Since Blaster/Slammer, namely since the start of Trustworthy Computing I am working at Microsoft in a publically facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentenceJ). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did and the change will go on.
When I did my first presentation on Trustworthy Computing, I stated publically that this is an industry initiative and not a "Microsoft only thing" – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but have been the bigger target and the one that actually made much, much more noise. Finally, we were best in class with incident and vulnerability response. This is my true belief when I look back to that time and it still is if I am looking at today's industry!
Since that time until today, I never participated in the discussion about "who is more secure? – Windows, Linux, Mac,…". Why? Well, that is pretty straight forward to tell: There is no value to this discussion from my point of view. We have to know where we stand – this helps to judge where to set the priorities but basically our customers expect us to deliver the best in class for the market – and they shall do this! This has to be our target.
Now you might ask, why I am writing this. Each time a vendor has a major security problem, the discussion starts again. This time Apple got the blame. People were talking of "Mega-Patch" and so on. There started a blog "war" on which OS is more secure. There were titles like:
- Diving back into the Mac Vs. Windows debate
- Operating systems aren't any more secure than the idiot using it
And there are people trying to do a comparison: "I don't use Windows! I'm invincible!"
Does this really add any steps towards a solution of the problem? Most people that are actually "comparing" security of the different Operating Systems are geeks and they are all assuming that everybody is a geek as well.
Instead of blaming around, I think it is time to come together and look for solutions within the industry. We are competitors in certain areas but to address the "security challenge" the companies have to come together! We support and sometimes even initiated different forums/alliances already to do exactly what I said:
- VIA (Virus Information Alliance): An alliance where all the major AV-vendors are part of to share information on malware.
- SAFECode (see my earlier blog): An alliance that helps to share best practices around building secure products
So, instead of wasting time to complain and tell everybody that A is better than B or complaining that people are stupid or telling everybody that you are the one knowing how to configure a system but you do anyway not trust the vendors (typically us), I ask you for a constructive dialogue. We can start it here or you can mail me:
- Knowing what we are doing already (e.g. Security Development Lifecycle), what do we have to do to improve security for mom and dad?
- What can we do – from your point of view – to improve our communication?
- What has the industry to do to even get better?
- If you are working for a major ISV – join SAFECode to move the industry as a whole.
I am open for any constructive and open dialogue but not for blaming and bashing.
Looking forward to your feedback