#3
24th May, 2012, 10:11 AM
Aedan
Chief Systems Administrator
Join Date: September 2001
Location: Europe
Posts: 13,075

Windows is orders of magnitude better than it used to be, that is for sure! In fact, there are some features now that I've not seen deployed on any other OS yet - for example, MS have made attempts to mitigate ROP (return orientated programming) attacks. Now this may not be entirely successful, but until DEP (data execution prevention - also known as non-executable pages) and ASLR (address space layout randomisation), ROP was unheard of because attackers didn't need to jump through such hoops.

In terms of code quality, unfortunately Open Source has been found to be poorer than closed source. Veracode have done some interesting work in this area. Disclaimer - I used to work with some of the Veracode guys whilst they were @stake, hence I have some level of respect for them. Veracode do code analysis to identify where there are potential issues within the code. I've attached a couple of images - the first is web apps that meet the OWASP Top 10 on first submission. The second is apps that meet the CWE/SANS Top 25 on first submission. Note that Open Source code comes out worse in terms of compliance! Also note that web app code generally does worse than non-web app. The report this was pulled from is Veracode's State of Software Security Report Volume 4.
Attached images (thread: How to uncover hidden PC activity): owasp-top-ten-on-first-submission.png, cwe-sans-compliance-first-submission.png
Last edited by Aedan; 24th May, 2012 at 10:12 AM.
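The post mentions DEP and ASLR as the mitigations that forced attackers towards ROP. Whether a given Windows binary actually opts into them is recorded in the DllCharacteristics field of its PE optional header, so a defender can check it without running the program. The following is an added example, not code from the post or from Veracode: a small standard-library-only parser that reads the PE headers and reports which mitigations (DEP/NX, ASLR/dynamic base, high-entropy VA, Control Flow Guard) the image has opted into. The flag values are the documented PE/COFF constants; `build_fake_pe` constructs a throwaway header (not a loadable binary) so the example runs offline, and `check_file` is a hypothetical convenience wrapper for real files on disk.

```python
import struct

# DllCharacteristics flag bits, as defined in the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP / non-executable pages opt-in
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return which exploit mitigations a PE image opts into.

    Only the headers are parsed, so `data` may be just the first few
    hundred bytes of a file. Raises ValueError for anything that is not
    a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20  # the COFF file header is exactly 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_mitigations(data: bytes) -> list:
    """List the mitigations an image has NOT opted into (empty list = all present)."""
    flags = pe_mitigations(data)
    wanted = ["dep", "aslr", "cfg"]
    if flags["pe32plus"]:
        wanted.append("high_entropy_va")  # only meaningful for 64-bit images
    return [name for name in wanted if not flags[name]]


def check_file(path: str) -> dict:
    """Hypothetical wrapper: inspect a real file by reading only its headers."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read(4096))


def build_fake_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for demonstration; not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                             | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                             | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                             | IMAGE_DLLCHARACTERISTICS_GUARD_CF)
    legacy = build_fake_pe(0, pe32plus=False)
    print("hardened image missing:", missing_mitigations(hardened))
    print("legacy image missing:  ", missing_mitigations(legacy))
```

The header-only approach is deliberate: reading 4 KiB is enough to classify a large directory of binaries quickly, and an image that lacks NX_COMPAT or DYNAMIC_BASE is a candidate for rebuilding with `/NXCOMPAT` and `/DYNAMICBASE` rather than for a process-level exception. Note that the flags only say what the image requests; system-wide policy can still override them.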