http://www.internetwk.com/security02/INW20021024S0004

By Tom Smith
October 24, 2002

We've recently looked at the security of Microsoft products from several angles: how the company has lived up to expectations on its Trustworthy Computing initiative, how it's managing the flow of security information to customers, and how individual products are faring from a security perspective. In one of the more recent developments, Microsoft and a security company called GreyMagic are publicly disagreeing over how security flaws should be reported. GreyMagic has reported several holes in Internet Explorer, while Microsoft says it's investigating and that third parties should report flaws to Microsoft for the security of users.

As a follow-up to our recent Microsoft Progress Report, we asked you in a reader poll to evaluate Microsoft's progress in Trustworthy Computing, its plan to make security a primary design goal in all its products.

It's worth noting up front that InternetWeek.com readers have a history of being harder on Microsoft than on most vendors, particularly when it comes to responding to online polls. That said, Microsoft received higher marks than one may have expected. Yes, the highest percentage of respondents gave Microsoft one of the two lowest possible scores in our poll, but strong percentages gave it the two highest scores as well. The scores rate the company on its progress in achieving Trustworthy Computing, not the overall security of its products.

With that background, here are the poll results as of Thursday morning, with 213 respondents:

* 52 respondents, or 25 percent, said the company has made "no progress."
* Another 25 percent said the company has made "little progress."
* 28 respondents, or 13 percent, said things are about the same as they've been.
* 39 respondents, or 18 percent, give the company credit for making "some progress."
* 41 respondents, or 19 percent, said the company has made "great progress."
While many readers wrote in with harsh comments, there were also a number of measured comments reflecting a sense that Microsoft is in fact working hard to shore up security, and that big improvements can't happen overnight. Some of the best reader comments follow:

No Progress

It's inconceivable that anyone -- especially Microsoft -- could claim that the company has made progress on its security initiative when new security warnings are issued almost daily for Microsoft operating systems and applications. Apart from being such a massive target for every hacker on the planet, Microsoft is its own worst enemy: sloppy coding and poorly thought-out features are the norm. When so many enterprises hold off upgrading until Service Pack 1 for a given OS or app release comes out, that's got to tell you something about how many times people have been burned in the past. Get burned enough and pretty soon you stop going near the stove.
--Jason Scott, systems and design manager, MaineToday.com, Portland, Maine, jscottat_private

Microsoft security is an oxymoron. In its rush to obliterate all opposition, it cut too many corners in the basic underpinnings of its operating system software. In order to become a non-porous OS, Microsoft needs to start from the beginning and make security an integral part of the basic design, instead of an afterthought. Windows has come a long way from being a means to play video games to being a widespread business platform, but the basic foundation for the entire system is still tied to its past. Linux and Unix were designed as serious platforms from the very beginning: Security is a fundamental part of their structure. Usually, one would say that you should not have to continually re-invent the wheel. Microsoft never went through that stage in its growth. Maybe it should re-invent the wheel.
--Thomas LeMaster, staff programmer, Ensco Inc., Endicott, N.Y., lemasterat_private

No, we aren't there yet!
Secure computing is still an idea that has not yet caught on in the mind of your average user. It is the average user who is most vulnerable and the least likely to secure his or her PC, never mind knowing that a real risk to their stuff is a cold reality! The 61 or so security vulnerabilities reported by Microsoft this year aren't issues for Joe and Jane user. They don't even know that these vulnerabilities exist in most cases. Until Joe and Jane have a problem, get hacked, or are violated somehow, we will continue to have widespread vulnerabilities in our interconnected universe, which means everyone is less secure. Not that 100 percent secure is achievable, but we can do better. Microsoft still doesn't view security like they do market share. If they applied the same overzealous competitive spirit to ensuring security in their products, think of where we would be right now. Certainly not patching IE and Word for the umpteenth time this year.
--Pamela Mahan-Rudolph, technical support manager, Burr Wolff, Houston, prudolphat_private

Security Takes Time, Focus

Most, if not all, of the vulnerabilities we are seeing now are in code written over the past several years. Security does not get fixed overnight or simply by announcing they intend to fix things. The real test will be one to two years out, when we see if they really do take security seriously and make their products more bulletproof out of the box.
--Roger Nebel, roger_nebelat_private

While their intent (and even their effort) is commendable, they must know that one cannot retrofit software with security. The security must be a part of the design process and be built into the software from inception. With so much flawed code already out here, Microsoft cannot truly give us "Trustworthy Computing."
If they were to successfully develop an operating system that were secure (by default) and a suite of secure business and personal applications for home users, their initiative would still fail because the cost of replacing every one of their flawed OSes and applications (and, in many cases, the hardware upon which they operate) would be astronomical. As a business professional, I would love to save my company money by eliminating the cost of securing and patching inherently insecure systems, but replacing an entire infrastructure is beyond the means of most businesses. Try explaining to your CFO that you need to replace all of your operating systems, business apps, and most of the systems that run them (all of which *you* convinced him you needed to buy in the first place) because you want to be part of the Trustworthy Computing initiative. Just make sure that your resume is up to date first.
--Michael Hios, manager, information technology, Circle Biomedical, Lexington, Mass., hiosat_private

I see Microsoft as being the target of hackers simply because corporate America has adopted their applications and platforms on a widespread basis. This being the case, Microsoft has had to become security-conscious. If they do this with the same focus and attention to detail with which they have undertaken their past endeavors, I believe they will show themselves to be a real force in the security market. Microsoft has always proven extremely responsive to their critics and taken that input and turned it into product revisions.
--Steven Rivera, IT business consultant, Jade Systems Corp., New York, striveraat_private

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 04:42:44 PDT