[ISN] Microsoft's Report Card

From: InfoSec News (isnat_private)
Date: Mon Jan 13 2003 - 23:00:15 PST

  • Next message: InfoSec News: "[ISN] How Sharing Thwarts Hacks"

    http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,77462,00.html
    
    By CAROL SLIWA 
    JANUARY 13, 2003
    Computerworld
    
    Grades ranged from B+ to D- when Computerworld asked IT managers, 
    analysts and security professionals to rate Microsoft's progress on 
    its Trustworthy Computing initiative during the past year. Excerpts 
    follow: 
    
    * Charles Emery, senior vice president and CIO, Horizon Blue Cross 
      Blue Shield, Newark, N.J.
    
    Grade: B
    
    Reason: "The automatic updates within the operating system are helpful
    and timely. Anything that receives as much focus as Microsoft is
    giving this issue is bound to improve, but sadly, there are people who
    are constantly trying to find new ways to break in."
    
    
    --------------------------------------------------------------------------------
    
    * Paul Lanham, senior vice president and CTO, Jones Apparel Group, 
      Bristol, Pa.
    
    Grade: D
    
    Reason: "In the short term, I wouldn't give Microsoft high marks for 
    now focusing on security issues that should have been embedded in 
    their development process to begin with. They have a lot of history to 
    deal with in the short term. Of course, it's easy to criticize their 
    current state, but they at least get a good grade for recognizing the 
    current reality that their market position could erode if basic 
    measures in this area are not undertaken."
    
    
    --------------------------------------------------------------------------------
    
    * Andre Mendes, chief technology integration officer, the Public 
      Broadcasting Service, Alexandria, Va.
    
    Grade: B+
    
    Reason: "On one side, they have obviously identified a lot of the 
    problems that existed with their legacy environments and have 
    aggressively addressed them. On the other side, there were a couple of 
    occasions where they still reverted to minimizing the criticality of 
    some of the holes."
    
    
    --------------------------------------------------------------------------------
    
    * Russ Cooper, security consultant, TruSecure Corp., Herndon, Va.
    
    Grade: D-
    
    Reason: "In my opinion, Microsoft hasn't made any perceivable progress 
    in the last 12 months with respect to security. The security bulletin 
    process has been up and down. Their responsiveness has been good and 
    bad. Windows Update has been augmented by a lame sister known as 
    Software Update Services."
    
    
    --------------------------------------------------------------------------------
    
    * Jason Fossen, a SANS Institute lecturer and president of Fossen 
      Networking & Security, a Windows security consultancy.
    
    Grade: B+
    
    Reason: "Never before have Microsoft's future profits been so at risk 
    by the security or insecurity of their products. Microsoft's entire 
    XML/SOAP/.Net project to make the Web services business model a 
    reality will sink if IT decision-makers believe it is insecure. 
    Microsoft is betting the farm on .Net Web services; hence, they're 
    motivated to shape up, and so far, they're following through."
    
    
    --------------------------------------------------------------------------------
    
    * Marc Maiffret, co-founder and chief hacking officer, eEye Digital 
      Security, Aliso Viejo, Calif.
    
    Grade: B
    
    Reason: "At least when Microsoft makes a claim that they are doing 
    something about security, they are making a little bit of effort. I 
    wouldn't say it's enough to where it needs to be. But the effort 
    they're putting into it is far more than other companies out there. 
    I'd give almost every software company out there an F."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 01:16:15 PST