Microsoft No Longer a 'Laughingstock' of Security?

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"

rear-view mirror

Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.

So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.

Why should we believe them? Once bitten, twice shy, and with good reason.

I say, set a standard

[downix]

I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how securly an OS is out of the box.

Re:A good example - IIS

[asuffield]

There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same inital time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

You do realise that you are measuring the "quality" of IIS by counting the number of security flaws that Microsoft will admit to having fixed?

You're not counting the number of known flaws. You're not counting the number of flaws that Microsoft knows about. You're not even counting the number of flaws that they've actually fixed. You're interpreting this change in the numbers as indicating an improvement, when it might just as easily indicate that they fix less flaws than they used to.

And don't forget that Microsoft has a long history of not bothering to fix security flaws until significant numbers of exploits have been noticed in the wild. We can only guess at how many unfixed flaws there are in IIS today.

Re:MIcrosoft guy says MS's security is ok?

[TheRaven64]

SunOS was famously insecure, as was Irix. Why pick on just two vendors. It wasn't until the '90s that anyone could say 'UNIX security' without laughing. Take a look at the CVS logs from the first year of the OpenBSD project, when they first did a full audit on code much of which dated back to the original BSD UNIX, used as a base by a lot of commercial UNIX vendors and found hundreds of vulnerabilities. Now, OpenBSD enjoys a good reputation for security, but it's taken over a decade of continuous code auditing to get there.