SecurityFocus 2002-01-24
A guide to judging Microsoft's security progress.
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 replies)

Oh, Microsoft is reading this all right. They are very good at keeping track of things said about them. And the authors could hardly be more distinguished on this topic.
I would guess that Microsoft would take this excellent, unsolicited advice as unwelcome, however. The letter from MS regarding security is more marketing than real intent, that is, unless they are willing to take the heart of the "Results, Not Resolutions" article to bear on their products.
Specific suggestions such as registry and SOAP discussions aside, the key theme is "Complexity is the enemy of security." I would add secrecy as yet another foe. Microsoft does not want to consider this, however, because Microsoft strategy and marketing is the anathema to simplicity and openness in their products, and these are entirely too deeply ingrained to change.
Is there no hope, then? Bruce Schneier's own "Secrets and Lies" seems to imply this, much as he tries to temper the message at the end. And possibly by co-authoring this letter, he is trying to get the word out, just in case MS developers whose bonuses are now on the line security-wise are skipping what should be required reading. The upper management of Microsoft seem to be aware that integrating security in their products from the start will be a culture change, possibly one goal of the open letter besides marketing.
However, the most likely result of this will be that crackers will just redouble their efforts to find bugs. After all, now they can not only get some cred, but they can personally affect how some of the hated MS developers are actually paid, as a reward for their efforts.
Link to this comment: http://www.securityfocus.com/comments/articles/315/10102#10102