[ISN] Readers Rate Microsoft's Security Progress

From: InfoSec News (isnat_private)
Date: Fri Oct 25 2002 - 01:40:14 PDT


    http://www.internetwk.com/security02/INW20021024S0004
    
    By Tom Smith
    October 24, 2002
    
    We've recently looked at the security of Microsoft products from
    several angles: how the company has lived up to expectations on its
    Trustworthy Computing initiative, how it's managing the flow of
    security information to customers, and how individual products are
    faring from a security perspective. In one of the more recent
    developments, Microsoft and a security company called GreyMagic are
    publicly disagreeing over how security flaws should be reported.  
    GreyMagic has reported several holes in Internet Explorer, while
    Microsoft says it's investigating and third parties should report the
    flaws to Microsoft for the security of users. What's your view? Take
    our poll.
    
    As a follow-up to our recent Microsoft Progress Report, we asked you
    in a reader poll to evaluate Microsoft's progress in Trustworthy
    Computing, its plan to make security a primary design goal in all its
    products.
    
    It's worth noting up front that InternetWeek.com readers have a
    history of being harder on Microsoft than most vendors, particularly
    when it comes to responding to online polls. That said, Microsoft
    received higher marks than one may have expected. Yes, the highest
    percentage of respondents gave Microsoft one of the two lowest
    possible scores in our poll, but strong percentages gave them the two
    highest scores as well. The scores rate the company on its progress in
    achieving Trustworthy Computing, not the overall security of its
    products.
    
    With that background, here are the poll results as of Thursday
    morning, with 213 respondents:
    
    * 52 respondents or 25 percent said the company has made "no
      progress."
    
    * Another 25 percent said the company has made "little progress."
    
    * 28 respondents or 13 percent said things are about the same as
      they've been.
    
    * 39 respondents or 18 percent give the company credit for making
      "some progress."
    
    * 41 respondents or 19 percent said the company has made "great
      progress."
    
    While many readers wrote in with harsh comments, there were also a
    number of measured comments reflecting a sense that Microsoft is in
    fact working hard to shore up security, and that big improvements
    can't happen overnight.
    
    Some of the best reader comments follow:
    
    No Progress
    
    It's inconceivable that anyone -- especially Microsoft --
    could claim that the company has made progress on its security
    initiative when new security warnings are issued almost daily for
    Microsoft operating systems and applications. Apart from being such a
    massive target for every hacker on the planet, Microsoft is its own
    worst enemy: sloppy coding and poorly thought-out features are the
    norm. When so many enterprises hold off upgrading until Service Pack 1
    for a given OS or app release comes out, that's got to tell you
    something about how many times people have been burned in the past.  
    Get burned enough and pretty soon you stop going near the stove.  
    --Jason Scott, systems and design manager, MaineToday.com, Portland,
    Maine, jscottat_private
    
    Microsoft security is an oxymoron. In its rush to obliterate all
    opposition, it cut too many corners in the basic underpinnings of its
    operating system software. In order to become a non-porous OS,
    Microsoft needs to start from the beginning and make security an
    integral part of the basic design, instead of an afterthought. Windows
    had come a long way from being a means to play video games to being a
    widespread business platform, but the basic foundation for the entire
    system is still tied to its past. Linux and Unix were designed as
    serious platforms from the very beginning: Security is a fundamental
    part of their structure. Usually, one would say that you should not
    have to continually re-invent the wheel. Microsoft never went through
    that stage in its growth. Maybe it should re-invent the wheel.  
    --Thomas LeMaster, staff programmer, Ensco Inc., Endicott, N.Y.,
    lemasterat_private
    
    No, we aren't there yet! Secure computing is still an idea that has
    not yet caught on in the mind of your average user. It is the average
    user who is most vulnerable and the least likely to secure his or her
    PC, never mind knowing that a real risk to their stuff is a cold
    reality! The 61 or so security vulnerabilities reported by Microsoft
    this year aren't issues for Joe and Jane user. They don't even know
    that these vulnerabilities exist in most cases. Until Joe and Jane
    have a problem, get hacked, or violated somehow, we will continue to
    have widespread vulnerabilities in our interconnected universe, which
    means everyone is less secure. Not that 100 percent secure is
    achievable, but we can do better. Microsoft still doesn't view
    security like they do market share. If they applied the same
    overzealous competitive spirit to ensuring security in their products,
    think of where we would be right now. Certainly not patching IE and
    Word for the umpteenth time this year. --Pamela Mahan-Rudolph,
    technical support manager, Burr Wolff, Houston, prudolphat_private
    
    Security Takes Time, Focus
    
    Most, if not all, the vulnerabilities we
    are seeing now are in code written over the past several years.
    Security does not get fixed overnight or simply by announcing they
    intend to fix things. The real test will be one to two years out, when
    we see if they really do take security seriously and make their
    products more bulletproof out of the box. --Roger Nebel,
    roger_nebelat_private
    
    While their intent (and even their effort) is commendable, they must
    know that one cannot retrofit software with security. The security
    must be a part of the design process and be built into the software
    from inception. With so much flawed code already out here, Microsoft
    cannot truly give us "Trustworthy Computing." If they were to
    successfully develop an operating system that were secure (by default)  
    and a suite of secure business and personal applications for home
    users, their initiative would still fail because the cost of replacing
    every one of their flawed OSes and applications (and, in many cases,
    the hardware upon which they operate) would be astronomical. As a
    business professional, I would love to save my company money by
    eliminating the cost of securing and patching inherently insecure
    systems, but replacing an entire infrastructure is beyond the means of
    most businesses. Try explaining to your CFO that you need to replace
    all of your operating systems, business apps, and most of the systems
    that run them (all of which *you* convinced him you needed to buy in
    the first place) because you want to be part of the Trustworthy
    Computing initiative. Just make sure that your resume is up to date
    first. --Michael Hios, manager, information technology, Circle
    Biomedical, Lexington, Mass., hiosat_private
    
    I see Microsoft as being the target of hackers simply because
    corporate America has adopted their applications and platforms on a
    widespread basis. This being the case, Microsoft has had to become
    security-conscious. If they do this with the same focus and attention
    to detail with which they have undertaken their past endeavors, I
    believe they will show themselves to be a real force in the security
    market. Microsoft has always proven extremely responsive to their
    critics and taken that input and turned it into product revisions.  
    --Steven Rivera, IT business consultant, Jade Systems Corp., New York,
    striveraat_private
    