Re: Time-to-patch vs Disclosure method

[Blue Boar <BlueBoar () thievco com>]

A few things to keep in mind about Scott's essay:

In a large company like Microsoft, there are many competing interests.
Scott likely has no where near the influence on product security that
he would like.  I've been a corporate security guy for a large 
software company (not Microsoft.)  I had reasonable influence over
the IT infrastructure's security, and absolutely 0 over the product
security.  The two just weren't related.  My understanding is that
Scott has some degree of both, but that he has much more control over
things like responding to reports, driving patches, helping
with services packs, etc...  and probably a little over actual
product development.  I know several of the guys in various 
Microsoft security groups, and they actually want to improve
the product, and they actually know what they are doing.  Having
said that, they get to say very little about how to improve the
development process, unless security becomes Microsoft's #1
marketing item.  Yes, this is akin to closing the barn door
several years after the horses have run away.  Microsoft clearly
cares more now about security after the worms, but think about
what this means for product development.  XP is done and out the door.
The next whatever is halfway done.  If security takes new development
rules for development, we're looking at Windows 2005 before they
show up.

I'm not apologizing for Microsoft.  I'm simply trying to point out
that there is a way that Scott could be sincere, and Microsoft
could act they way they do, and both can appear in the same 
company.

And of course, given the list I run, my opinion is that Scott's
opinion is misguided.  But then I'm not willing to be the guy
who has to answer for Microsoft's shortcomings, either.

                                BB