After getting served a large helping of humble pie and ruminating on the texture and taste thereof, Gizmo responded with:
Good points, Dana, and eloquently put. I think you have stated what I was really driving at, much better than I did. :-)

However, if you think that MS won't find a way to drive a revenue stream out of this, then I believe you will be surprised. After all, the AV companies do it now.

Later,
Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dana Epp
Sent: Wednesday, May 11, 2005 1:19 PM
To: Gizmo
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1

I don't think it's fair to paint such a broad stroke about Microsoft's intent. Microsoft is a business. And a business that has to weigh its investments carefully through its metrics-driven organization, just like every other successful business out there. They enter into markets for three general reasons:

1) Paranoia: Put bluntly, if they see a perceived threat to their Windows or Office revenues (where they make their real profits), they step in.
2) Numbers: Big, broad markets with no dominant players that would be low touch to them are attractive.
3) Grief: Taking too much grief from customers and the press can hurt their company, and their stock price.

Summing that up, Microsoft goes after markets with billion-dollar ambitions, focusing on horizontal software that can strengthen their Windows/Office offerings while preventing their platform from looking bad.

Microsoft isn't focusing on security to be good samaritans, or to find billion dollar revenues. With such a poor track record in the past they had to deal with the GRIEF caused by poor decisions a decade ago. (Longer if you ask me) The impact of those decisions is hurting their platform now, and they came to realize they need to realign their business practices accordingly.

In this light security is not a technology problem, but really a business one. We see that in the (in)decision many businesses take (not just Microsoft) on when and where to bolt on security, if at all.
10 years ago very few commercial software companies followed secure coding best practices... mostly because very few best practices even existed that people knew about. And those that did, didn't align with the business mentality of "build and ship".

I think you are kidding yourself if you believe Microsoft is in it to build NEW major revenue streams off the offerings. If you consider the investment they are putting into their security related programs, you would find that it would be a POOR decision if that was the case. Their investment into security goes deeper than that. They have a responsibility to their existing customers, and the new ones they hope to gain in ensuring that in this ever changing digital divide that they take a more serious stance on security. It's the right thing to do, and now it's good business. Spending the last decade as the punching bag for security (and rightfully so) has given them enough black eyes to realize with such a dominant position in the marketplace, they need to be more responsible... or lose customers. So it's about protecting marketshare, not building new ones from it.

At the same time, I don't blame them for going further and building security in to upcoming products to make their product offerings better. Remember my Point #1? To protect their dominance in the OS market they will need to make Longhorn MUCH better than Srv03/XP is. Investments in things like LUA are breaking the shackles of the OLD broken way users run applications on Microsoft's platforms and offer a mechanism to run in a safer environment using least privilege. These are tremendous changes in the attitudes and thinking of security on the platform, while offering users a comfortable environment to do their job. In the end, that's all the customer cares about. A safe and secure computing environment to let them get their job done.

I think you are incorrect in saying that: "their approach is NOT "Let's make the OS more secure so that this crap can't get installed to start with"". They ARE doing that. Take a closer look at the new security infrastructure in Longhorn. Things like LUA are designed SPECIFICALLY for that. They are reducing the attack surface of application behaviour by confining and containing access rights within the account itself. They are making tools like prefast and Static Driver Verifier (SDV) that can do static code analysis to strengthen the code base touching their kernel. The new driver framework is cleaner and the resulting code runs safer. Decisions to tear down the way processes execute in the OS are now rewritten in Longhorn to ensure trust boundaries are maintained (Longhorn has an entirely new mechanism for CreateProcess locked in the kernel for safer and more trusted execution). These all lead to a safer environment for everyone.

Top that off with the userland applications they are strengthening with tools like FxCop, codebase permission sets in managed code and things like the /gs switch in their compilers, and Microsoft is slowly causing the adoption of secure coding to the 3rd parties out there as well. With all the education and training that's being offered for free, they are TRYING to make it safer for everyone. SD3+C isn't just a marketing term... it's something they are trying to distill in their organization, which in turn should spill out to 3rd parties using their tools and technologies.

I agree with your position on the perceived simplicity that the user needs in their operating systems (and applications). However, I don't believe it can change overnight. Which is why I think MS may be more successful than we realize in promoting security to consumers as their security management lifecycle touches everyone, and everything that works with them. These things took decades to build up and break. It won't be fixed overnight.

Sorry for the long post.
This is a topic that drives me nuts. Everyone has their own views that typically are painted in a little black box. (including mine) We have to step back sometimes and look at the bigger picture here.

This is a great list Ken runs about secure coding. Most (if not all) of us on the list GET why secure programming is important. But many don't weigh that technological decision against the real business ones that corporations need to make. It's tricky to weigh things accordingly to protect business viability and fiscal responsibility while protecting customers. Especially when management buy-in isn't always available. We know the realities of cost savings and ROI on designing security in. But most out there do not. And blanket statements about people wanting to make money off of security are futile without digging deeper to WHY they appear to be doing that.

At least, that's my opinion on it anyways. YMMV.

--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]

Gizmo wrote:
> Microsoft is all about making Windows 'more secure' because they see a
> potential revenue stream. Note that their approach is NOT "Let's make the
> OS more secure so that this crap can't get installed to start with"; rather,
> it is "Let's graft more crap onto the system and then sell people a
> subscription so that they can be protected from the problems we have
> created, at least most of the time".
>
> To be sure, I like Apple's approach even less. "We want to help the
> customer protect their computer"?!
>
> I realize that security requires the cooperation of the user, but providing
> the typical user with a readily available list of the processes running in
> the system isn't going to do anything but confuse the poor user.
>
> We need to remember that users are generally illiterate when it comes to the
> details of how their computer functions. That's why they are USERS. They
> don't know (or care) how or why their computer works.
> All they care about
> is that it does what they need for it to do. Quite frankly, that is all
> they really SHOULD have to care about. It is not necessary for me to
> understand all the gory intimate details of how my car works in order for me
> to use it in a safe fashion. The same should be true of my computer.
>
> I dunno, maybe I'm way off base and just too cynical for my own good, but
> that's the way I see it.
>
> Later,
> Chris
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Kenneth R. van Wyk
> Sent: Tuesday, May 10, 2005 6:37 AM
> To: Secure Coding Mailing List
> Subject: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1
>
> FYI, somewhat interesting story today on ZDNet (see
> http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about
> operating system makers paying more attention to security. Note the
> differing (public) statements by Microsoft and Apple...
> Being fundamentally a "glass half full" sort of person, I think that it's
> refreshing to hear that OS vendors are making their products' security a
> higher priority than it's typically been in the past. There's also an
> implicit message here regarding a proactive software security posture vs.
> "firewall and IDS it" after the product is released.
>
> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com