Micro$oft and security

Rewriting history, but the company still goofed

It's no secret that C-Net has a Micro$oft bias. But even I was surprised to see this one a week ago.
Because of the experience of Mike Nash, a vice president at Microsoft, the company finally instituted calling trees as a way to quickly reach people in an emergency. When the Slammer worm hit in January 2003, Nash had to work feverishly to track down the vice president of SQL Server, Gordon Mangione, eventually locating him at his sister's wedding in Canada. (Slammer used Microsoft's SQL Server database to propagate a denial-of-service attack.) Nash first heard reports of Slammer on the local news radio station at 6 a.m. At first, he thought he was dreaming. But as the report played a second time, he knew it was real and headed into work. "I was the second one there," Nash recalls.

Automated calling trees go back to what, the early 1990s? Even before that, I know companies had emergency phone lists for their executives, particularly in operations. Back in the days before personal computers, IBM prided itself on having an emergency team dispatched and on site within a couple of hours.

Slammer also taught the company that it was not enough to have a patch; the patch had to be easy enough to deploy so that most customers would do so, lessening the chances that outbreaks would propagate so quickly. And it was Blaster that taught the company that it wasn't enough to patch a single flaw; it needed a systematic process for catching whole classes of vulnerabilities, a realization that paved the way for Microsoft's current approach, known as the Security Development Lifecycle, or SDL.

Umm, isn't this basic engineering?

This one was pretty telling though. Emphasis added.

Much of the reason for that traumatic on-the-job training can be traced to Microsoft's decade-long evolution in how it and its employees deal with security. Until 1997, security was seen mainly as a set of features that the company bolted onto its software long after product design and development. The idea of securing code as it was being developed had not been considered.

You can bet that security was important to the customers, most of whom just took Micro$oft's word that things were okay.

Once again, emphasis added.

In building Microsoft's security response apparatus, Microsoft had to look beyond the software industry. "No one had had to figure this out before us," Nash said. One of the companies that Microsoft used as a guide was chemical maker DuPont. While not an exact parallel, Microsoft studied how DuPont reacted to train derailments.

That's not exactly true. Security was a very important consideration in UNIX through the late 1970s and into the early 1980s. Of course, that code was better written than Windows.

All in all, this article was pretty telling. Micro$oft didn't take security seriously until AFTER it began to blow up in their face. In all fairness, the web did complicate things and overturn assumptions. Nonetheless, I have to wonder what would have happened with security if Micro$oft had to fight for its market share.

Posted: Mon - December 10, 2007 at 02:00 PM
Pagan Vigil

Pagan philosopher, libertarian, and part-time trouble maker, NeoWayland watches for threats to individual freedom or personal responsibility. There's more to life than just black and white; using only extremes just increases the problems.