The Buck Stops Where?

When you buy a company's product, you don't just buy the product but a piece of the company's strengths and weaknesses. I just don't happen to think that MS is a software engineering powerhouse, and considering their habit of using scads of consultants rather than employees and their habit of firing 5% of the employees who find themselves at the bottom of their performance reviews every six months, I fully expect that there are vast areas of code that nobody knows what's it's supposed to do anymore. Anyone who thinks that MS cares enough to go through an exhaustive QA process before releasing their patches has got to be seriously self-delusional.

If I were stuck with MS products, the last thing I would do is to rush out and install service and security patches simply because MS makes them available: there is usually no problem that is so bad that you can't make really worse through your own actions. I'd want to wait - assuming that I have the luxury of waiting - until I get confirmation from the grapevine and the trade press that nobody got themselves burned applying them patches. If nobody is keeling over and their legs are not going spastic, then the water is safe to drink.

However, it is one thing to be prudent and deliberately choose not to react until one is sure that the cure is not worse than the disease - MS has occasionally released security patches that actually created new and improved security holes, and another to argue that one does not want to apply the patches because one "does not have the time", and that the "vulnerability will not be a problem for several months at least": this does not sound very professional.

I chose to go into security because I was sick and tired of dealing with dumb netadmins and dumb network engineers - and have to go through this routine of differentiating myself from them in the eyes of my employer or of the client every time I changed jobs. In general, those who chose Microsoft get the punishment that they deserve.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/74/11944#11944

The Buck Stops Where? 2002-04-18
Anonymous

It all comes down to these things. 2002-04-19
Noseman (1 replies)

It all comes down to these things. 2002-04-22
Anonymous

The Buck Stops Where? 2002-04-19
Owen Creger

The Buck Stops Where? 2002-04-19
Sculder

The Buck Stops Where? 2002-04-19
Anonymous

The Buck Stops Where? 2002-04-22
ali abolfathi (1 replies)

The Buck Stops Where? 2002-04-23
Anonymous

Blame the (Em)balmer? 2002-04-23
dave.williams@gte.net (1 replies)

Blame the (Em)balmer? 2002-04-29
Stefan

The Buck Stops Where? 2002-04-23
Jim

The Buck Stops Where? 2002-04-23
blacklight

The Buck Stops Where? -- No, not everyone uses ASP 2002-04-25
Anonymous

The Buck Stops Where? 2002-04-26
Bakdosh

The Buck Stops Where? 2002-04-29
Anonymous (1 replies)

The Buck Stops Where? 2002-05-04
Anonymous

Tim, when is the last time you had to admin more than 50 servers...? 2002-04-30
tarr

The Buck Stops Where? 2002-05-01
Anonymous

The Buck Stops Where? 2002-05-02
Anonymous

The Buck Stops Where? 2002-05-06
Anonymous