Suggestion for Microsoft

Journal lheal's Journal: Suggestion for Microsoft 1

Journal by lheal on Friday June 17, 2005 @09:17PM

(I posted a version of this today as a reply to someone's comment expressing doubt about Microsoft's true level of interest in securing their software).

To Microsoft, security is about features. A builtin "firewall", VPN, encryption of this or that, trusted something or other. Applets and wizards.

They're basically stuck in that position, too. The cash cow is actually layer upon layer of such features, fundamentally designed for a different, and far less ambitious, job than it's now asked to perform.

I'd better stop, or I'll go into full-on rant mode. Oops, too late.

Windows needs a complete rewrite, but that's not enough. If they did that now, they'd wind up with the same sorts of problems they currently have.

Even a total refocus on security is not enough. They have to change who they are as a company.

It's my understanding that at Microsoft, as at many software companies, the prestige and resources allotted to a group of programmers are determined by how much revenue their piece of the product will produce.

To make software customers can trust, they will have to change that mindset.

To a software business the value of a product can be measured by how much money it makes, but it's an unholy error of the stupidest freshman sort to value individual parts of the design by how much they'll bring in. Some parts are so essential, and some phases of design so vital, that without proper attention paid to them the overall product falls on its face.

The marketplace doesn't know enough about the inner workings of your product to tell you what value to place on any particular phase of design. The market (eventually) tells you how well it likes the finished product versus your competitor's, but hidden design processes aren't part of the comparison.

Security has got to be considered at every step of the design process. It follows along with robustness, portability, scalability, and overall algorithmic soundness.

I have a suggestion for you Microsoft design managers out there, for the next time your boss says, "Hey, let's make [X] really easy - that would really sell!". Don't just nod. Look at them and say, "Maybe, but it would also be simple to exploit."

The response will tell you how far the focus has really shifted.

This discussion has been archived. No new comments can be posted.