Micro$oft and security


Rewriting history, but the company still goofed

It's no secret that C-Net has a Micro$oft bias. But even I was surprised to see this one a week ago.

Because of the experience of Mike Nash, a vice president at Microsoft, the company finally instituted calling trees as a way to quickly reach people in an emergency. When the Slammer worm hit in January 2003, Nash had to work feverishly to track down the vice president of SQL Server, Gordon Mangione, eventually locating him at his sister's wedding in Canada. (Slammer used Microsoft's SQL Server database to propagate a denial-of-service attack.) Nash first heard reports of Slammer on the local news radio station at 6 a.m. At first, he thought he was dreaming. But as the report played a second time, he knew it was real and headed into work. "I was the second one there," Nash recalls.

Automated calling trees go back to what, the early 1990s? Even before that, I know companies had emergency phone lists for their executives, particularly in operations. Back in the days before personal computers, IBM prided itself on having an emergency team dispatched and on site within a couple of hours.

Slammer also taught the company that it was not enough to have a patch; the patch had to be easy enough to deploy so that most customers would do so, lessening the chances that outbreaks would propagate so quickly. And it was Blaster that taught the company that it wasn't enough to patch a single flaw; it needed a systematic process for catching whole classes of vulnerabilities, a realization that paved the way for Microsoft's current approach, known as the Security Development Lifecycle, or SDL.

Umm, isn't this basic engineering?

This one was pretty telling though. Emphasis added.

Much of the reason for that traumatic on-the-job training can be traced to Microsoft's decade-long evolution in how it and its employees deal with security. Until 1997, security was seen mainly as a set of features that the company bolted onto its software long after product design and development. The idea of securing code as it was being developed had not been considered.

You can bet that security was important to the customers, most of whom just took Micro$oft's word that things were okay.

Once again, emphasis added.

In building Microsoft's security response apparatus, Microsoft had to look beyond the software industry. "No one had had to figure this out before us," Nash said. One of the companies that Microsoft used as a guide was chemical maker DuPont. While not an exact parallel, Microsoft studied how DuPont reacted to train derailments.

That's not exactly true. Security was a very important consideration in UNIX through the late 1970s and into the early 1980s. Of course, that code was better written than Windows.

All in all, this article was pretty telling. Micro$oft didn't take security seriously until AFTER it began to blow up in their face. In all fairness, the web did complicate things and overturn assumptions. Nonetheless, I have to wonder what would have happened with security if Micro$oft had to fight for its market share.

— NeoWayland

Posted: Mon - December 10, 2007 at 02:00 PM

Pagan Vigil "Because LIBERTY demands more than just black or white"
© 2005 - 2009 All Rights Reserved