Linked by Thom Holwerda on Fri 4th Aug 2006 12:07 UTC
Microsoft's presentations on Windows Vista are not the typical Black Hat talks, but attendees are welcoming the look behind the scenes at the software giant. "I haven't felt it as a marketing pitch. It was a very technical discussion about how code review is done at Microsoft," said Josh Hoover, a veteran Black Hat attendee from Phoenix who works in security at a large financial institution. "Of course, it is all lip service at this time, until we get to test it," he added.
Thread beginning with comment 149236
they finally get it... really
by butters on Fri 4th Aug 2006 18:39 UTC
butters Member since:
2005-07-08

The history of software engineering is very short, and the era of ubiquitous networked computing has been even shorter. The software giants created a monster that they weren't equipped to deal with, and Microsoft's monster is the biggest of all. It's taken some time, but Microsoft finally gets it, and they're ready to do serious battle with their security woes.

In most aspects of software engineering, there is real merit to the "good enough" principle. We often forget that the open source mantra of "release early, release often" is an extension of this principle, not an alternative. Security bugs, however, are an exception to the rule. Releasing software with known vulnerabilities is not only unethical, but it's bad for business. Microsoft finally gets it; their death grip on the OS market is being challenged in a meaningful way because of their application of the "good enough" principle to security.

Microsoft must lead the proprietary software industry toward sound software engineering practices that consistently result in secure software. Most proprietary software vendors are still merely dipping their toes in the water when it comes to aggressively refactoring their development processes so as to be accountable for quality and security issues. They want to bolt on a static analysis tool or additional managerial oversight in order to bolster quality and drive down defect rates. However, this usually does little more than increase overhead and hurt morale amongst the development teams.

There are many ways to find bugs before they reach the customer, but they all have the same tradeoff: cost. Costs can be classified in two categories: costs associated with development, licensing, integration, and/or execution of such methods; and costs associated with additional workload due to higher pre-release defect rates. It is very much the case that there is no free lunch when it comes to increasing software quality and security. The lack of a silver bullet leads management to believe that the technology of automated software analysis tools isn't quite there yet, but it very clearly is.

Software engineering firms need to realize that the sheer size and scope of their markets makes these large investments in quality absolutely essential to competing in today's software industry. Microsoft finally gets it. They will lead the software industry toward a new era of quality software engineering, or they will collapse under the weight of enormous market forces.

Microsoft clearly has the cash to make this happen, but many software vendors don't. Watch for the entry barriers in the proprietary software industry to increase dramatically over the next 10 years as customers come to expect higher quality and more secure software products.

Watch for smaller proprietary software vendors to open their code as the only way to avoid the tremendous expense of modern software engineering. As I've said several times before, developing and delivering proprietary software can be very profitable, but it is much more difficult and expensive than developing and delivering open source software. For many reasons, OSS development distributes costs more efficiently--and over a broader population.

Microsoft finally gets it, and they realize that they will have to outspend the OSS ecosystem by an impressive ratio just to keep up, let alone catch up. They also aren't growing faster than the market, so it's not like this money is gunna come easy. Watch for Microsoft's profit margins to recede markedly from the absurd to the reasonable. On both counts, it's about time.

Cloudy Member since:
2006-02-15

The history of software engineering is very short

That's because there is no such thing. Calling what we do "engineering" doesn't make it engineering.

And no, OSS doesn't "distribute costs more efficiently"; it just does a better job of hiding them.

A company with the cash reserves that Microsoft has isn't going to have problems finding the money to spend on whatever technology they want.

Score: 1

butters Member since:
2005-07-08

I've always had a problem with the term "computer science" being used to describe programming. Sure, there are computer scientists out there, making hypotheses, implementing/analyzing them, and producing conclusions. But most computer programmers are engineers. They receive specifications, and they implement them. I like to say that computer programming is part art, part engineering, and rarely science.

The difference between computer science and computer engineering is huge, and it underlies the reason why most CS majors are dreadfully unprepared for real-world software development.

Score: 0

kaiwai Member since:
2005-07-06

True, true, which brings to question, not whether these problems are hidden, but whether they're willing to find and fix them.

When you work for a company, you obviously have an incentive to debug and work on the most mundane crap in the software development stack because that's what you're paid to do - you may hate it, but you can at least say to yourself that you're taking home a cheque.

If you're an open source developer, it's only natural that since you're spending your own time working on it, it's obvious that you'll want to spend your time working on the sexy exciting things like adding new features or optimising performance, not on mundane housekeeping like giving key components audits to weed out bugs and potential security issues.

As for the issue at hand, I think people here need to divorce security issues firstly relating to bad design, and secondly relating to bad implementation of the idea.

Not all of Microsoft's security issues relate to crappy code or design, sometimes it's a combination of both, sometimes it's one or the other; with that being said, to understand why some of the decisions were made, you need to understand the approach, the company culture, and most importantly, the way things were done when it was implemented; many things that are biting Microsoft in the ass today, could never have been envisioned 16-20 years ago.

As for the article at hand; it's stupid to say the least; it's, 'LOOK! I CAN INSTALL MALICIOUS CODE!' then she admits she was requested authorisation to carry out the said malicious code insertion. Sorry, there is a WORLD of difference between something being able to get inserted without user knowledge, and someone being asked for administrator access for a said application.

Score: 2