Information Security News mailing list archives

RE: Experts: Microsoft security gets an 'F'


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Feb 2003 01:16:01 -0600 (CST)

Forwarded from: Pete Lindstrom <petelind () comcast net>

This whole "grading Microsoft" discussion is completely ludicrous. If
Microsoft gets an 'F,' then who got the A's, B's, C's, and D's? If
upwards of 100,000 sites were infected with Slammer, does that mean
that everyone who was infected gets an 'F' too? Or does Microsoft get
their grade because it was their software? Who gets the 'F' for
Slapper?

Can we legitimately grade Microsoft's Trustworthy Computing
initiative, designed to create more secure software, by assessing
their own internal practices? Can we grade it if there is nothing to
compare to? How is IBM doing? SAP? Oracle? Siebel? Novell? Computer
Associates? Sun? HP? PeopleSoft? How about the custom stuff from
Accenture? EDS? CSC?

Do we really know the difference between what equals "secure" and what
equals "luck" in the security space? Is there anyone out there who has
a foolproof method for determining an appropriate level of security
that is guaranteed to eliminate risk?

You can't blame obesity on McDonald's for serving quarter pounders and
you can't blame insecurity on Microsoft for serving buggy software
that the whole world decided to buy because of the functionality and
backward compatibility - both qualities that create complexity and its
sister, insecurity. And let's not forget that a large number of our
security problems are due to poor configuration and not buggy software
(e.g. SQL Spida attacked null passwords).

There is no doubt that from a security perspective, our existing model
has been unsuccessful due to its reactive nature and the built-in
latencies involved. But I talk to companies every day with better
solutions (check out www.spiresecurity.com/IntrusionPrevention.htm for
some ideas).

It is far too easy to blame Microsoft (give them an 'F') for the
world's security woes. But you get a completely different perspective
when you take a look around at all the potential alternatives and
existing poor security practices in place.

There, I said it. Please flame me at bill.gates () microsofty com (just
kidding).

Regards,

Pete

Pete Lindstrom, CISSP
Research Director
Spire Security, LLC
P.O. Box 152
Malvern, PA 19355
phone: 610-644-9064
fax: 610-644-8212
www.spiresecurity.com
Briefing Requests: 
http://www.spiresecurity.com/briefingrequest.asp?p=briefingrequest


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf
Of InfoSec News
Sent: Tuesday, February 04, 2003 5:49 AM
To: isn () attrition org
Subject: Re: [ISN] Experts: Microsoft security gets an 'F'


Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

Actually, this statement may not be far from the truth; however, it needs
to be quantified.

Typically within the information security program framework we measure
the success of any program by the reduction in the number of incidents
of a specific targeted group. The question should be, has the number of
occurrences of this particular type of incident been reduced overall?

If the group making the statement has measured the success of
Microsoft's initiative against how many systems were actually infected,
they may be using the wrong set of quantifiable criteria, thus their
statement would be unjustified. A typical program takes three years to
mature and will need to be tweaked a couple of times before it hits 100% of
the target.

I should also qualify my statement: I am in no way a Microsoft
supporter. I truly believe that when a group dominates a market place
such as Microsoft has, the market in question becomes unhealthy.
However, that's good for information security professionals. More
balance is necessary.

Happy hunting!

Mark.


