Bug-Zapping, Microsoft Style
from the fixing-bugs-all-day-long dept
Microsoft is certainly making a big show of how they're making their software more secure. The question is how much of it is marketing, and how much of it is real. On the marketing side, they have someone whose job it is to go out and respond to Microsoft bashers about their security (assuming those bashers write for a major publication, it appears). This article in Business Week lets the guy respond to some criticisms of Microsoft's security, where he basically says (1) they're getting more secure by using automated bug catchers and (2) they really have fewer security problems than other vendors. Neither one of these points makes me feel any more comfortable. While I'm sure automated bug catchers help, you have the same "automation" problem you find with things like a spell-checker. Studies have shown that good writers who use spell-checkers begin to rely on them, and their writing ability decreases. I could see the same thing happening in the coding process. Since they have these automated bug catchers, will people architecting the program be as careful? And will they start to just get lazy and rely on the automated bug catchers? As for the comparison to other operating systems, I don't think that really matters. This isn't a contest. Also, simply looking at the total number of CERT advisories doesn't compare how serious the problems are or how many people are impacted by them. In the end, I do agree with the Business Week writer. I'm sure Microsoft is trying very hard to increase the security of their code. That's very different than saying they've actually made their systems secure.
Reader Comments
my comments
2) Mike Nash is a marketing guy. I'm sure he's real smart, but when he talks about the Microsoft development process, he does not know precisely what he is talking about.
3) I notice he did not respond to the issue of moving the HTTP server into the kernel...really it doesn't matter if Microsoft is moving it into the kernel, out of the kernel, or sideways within the kernel. The problem is they are doing something to the code, and that is going to mean new vulnerabilities. It's like the dinosaurs in Jurassic Park when the Jeff Goldblum character talks about them; it's not a question of if the dinosaurs are going to escape, it's just when and how. Until Microsoft stops doinking around with its code (which will be never, since it has to keep selling upgrades), the code will not stabilize.
More rambling on MS development issues:
http://www.osopinion.com/perl/story/14306.html
- adam