Slashdot Mirror
Microsoft to Clean Up Code
the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.
Lip service or not, these developers have in their job description to be scapegoats. That is not an enviable position.
Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.
And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.
If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...
Pity.
Small potatoes make the steak look bigger.
Seems like that a "code cleaning group" would be the most poorly efficient way of accomplishing this.
Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!
Why hire somebody else to do _your_ job?
I've never programmed in a huge group before... so maybe I missing the experience to understand.
Davak
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security concious, rather than just take it for granted.
Especially if the clean-up group are not working closely with the original developers.
Fix 1 security hole.
Introduce 100 bugs.
Hmmm.
What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.
The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.
I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.
You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.
It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.
Think about the success of OpenBSD. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).
Laughing at your competitors is a risky strategy.
Obviously, MS bashing abounds, but I view this as a good thing.
Working in an environment that is purely MS based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - Just as the company I work for is not going to replace all it's investment in MS tech overnight.
Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better what presently happens at MS.
As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?
Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.
open source is certainly one way to potentially increase code quality with respect to security. but there are others, including introducing a group within the company to audit exactly that.
there are obvious drawbacks to microsoft opening their source, including a large collapse of their main revenue streams and huge impact on their existence as a company. at least, as microsoft is structured now, opening their source is not a good business decision (no matter your feelings on microsoft as a company).
open source is not the software savior it's often made out to be. all software will not be open source. ever. demanding that every software company do just that is both unreasonable and generally unhelpful. we should be demanding that software companies produce more secure, stable, and user-centered software. however each company chooses to do that shouldn't matter, as long as that end goal is reached.
Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here, seem odd to anyone else?
This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "look at us, we're doing something(tm) about security!
makes me wonder if this is microsoft's way of making sure it has a chance to influence what the gov. considers secure.
This comment is fully compliant with RFC 527.
Security is one of the main areas that MS gets blasted for. While the security in their server products has some merits, it's undermined by the bugs that continuously appear and the total lack of lockdown in out-of-the-box config. Their push on security would have to address all these issues - Removing issues from the code prior to shipping, improving their response to the bugs that still appear, locking down products and educating users to unlock them as appropriate, and most importantly of all, concentrating on designing their systems to incorporate security from the start, rather than trying to tack it on later. There's been some movement in some of these areas...but nowhere near enough yet.
So will they do it? You're right in that there is little evidence so far. Given the constant slating they receive in this area, there is certainly a motive to improve it. But given the apparent lifetime of legacy code in Windows, it's not going to show significant results any time soon in that arena. I would suspect it would be more evident in "new" products such as
Trustworthy computing was launched in Jan 2002, there's some info on what they claim to have achieved on their site.
I do agree with you about Clippy tho