Microsoft's Mythical Man Years
from the misleading-the-public dept
Salon takes Microsoft to task for claiming that they’re putting more “man-years” of reviews into the security of their code than the open source community ever has. The article first points out that it’s pretty well established these days that throwing more developers at a particular project doesn’t tend to make it better or faster – and in fact can do just the opposite. More importantly, he talks about the basic nature of how security checks are done on open source code – which is that a ton of real life tests are thrown at it very quickly. The stress testing is real – and as soon as an error is found, it’s possible to figure out where the hole was and work on fixing it. Testers get prestige for finding and fixing holes. In Microsoft’s world, no matter how many “man-years” they throw at it, they’re testing stuff in a lab – and not the real world. Even worse, you’re left trusting Microsoft that they’ve fixed the holes, rather than being able to check for yourself in open source code. It’s nice that Microsoft is trying to improve their “trustworthiness” – but they shouldn’t mislead the public about the effectiveness of their methods.