Microsoft under attack - and it's not what you think

I really never thought I would see this day! But this is a very interesting read.

"..open source developers and security professionals accusing them [Microsoft] of being obsessed by security."

https://www.artima.com/weblogs/viewpost.jsp?thread=162577

You bet we're obsessed!

Comments

  • Anonymous
    June 03, 2006
    This is hilarious. It seems no matter what MS does or will do, there will be someone else whining about them.

    I can guess each MS employee enjoying their work day ending by reading some hate mails :D
  • Anonymous
    June 04, 2006

    Michael Howard announces on his blog the release of his new book "The Security Development Lifecycle"...
  • Anonymous
    June 05, 2006
    That's amazing! Thanks for being a good sport about this Michael.
    Keep up the good work, let the whiners do their thing!
  • Anonymous
    June 06, 2006
    Hi...
    we just did a security related roadshow here in Germany. Still Security does not attract masses...
  • Anonymous
    June 07, 2006
    First, I think Microsoft has done a great job overall in addressing common security problems in the last few years (and well they should, since they also single-handedly infected the world with users who believe they have an inalienable right to routinely run as a local admin, something that any administrator worth his salt would not even do himself).

    But your blog entry is very misleading, and seems intended to just give you a chance to plug Microsoft's security initiative by referencing an article that has nothing to do with your entry.

    Nowhere in the article does the author say that Microsoft is obsessed with security (only the summary says it, and who knows who wrote the summary to Johan Peeters' article? -- a summary is distinct from content produced by an author, and this particular summary doesn't seem to even summarize the content at all). The article itself implies that a representative of a company called Secure Software (Pravir Chandra) believes that SDL is "too heavyweight", but it is not clear from the author's statement whether this is actually Chandra's belief or Peeters's belief. In any event, it is entirely possible that every happy little open-sourcer in the world believes Microsoft is doing a fantastic job with security, while at the same time also believing that the SDL specification is poorly written (I have no opinion on SDL either way), so I don't think there's much reason to believe that this obviously poorly written article is the representative voice of the open source community, or that the open source community is attacking Microsoft for addressing security.

    Please feel free to correct me if I've missed something, but I think I've done a pretty careful read of the referenced material.
  • Anonymous
    June 09, 2006
    Microsoft is the best!  Cool..
  • Anonymous
    June 09, 2006
    Hey Howard, I have run across this vulnerability in MS as well as Firefox.

    A spam site owns com.org

    I discovered this by accident and need help please I am using msn's url as an example and hope it isn't a problem
    http://www.msn.com.org
    This takes you to a spam site I have contacted the company and it is referred as a wildcard subdomain. I was told they have been doing this a long time and MSN was aware of it.

    My question is this is an exploit how can I stop my url from coming up when this is added to the end of my .com domain

    Google or Yahoo the .org doesn't work but in MSN it does. How do Google and Yahoo stop it from happening?

    I hope you can offer me some suggestions.
    Thanks,
  • Anonymous
    June 19, 2006
    As one of the panelists, I feel that the summary is slightly overblown. During the panel, one of us noted that Microsoft was promoting more security than most firms can muster or even want to achieve, and what was even funnier was that the panelists basically agreed with each other... and Microsoft :) To anyone in the security industry over the last few years, this is no surprise - this is how basic research pays off. Do the hard yards, and by default, you're the leader.

    As noted in Johan's article, my work has implemented an SDL-like process (mainly through my instigation, but it wouldn't have succeeded without senior management buy-in), and it is working. The projects which undergo our process (we call it "Enterprise Security Architecture") are demonstrably more secure and harder to attack than those which do not undergo it.

    We have also implemented a sort of security buddy system, which pays immense dividends considering how many projects are underway at any given time. The SDL makes doing security a cost-effective use of your time and security budget. There is basically nothing else out there, so why not give it a go?

    I can't wait for the SDL book to come out - I'll be buying copies for all of my team. The galley that Alex had was just awesome.

    Andrew