fun to watch.