I was reading Robert Scoble’s post on “Longhorn Myths”, and I noticed this comment from “Dave” in his comments thread:
Most outlandish Longhorn myth? I mean this with all due respect, and say it with complete sincerity…. it will be one that MS will in fact say: that Longhorn will be a very secure sytstem.
Yes, it will be much more secure than any other verison of Windows. Yes, it will be as secure as MS can possibly make it. But try as they might, a few factors come into play that will make it next to impossible for Longhorn to be a very secure system.
(1) Longhorn, being a Microsoft product and a popular product, is destined to be targeted by hackers around the world. If there’s a hole to be found, they’ll find it. And nobody can make a system 100% secure.
(2) MS still places a higher emphasis on new forms of functionality/interaction than they do on security. Yes, they have a greater emphasis on security than even one year ago, but their concern – at this point in the Longhorn product life cycle – is more on getting things to work and work well than it is to play devil’s advocate and find all the security holes they can find.
My response (updated and edited): Um Compared to what? Linux? Hands down, Longhorn will be more secure out-of-the-box than any Linux distribution available at the time.
There will be holes found in Longhorn, absolutely. But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn’t yet (The OpenBSD guys appear to get it, but I’ve not seen any indications of this level of scrutiny associated with the other distributions).
The Linux guys will eventually, but they don’t get it yet.
If you’re going to argue that Linux/OSX is somehow safer because they’re not popular, then that’s relying on security by obscurity. And that dog don’t hunt 🙂
Even today, I’d stack a Win2K3 machine against ANY Linux distribution out there on the internet. And Longhorn’s going to be BETTER than Win2K3. After all, Longhorn’s starting with an amalgam of Win2K3 and XP SP2, and we’re enhancing system security even beyond what’s gone into the previous releases.
“Dave’s” comment #2 is the one I wanted to write about though. Microsoft doesn’t place a higher emphasis on new forms of functionality than they do on security. Security is an integral part of every one of our development processes here at Microsoft. This hits every aspect of a developer’s life. Every developer is required to attend security training, starting at New Employee Orientation, continuing through annual security refreshers.
Each and every new feature that’s added to the system has to be thoroughly threat-modeled, we need to understand every aspect that any new component can be attacked, and the kind of compromise that can result from a failure of each system. If there’s a failure mode, then we need to understand how to defend against it, and we need to design mitigations against those threats.
Every test group at Microsoft is required to have test cases written that test exploiting ALL of our interfaces, by various means. Our test developers have all gone through the same security testing that the other developers have gone through, with an intensive focus on how to test security holes.
Every line of code in the system is code reviewed before it’s checked into the mainline source tree, to check for security problems, and we’ve got a security push built-into the schedule where we’ll go back and re-review all the code that was checked in during the lifetime of the project.
This is a totally new way of working, it’s incredibly resource intensive, but the results are unmistakable. Every system we’ve released since we started implementing these paradigms has been significantly more secure than the previous ones, Longhorn will be no different.
I’m not saying that Longhorn will be security hole free, it won’t be. We’re human, we screw up. But it’ll be orders of magnitude better than anything out there.
Edit: Added the following:
By the way, I want to be clear: I’m not trying to denegrate the entire open source community. There ARE people who get it in the open source community. The OpenBSD link I mentioned above is a good example of a team that I believe DOES understand what’s needed these days.
I just don’t see the same level of rigor being applied by the general community. Maybe I’m just not looking in the right places. Believe me, I’d LOVE to be proven wrong on this one.
Edit: Replaced thread-modeled with threat-modeled 🙂