Readers Rate Microsoft's Security Progress

[InfoSec News <isn () c4i org>]

http://www.internetwk.com/security02/INW20021024S0004

By Tom Smith
October 24, 2002

We've recently looked at the security of Microsoft products from
several angles: how the company has lived up to expectations on its
Trustworthy Computing initiative, how it's managing the flow of
security information to customers, and how individual products are
faring from a security perspective. In one of the more recent
developments, Microsoft and a security company called GreyMagic are
publicly disagreeing over how security flaws should be reported.  
GreyMagic has reported several holes in Internet Explorer, while
Microsoft says it's investigating and third parties should report the
flaws to Microsoft for the security of users. What's your view? Take
our poll.

As a follow-up to our recent Microsoft Progress Report, we asked you
in a reader poll to evaluate Microsoft's progress in Trustworthy
Computing, its plan to make security a primary design goal in all its
products.

It's worth noting up front that InternetWeek.com readers have a
history of being harder on Microsoft than most vendors, particularly
when it comes to responding to online polls. That said, Microsoft
received higher marks than one may have expected. Yes, the highest
percentage of respondents gave Microsoft one of the two lowest
possible scores in our poll, but strong percentages gave them the two
highest scores as well. The scores rate the company on its progress in
achieving Trustworthy Computing, not the overall security of its
products.

With that background, here are the poll results as of Thursday
morning, with 213 respondents:

* 52 respondents or 25 percent said the company has made "no
  progress."

* Another 25 percent said the company has made "little progress."

* 28 respondents or 13 percent said things are about the same as
  they've been.

* 39 respondents or 18 percent give the company credit for making
  "some progress."

* 41 respondents or 19 percent said the company has made "great
  progress."

While many readers wrote in with harsh comments, there were also a
number of measured comments reflecting a sense that Microsoft is in
fact working hard to shore up security, and that big improvements
can't happen overnight.

Some of the best reader comments follow:

No Progress It's inconceivable that anyone -- especially Microsoft --
could claim that the company has made progress on its security
initiative when new security warnings are issued almost daily for
Microsoft operating systems and applications. Apart from being such a
massive target for every hacker on the planet, Microsoft is its own
worst enemy: sloppy coding and poorly thought-out features are the
norm. When so many enterprises hold off upgrading until Service Pack 1
for a given OS or app release comes out, that's got to tell you
something about how many times people have been burned in the past.  
Get burned enough and pretty soon you stop going near the stove.  
--Jason Scott, systems and design manager, MaineToday.com, Portland,
Maine, jscott () mainetoday com

Microsoft security is an oxymoron. In its rush to obliterate all
opposition, it cut too many corners in the basic underpinnings of its
operating system software. In order to become a non-porous OS,
Microsoft needs to start from the beginning and make security an
integral part of the basic design, instead of an afterthought. Windows
had come a long way from being a means to play video games to being a
widespread business platform, but the basic foundation for the entire
system is still tied to its past. Linux and Unix were designed as
serious platforms from the very beginning: Security is a fundamental
part of their structure. Usually, one would say that you should not
have to continually re-invent the wheel. Microsoft never went through
that stage in its growth. Maybe it should re-invent the wheel.  
--Thomas LeMaster, staff programmer, Ensco Inc., Endicott, N.Y.,
lemaster () computermail net

No, we aren't there yet! Secure computing is still an idea that has
not yet caught on in the mind of your average user. It is the average
user who is most vulnerable and the least likely to secure his or her
PC, never mind knowing that a real risk to their stuff is a cold
reality! The 61 or so security vulnerabilities reported by Microsoft
this year aren't issues for Joe and Jane user. They don't even know
that these vulnerabilities exist in most cases. Until Joe and Jane
have a problem, get hacked, or violated somehow, we will continue to
have widespread vulnerabilities in our interconnected universe, which
means everyone is less secure. Not that 100 percent secure is
achievable, but we can do better. Microsoft still doesn't view
security like they do market share. If they applied the same
overzealous competitive spirit to ensuring security in their products,
think of where we would be right now. Certainly not patching IE and
Word for the umpteenth time this year. --Pamela Mahan-Rudolph,
technical support manager, Burr Wolff, Houston, prudolph () burrwolff com

Security Takes Time, Focus Most, if not all, the vulnerabilities we
are seeing now are in code written over the past several years.  
Security does not get fixed overnight or simply by announcing they
intend to fix things. The real test will be one to two years out, when
we see if they really do take security seriously and make their
products more bulletproof out of the box. --Roger Nebel,
roger_nebel () mindspring com

While their intent (and even their effort) is commendable, they must
know that one cannot retrofit software with security. The security
must be a part of the design process and be built into the software
from inception. With so much flawed code already out here, Microsoft
cannot truly give us "Trustworthy Computing." If they were to
successfully develop an operating system that were secure (by default)  
and a suite of secure business and personal applications for home
users, their initiative would still fail because the cost of replacing
every one of their flawed OSes and applications (and, in many cases,
the hardware upon which they operate) would be astronomical. As a
business professional, I would love to save my company money by
eliminating the cost of securing and patching inherently insecure
systems, but replacing an entire infrastructure is beyond the means of
most businesses. Try explaining to your CFO that you need to replace
all of your operating systems, business apps, and most of the systems
that run them (all of which *you* convinced him you needed to buy in
the first place) because you want to be part of the Trustworthy
Computing initiative. Just make sure that your resume is up to date
first. --Michael Hios, manager, information technology, Circle
Biomedical, Lexington, Mass., hios () circebio com

I see Microsoft as being the target of hackers simply because
corporate America has adopted their applications and platforms on a
widespread basis. This being the case, Microsoft has had to become
security-conscious. If they do this with the same focus and attention
to detail with which they have undertaken their past endeavors, I
believe they will show themselves to be a real force in the security
market. Microsoft has always proven extremely responsive to their
critics and taken that input and turned it into product revisions.  
--Steven Rivera, IT business consultant, Jade Systems Corp., New York,
strivera () jadenet com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.