Thursday, April 21, 2011

Bashing Microsoft on Security Deficiencies

I have found quite often that many individuals love to hate Microsoft on its track record for security vulnerabilities. In seminars where I commented on software vulnerabilities, I have been surprised by senior individuals walking up to me as saying " I am sure your comments were directed towards Microsoft". Its quite evident in responses to blog posts or news articles..

I believe that we should encourage and not bash Microsoft on its track record for software security. I for one believe that they learnt from the initial bad press and embarked on a committed program for enhancing software security in their products. For this we should support and encourage them rather than continuing to bash them. Only stick and no carrot does not work. We should reserve our bashing for the many other popular products that have been riddled with security flaws. Some of these companies were laughing at Microsoft discomfort instead of fixing flaws in their backyard. They perhaps felt secure because they were not targeted then, as they are now. Microsoft has shown the world that it takes time for well meaning established product companies to migrate to a secure software culture and reprogram massive code bases. Others should learn from this.Our overall goal is to remove software vulnerabilities and ensure software is engineered with security in mind.

Secondly, we should widen our focus to include security vulnerabilities in embedded systems. Embedded systems will fly planes, drive cars, make robot work in plants and so forth. Faulty embedded system software will be a high risk source in the coming years. This scares me.

No comments:

Post a Comment