Secure Coding mailing list archives

Re: "Tech News on ZDNet" -- OS makers: Security is job No. 1


From: Dana Epp <dana () vulscan com>
Date: Wed, 11 May 2005 21:13:41 +0100


I don't think it's fair to paint such a broad stroke about Microsoft's intent.

Microsoft is a business. And a business that has to weigh its investments carefully through its metrics-driven 
organization, just like every other successful business out there. They enter into markets for three general reasons:

1) Paranoia: Put bluntly, if they see a perceived threat to their Windows or Office revenues (where they make their 
real profits), they step in.

2) Numbers: Big, broad markets with no dominant players that would be low touch to them are attractive.

3) Grief: Taking too much grief from customers and the press can hurt their company, and their stock price.

Summing that up, Microsoft goes after markets with billion-dollar ambitions, focusing on horizontal software that can 
strengthen their Windows/Office offerings while preventing their platform from looking bad.

Microsoft isn't focusing on security to be good samaritans, or to find billion dollar revenues. With such a poor track 
record in the past they had to deal with the GRIEF caused by poor decisions a decade ago. (Longer if you ask me) The 
impact of those decisions is hurting their platform now, and they came to realize they need to realign their business 
practices accordingly. In this light security is not a technology problem, but really a business one. We see that in 
the (in)decision many businesses take (not just Microsoft) on when and where to bolt on security, if at all. 10 years 
ago very few commercial software companies followed secure coding best practices... mostly because very few best 
practices even existed that people knew about. And those that did, didn't align with the business mentality of "build 
and ship".

I think you are kidding yourself if you believe Microsoft is in it to build NEW major revenue streams off the 
offerings. If you consider the investment they are putting into their security related programs, you would find that it 
would be a POOR decision if that was the case. Their investment into security goes deeper than that. They have a 
responsibility to their existing customers, and the new ones they hope to gain in ensuring that in this ever changing 
digital divide that they take a more serious stance on security. It's the right thing to do, and now it's good business. 
Spending the last decade as the punching bag for security (and rightfully so) has given them enough black eyes to 
realize with such a dominant position in the marketplace, they need to be more responsible... or lose customers. So it's 
about protecting marketshare, not building new ones from it.

At the same time, I don't blame them for going further and building security in to upcoming products to make their 
product offerings better. Remember my Point #1? To protect their dominance in the OS market they will need to make 
Longhorn MUCH better than Srv03/XP is. Investments in things like LUA are breaking the shackles of the OLD broken way 
users run applications on Microsoft's platforms and offers a mechanism to run in a safer environment using least 
privilege. These are tremendous changes in the attitudes and thinking of security on the platform, while offering users 
a comfortable environment to do their job. In the end, that's all the customer cares about. A safe and secure computing 
environment to let them get their job done.

I think you are incorrect in saying that: 


"their approach is NOT 'Let's make the OS more secure so that this crap can't get installed to start with'"

They ARE doing that. Take a closer look at the new security infrastructure in Longhorn. Things like LUA are designed 
SPECIFICALLY for that. They are reducing the attack surface of application behaviour by confining and containing access 
rights within the account itself. They are making tools like prefast and Static Driver Verifier (SDV) that can do 
static code analysis to strengthen the code base touching their kernel. The new driver framework is cleaner and the 
resulting code runs safer. Decisions to tear down the way processes execute in the OS are now rewritten in Longhorn to 
ensure trust boundaries are maintained (Longhorn has an entirely new mechanism for CreateProcess locked in the kernel 
for safer and more trusted execution). These all lead to a safer environment for everyone.

Top that off with the userland applications they are strengthening with tools like FxCop, codebase permission sets in 
managed code and things like the /gs switch in their compilers, and Microsoft is slowly causing the adoption of secure 
coding to the 3rd parties out there as well. With all the education and training that's being offered for free, they are 
TRYING to make it safer for everyone. SD3+C isn't just a marketing term... its something they are trying to distill in 
their organization, which in turn should spill out to 3rd parties using their tools and technologies.

I agree with your position on the perceived simplicity that the user needs in their operating systems (and 
applications). However, I don't believe it can change overnight. Which is why I think MS may be more successful than 
we realize in promoting security to consumers as their security management lifecycle touches everyone, and everything 
that works with them. These things took decades to build up and break. It won't be fixed overnight.

Sorry for the long post. This is a topic that drives me nuts. Everyone has their own views that typically are painted 
in a little black box. (including mine) We have to step back sometimes and look at the bigger picture here. This is a 
great list Ken runs about secure coding. Most (if not all) of us on the list GET why secure programming is important. 
But many don't weigh that technological decision against the real business ones that corporations need to make. It's 
tricky to weigh things accordingly to protect business viability and fiscal responsibility while protecting customers. 
Especially when management buy-in isn't always available. We know the realities of cost savings and ROI on designing 
security in. But most out there do not. And blanket statements about people wanting to make money off of security are 
futile without digging deeper to WHY they appear to be doing that. 

At least, that's my opinion on it anyways. YMMV. 


--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]

Gizmo wrote:

Microsoft is all about making Windows 'more secure' because they see a
potential revenue stream.  Note that their approach is NOT "Let's make the
OS more secure so that this crap can't get installed to start with"; rather,
it is "Let's graft more crap onto the system and then sell people a
subscription so that they can be protected from the problems we have
created, at least most of the time".

To be sure, I like Apple's approach even less.  "We want to help the
customer protect their computer"?!

I realize that security requires the cooperation of the user, but providing
the typical user with a readily available list of the processes running in
the system isn't going to do anything but confuse the poor user.

We need to remember that users are generally illiterate when it comes to the
details of how their computer functions.  That's why they are USERS.  They
don't know (or care) how or why their computer works.  All they care about
is that it does what they need for it to do.  Quite frankly, that is all
they really SHOULD have to care about.  It is not necessary for me to
understand all the gory intimate details of how my car works in order for me
to use it in a safe fashion.  The same should be true of my computer.

I dunno, maybe I'm way off base and just too cynical for my own good, but
that's the way I see it.

Later,
Chris


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Kenneth R. van Wyk
Sent: Tuesday, May 10, 2005 6:37 AM
To: Secure Coding Mailing List
Subject: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1

FYI, somewhat interesting story today on ZDNet (see
http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about
operating system makers paying more attention to security.  Note the
differing (public) statements by Microsoft and Apple...

Being fundamentally a "glass half full" sort of person, I think that it's
refreshing to hear that OS vendors are making their products' security a
higher priority than it's typically been in the past.  There's also an
implicit message here regarding a proactive software security posture vs.
"firewall and IDS it" after the product is released.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com







