A few things to keep in mind about Scott's essay: In a large company like Microsoft, there are many competing interests. Scott likely has nowhere near the influence on product security that he would like. I've been a corporate security guy for a large software company (not Microsoft). I had reasonable influence over the IT infrastructure's security, and absolutely zero over the product security. The two just weren't related. My understanding is that Scott has some degree of both, but that he has much more control over things like responding to reports, driving patches, helping with service packs, etc., and probably a little over actual product development.

I know several of the guys in various Microsoft security groups, and they actually want to improve the product, and they actually know what they are doing. Having said that, they get to say very little about how to improve the development process, unless security becomes Microsoft's #1 marketing item. Yes, this is akin to closing the barn door several years after the horses have run away. Microsoft clearly cares more now about security after the worms, but think about what this means for product development. XP is done and out the door. The next whatever is halfway done. If security requires new rules for development, we're looking at Windows 2005 before they show up.

I'm not apologizing for Microsoft. I'm simply trying to point out that there is a way that Scott could be sincere, and Microsoft could act the way they do, and both can appear in the same company. And of course, given the list I run, my opinion is that Scott's opinion is misguided. But then I'm not willing to be the guy who has to answer for Microsoft's shortcomings, either.

BB
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:53:08 PDT