Gates: 'You don't need perfect code' for Security
securitas writes "ITBusiness has an interview from the Microsoft Professional Developers Conference where Bill Gates says 'You don't need perfect code to avoid security problems.' Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date. Considering that Microsoft says it is focused on security, the comments from the Chief Software Architect aren't inspiring, especially because the underlying attitude seems to contradict the idea of well-written, secure code. What kind of message does that send to the developers who work for Gates?"
I couldn't agree more.
The majority of security issues come not from buffer overflows in the application code or similar stuff, but from dumb users clicking on e-mail attachments and downloading wicked screensavers.
Ever run Spybot through a typical home user computer? Middle-aged women seem to be the worst offenders; Spybot and Ad-aware have pages and pages of stuff that the user usually isn't aware of.
There is no such thing as software without bugs.
There is no such thing as an operating system without vulnerabilities.
No scan will find all the holes.
No firewall will protect you from all attacks.
No patch will fix all your systems.
No intrusion detection system will catch all breakins.
No employee screening process will weed out all the criminals.
No employee training program will eliminate all employee mistakes.
Security cannot be purchased.
Security cannot be achieved.
The security process is a checklist of items that should be evaluated and expanded periodically.
Continuously and actively search for vulnerabilities. If the cracker knows about the hole before you do, you have a problem. Run scanners, hire people to test your security.
Read security advisories, keep systems up to date with the latest patches, consult others who also try to keep their security bar high.
Take preventative measures: install a firewall, train employees to use secure practices, implement stricter checks and balances.
Detect problems with intrusion detection systems. Put up honeypots and tripwires. Enable logging.
It scares me, but Microsoft is right.
There's a famous quote, wish I could remember who said it (someone leap in with attribution!) (and I'm quoting from memory, so I'm sure I'm misquoting...)
;-)
"It is axiomatic that every program contains at least one bug and can be reduced in size by at least one instruction, therefore, every computer program can be reduced to a single instruction which does not work."
There's the singularity on your asymptotic curve