“Microsoft Claims Security Win with New Development Rules”
Just look at that headline from the eWeek article I linked to in my previous post…!
( http://www.eweek.com/article2/0,1895,1779769,00.asp )
Man, you’d think Microsoft was on K street, DC, not in Redmond, WA.
Hypothetically, training your software engineers and developers on how to write secure code is a good thing. Hypothetically, man can travel at the speed of light. The fact of the matter is that Microsoft can’t solve the security problem. Microsoft is its own worst enemy when it comes to solving the security problem.
Einstein said, “you cannot solve a problem with the same level of intelligence that created it.”
Software engineering groups that are serious about developing flawless software adopt this philosophy. They do this through independent certification processes such as the SEI-CMM. For more details, see: http://www.sei.cmu.edu/
First things first. Microsoft needs to develop an organizational structure and workflow that promotes excellence in software engineering. Once it has obtained some reasonable level of capability to write good software, it can then begin to eliminate software flaws in a measurable, predictable way.
Claiming victory because a barely used OS (Windows Server 2003) doesn’t have many reported flaws is just plain ABSURD. As a security researcher, I’m fond of asking, “How do you know you haven’t been compromised?” or “How do you know there are no flaws?”
Just because you don’t see them does not mean they are not there.
What’s worse, how on earth can I trust Microsoft to accurately assess or report on the changes it’s seeing? I can’t.
Success will be believable when independent analysis confirms that they have accomplished something, anything…
Until then, I think it’s status-quo in Redmond.
Bill