Microsoft unveils details of software security process
Robert Lemos, SecurityFocus 2005-05-09

The software giant bares some of its development struggles in a bid to convince security professionals that the company is taking vulnerabilities seriously.

Comment by alerter, 2005-05-12: ON can't follow script & much "internal debate" within MS
Quite frankly, I could care less how many years WS has spent with @stake or MS...

When MS-ers are giving public presentations and/or making "public disclosures" the vast majority, if not all, of the content is scripted and vetted in advance.

If Ms Snyder really did get lost mid-presentation, that actually says something more than any resume.

On the other hand, MSofties are, of late, wont to publicly say, "There was/is much debate internal to MS about that," whatever *that* happens to be.

Again, any alleged "process" of debate is secondary to the outcomes of said process. The real world has to be measured and judged on results, not mere "process" and certainly not according to intentions.

Taking away RawSockets in XPSP2 is very likely going to be reversed, probably sometime in June 2005.

RawSockets were taken away in XPSP2 bowing to public pressure mounted in the media and on the Internet, by entities who had their own narrow agendas to pursue.

MS seriously failed to consult with its own ISVs, and failed to heed the overall majority opinion among agenda-less "MS Partners" who are in the InfoSec field. RawSockets are a legitimate tool/feature.

Whether or not RawSockets are disabled, by default, in XPSP2 and programmatically enable-able for products and users that legitimately require them, is beside the point. The decision to take away RawSockets was Luddite, in the first place.

Let's take a look at the so-called Windows Firewall; about which there is also considerable "debate" internal to MS. MS blows-off (if not flips-off) repeated requests that the Windows Firewall implement egress inspection and filtering. (One MSoftie actually had the gall to say it's because MS doesn't want to be responsible for pestering end users with WF pop-up messages -- as if to say there is no other possible way to configure/administer WF "rule" creation, even though existing WF functionality can be configured through Group Policy.)

Furthermore, the much debated program exclusion features in WF are not based on strong hash-based executable identification; exclusions are issued on filenames. This is ridiculous, given that Program Execution Restrictions elsewhere in XPSP2 can be based on a file hash.

Once again, this time with WF, MS' considerable internal debate is being conducted in a sealed vacuum. And the results are very much lacking, relative to the existing threats and needs.

If MS wants to talk about its lively internal debate about security, MS would do well to open that debate up; otherwise, internal debate can result in chasing one's own tail.


Link to this comment: http://www.securityfocus.com/comments/articles/11115/31851#31851
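The filename-versus-hash distinction the comment raises about Windows Firewall program exclusions, as an added example that is not part of the original page and not Microsoft's code: a small Python model of the two identification schemes, run over constructed stand-in binaries, showing where a name-keyed exclusion and a hash-keyed exclusion give different answers.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FirewallExclusions:
    """Toy model of two ways a host firewall can identify an excluded program.

    by_name: exclusions keyed on the executable's filename only (the scheme
             the comment criticises).
    by_hash: exclusions keyed on the SHA-256 of the executable's bytes.
    This is a constructed illustration, not Windows Firewall's real data model.
    """
    by_name: set = field(default_factory=set)
    by_hash: set = field(default_factory=set)

    def exclude(self, filename: str, exe_bytes: bytes) -> None:
        # An administrator approves one specific binary; both schemes record it.
        self.by_name.add(filename.lower())
        self.by_hash.add(hashlib.sha256(exe_bytes).hexdigest())

    def allowed_by_name(self, filename: str) -> bool:
        # Name-keyed check: anything carrying the approved filename passes.
        return filename.lower() in self.by_name

    def allowed_by_hash(self, exe_bytes: bytes) -> bool:
        # Hash-keyed check: only the approved bytes pass, whatever the name.
        return hashlib.sha256(exe_bytes).hexdigest() in self.by_hash


def compare_policies() -> dict:
    """Return {case: (name_decision, hash_decision)} for three constructed cases."""
    fw = FirewallExclusions()
    legit = b"constructed-legit-updater-v1"  # stand-in for an approved PE file
    fw.exclude("updater.exe", legit)

    # Case 1: the approved binary, untouched, under its own name.
    unchanged = (fw.allowed_by_name("updater.exe"), fw.allowed_by_hash(legit))
    # Case 2: a different program placed under the approved filename.
    impostor = b"constructed-unrelated-program"
    replaced = (fw.allowed_by_name("updater.exe"), fw.allowed_by_hash(impostor))
    # Case 3: the approved binary copied to a different filename.
    renamed = (fw.allowed_by_name("copy.exe"), fw.allowed_by_hash(legit))
    return {"unchanged": unchanged, "replaced": replaced, "renamed": renamed}
```

Case 2 is the weakness the comment describes: a name-keyed exclusion still passes when the file behind the name has changed, while the hash-keyed check rejects it.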
Copyright 2008, SecurityFocus