Secure Coding mailing list archives

RE: "Tech News on ZDNet" -- OS makers: Security is job No. 1


From: "Gizmo" <gizmo () digistar com>
Date: Wed, 11 May 2005 23:29:51 +0100

After getting served a large helping of humble pie and ruminating on the
texture and taste thereof, Gizmo responded with:

Good points, Dana, and eloquently put.  I think you have stated what I was
really driving at, much better than I did.  :-)  However, if you think that
MS won't find a way to drive a revenue stream out of this, then I believe
you will be surprised.  After all, the AV companies do it now.

Later,
Chris


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Dana Epp
Sent: Wednesday, May 11, 2005 1:19 PM
To: Gizmo
Cc: [EMAIL PROTECTED]
Subject: Re: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1


I don't think it's fair to paint such a broad stroke about Microsoft's
intent.

Microsoft is a business. And a business that has to weigh its investments
carefully through its metrics driven organization, just like every other
successful business out there. They enter into markets for three general
reasons:

1) Paranoia: Put bluntly, if they see a perceived threat to their Windows or
Office revenues (where they make their real profits), they step in.

2) Numbers: Big, broad markets with no dominant players that would be low
touch to them are attractive

3) Grief: Taking too much grief from customers and the press can hurt their
company, and their stock price.

Summing that up, Microsoft goes after markets with billion-dollar ambitions,
focusing on horizontal software that can strengthen their Windows/Office
offerings while preventing their platform from looking bad.

Microsoft isn't focusing on security to be good samaritans, or to find
billion dollar revenues. With such a poor track record in the past they had
to deal with the GRIEF caused by poor decisions a decade ago. (Longer if you
ask me) The impact of those decisions is hurting their platform now, and
they came to realize they need to realign their business practices
accordingly. In this light security is not a technology problem, but really
a business one. We see that in the (in)decision many businesses take (not
just Microsoft) on when and where to bolt on security, if at all. 10 years
ago very few commercial software companies followed secure coding best
practices... mostly because very few best practices even existed that people
knew about. And those that did, didn't align with the business mentality of
"build and ship".

I think you are kidding yourself if you believe Microsoft is in it to build
NEW major revenue streams off the offerings. If you consider the investment
they are putting into their security related programs, you would find that
it would be a POOR decision if that was the case. Their investment into
security goes deeper than that. They have a responsibility to their existing
customers, and the new ones they hope to gain in ensuring that in this ever
changing digital divide that they take a more serious stance on security.
It's the right thing to do, and now it's good business. Spending the last
decade as the punching bag for security (and rightfully so) has given them
enough black eyes to realize with such a dominant position in the
marketplace, they need to be more responsible... or lose customers. So it's
about protecting marketshare, not building new ones from it.

At the same time, I don't blame them for going further and building security
in to upcoming products to make their product offerings better. Remember my
Point #1? To protect their dominance in the OS market they will need to make
Longhorn MUCH better than Srv03/XP is. Investments in things like LUA are
breaking the shackles of the OLD broken way users run applications on
Microsoft's platforms and offers a mechanism to run in a safer environment
using least privilege. These are tremendous changes in the attitudes and
thinking of security on the platform, while offering users a comfortable
environment to do their job. In the end, that's all the customer cares about.
A safe and secure computing environment to let them get their job done.

I think you are incorrect in saying that:

"their approach is NOT "Let's make the OS more secure so that this crap
can't get installed to start with"

They ARE doing that. Take a closer look at the new security infrastructure
in Longhorn. Things like LUA are designed SPECIFICALLY for that. They are
reducing the attack surface of application behaviour by confining and
containing access rights within the account itself. They are making tools
like prefast and Static Driver Verifier (SDV) that can do static code
analysis to strengthen the code base touching their kernel. The new driver
framework is cleaner and the resulting code runs safer. Decisions to tear
down the way processes execute in the OS are now rewritten in Longhorn to
ensure trust boundaries are maintained (Longhorn has an entirely new
mechanism for CreateProcess locked in the kernel for safer and more trusted
execution). These all lead to a safer environment for everyone.

Top that off with the userland applications they are strengthening with
tools like FxCop, codebase permission sets in managed code and things like
the /gs switch in their compilers, and Microsoft is slowly causing the
adoption of secure coding to the 3rd parties out there as well. With all the
education and training that's being offered for free, they are TRYING to make
it safer for everyone. SD3+C isn't just a marketing term... its something
they are trying to distill in their organization, which in turn should spill
out to 3rd parties using their tools and technologies.

I agree with your position on the perceived simplicity that the user needs
in their operating systems (and applications). However, I don't believe it
can change overnight. Which is why I think MS may be more successful than
we realize in promoting security to consumers as their security management
lifecycle touches everyone, and everything that works with them. These
things took decades to build up and break. It won't be fixed overnight.

Sorry for the long post. This is a topic that drives me nuts. Everyone has
their own views that typically are painted in a little black box. (including
mine) We have to step back sometimes and look at the bigger picture here.
This is a great list Ken runs about secure coding. Most (if not all) of us
on the list GET why secure programming is important. But many don't weigh
that technological decision against the real business ones that corporations
need to make. It's tricky to weigh things accordingly to protect business
viability and fiscal responsibility while protecting customers. Especially
when management buy in isn't always available. We know the realities of cost
savings and ROI on designing security in. But most out there do not. And
blanket statements about people wanting to make money off of security are
futile without digging deeper to WHY they appear to be doing that.

At least, that's my opinion on it anyways. YMMV.

--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]

Gizmo wrote:
Microsoft is all about making Windows 'more secure' because they see a
potential revenue stream.  Note that their approach is NOT "Let's make the
OS more secure so that this crap can't get installed to start with";
rather, it is "Let's graft more crap onto the system and then sell people a
subscription so that they can be protected from the problems we have
created, at least most of the time".

To be sure, I like Apple's approach even less.  "We want to help the
customer protect their computer"?!

I realize that security requires the cooperation of the user, but providing
the typical user with a readily available list of the processes running in
the system isn't going to do anything but confuse the poor user.

We need to remember that users are generally illiterate when it comes to the
details of how their computer functions.  That's why they are USERS.  They
don't know (or care) how or why their computer works.  All they care about
is that it does what they need for it to do.  Quite frankly, that is all
they really SHOULD have to care about.  It is not necessary for me to
understand all the gory intimate details of how my car works in order for me
to use it in a safe fashion.  The same should be true of my computer.

I dunno, maybe I'm way off base and just too cynical for my own good, but
that's the way I see it.

Later,
Chris


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Kenneth R. van Wyk
Sent: Tuesday, May 10, 2005 6:37 AM
To: Secure Coding Mailing List
Subject: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1

FYI, somewhat interesting story today on ZDNet (see
http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about
operating system makers paying more attention to security.  Note the
differing (public) statements by Microsoft and Apple...

Being fundamentally a "glass half full" sort of person, I think that it's
refreshing to hear that OS vendors are making their products' security a
higher priority than it's typically been in the past.  There's also an
implicit message here regarding a proactive software security posture vs.
"firewall and IDS it" after the product is released.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com






