Slashdot Mirror


Microsoft No Longer a 'Laughingstock' of Security?

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"

4 of 282 comments

  1. A good example - IIS by duplicate-nickname · Score: 5, Insightful

    I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.

    There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.


  2. Re:my opinion of MS security by BUL2294 · Score: 5, Insightful

    Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...

    Someone at M$: "XP with IE is full of 'critical' security holes."
    Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00

  3. Re:Of COURSE they're not the laughing stock... by mattpalmer1086 · Score: 4, Insightful

    Yes, it is the fault of the OS. No, Linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.

    Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?

    We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.

  4. Yeah, 'cause clean code is soooo easy to write. by mosel-saar-ruwer · Score: 4, Insightful

    You know, the little things, like always remembering your </i>, and never forgetting to preview your work.

    Glass houses.

    Projectile stones.

    Whatever.