Bug-Zapping, Microsoft Style
from the fixing-bugs-all-day-long dept
Microsoft is certainly making a big show of how they’re making their software more secure. The question is how much of it is marketing, and how much of it is real. On the marketing side, they have someone who’s job it is to go out and respond to Microsoft bashers about their security (assuming those bashers write for a major publication, it appears). This article in Business Week lets the guy respond to some criticisms of Microsoft’s security, where he basically says (1) they’re getting more secure by using automated bug catchers and (2) they really have fewer security problems than other vendors. Neither one of these points makes me feel any more comfortable. While I’m sure automated bug catchers help, you have the same “automation” problem you find with things like a spell-checker. Studies have shown that good writers who use spell-checkers begin to rely on them, and their writing ability decreases. I could see the same thing happening in the coding process. Since they have these automated bug catchers, will people architecting the program be as careful? And will they start to just get lazy and rely on the automated bug catchers? As for the comparison to other operating systems, I don’t think that really matters. This isn’t a contest. Also, simply looking at the total number of CERT advisories doesn’t compare how serious the problems are or how many people are impacted by them. In the end, I do agree with the Business Week writer. I’m sure Microsoft is trying very hard to increase the security of their code. That’s very different than saying they’ve actually made their systems secure.
Comments on “Bug-Zapping, Microsoft Style”
No Subject Given
Huh! “is trying” and “have done” IS the difference between marketing and real life, don’t you think? 🙂
my comments
1) Having worked on the Windows 2000/XP kernel and had my code run through Prefix, I would highly doubt that anybody would write sloppy code thinking “Oh Prefix will catch this.” First of all Prefix is not some “active” thing hovering over your editor; it will find bugs later, after you have tested and checked in your code, and then you have to go back and fix the code, retest it, re-check it in — all a huge hassle, and much easier just to do it right the first time. Of course you may just be too clueless to write good code in the first place and then you have to hope Prefix sves your keister. But I can’t picture someone who *has the capabilitiy to write good code*, not doing so because they are lazy and think Prefix will bail them out.
2) Mike Nash is a marketing guy. I’m sure he’s real smart, but when he talks about the Microsoft development process, he does not know precisely what he is talking about.
3) I notice he did not respond to the issue of moving the HTTP server into the kernel…really it doesn’t matter if Microsoft is moving it into the kernel, out of the kernel, or sideways within the kernel. The problem is they are doing something to the code, and that is going to mean new vulnerabilities. It’s like the dinosaurs in Jurassic Park when the Jeff Goldblum character talks about them; it’s not a question of if the dinosaurs are going to escape, it’s just when and how. Until Microsoft stops doinking around with its code (which will be never, since it has to keep selling upgrades), the code will not stabilize.
More rambling on MS development issues:
http://www.osopinion.com/perl/story/14306.html
– adam