RE: Time-to-patch vs Disclosure method

["Dom De Vitto" <Dom () DeVitto com>]

BB & all,
I agree, here's what I posted as comments to MS technet....
(I'd like to suggest that other also vent there opinions through this
channel,
and maybe MS will at least not foster this opinion in public)

Scott Culps comments
(<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns
/security/noarch.asp>) make it clear that MS is no longer intent on
producing more secure products, a statement that reverses those made by MS
in the l
ast 6 months.

Consequently, I feel I can no longer support the use of MS products, mainly
(IIS/MTS) for client projects.

Scott seems to believe, as other vendors have in the past, (notably,
excluding Sun) that burying security problems, and making detrimental
remarks of those that discover them, is in the interest of MS and it's
clients.  This thinking is almost completely obsolete in the security arena,
and even great proponents of MS products thank the organisations that bring
security bugs to the fore ASAP.

Scott should change his thinking, or MS should change Scott for someone who
isn't going to mock those who are in positions to influence technology
decisions.

Dom
-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: 18 October 2001 21:32
To: vuln-dev () securityfocus com
Subject: Re: Time-to-patch vs Disclosure method


A few things to keep in mind about Scott's essay:

In a large company like Microsoft, there are many competing interests.
Scott likely has no where near the influence on product security that
he would like.  I've been a corporate security guy for a large
software company (not Microsoft.)  I had reasonable influence over
the IT infrastructure's security, and absolutely 0 over the product
security.  The two just weren't related.  My understanding is that
Scott has some degree of both, but that he has much more control over
things like responding to reports, driving patches, helping
with services packs, etc...  and probably a little over actual
product development.  I know several of the guys in various
Microsoft security groups, and they actually want to improve
the product, and they actually know what they are doing.  Having
said that, they get to say very little about how to improve the
development process, unless security becomes Microsoft's #1
marketing item.  Yes, this is akin to closing the barn door
several years after the horses have run away.  Microsoft clearly
cares more now about security after the worms, but think about
what this means for product development.  XP is done and out the door.
The next whatever is halfway done.  If security takes new development
rules for development, we're looking at Windows 2005 before they
show up.

I'm not apologizing for Microsoft.  I'm simply trying to point out
that there is a way that Scott could be sincere, and Microsoft
could act they way they do, and both can appear in the same
company.

And of course, given the list I run, my opinion is that Scott's
opinion is misguided.  But then I'm not willing to be the guy
who has to answer for Microsoft's shortcomings, either.

                                BB