Microsoft under attack – and it’s not what you think

I really never thought I would see this day! But this is a very interesting read.

“ source developers and security professionals accusing them [Microsoft] of being obsessed by security.”

You bet we’re obsessed!

Comments (11)

  1. Peter Ritchie says:

    You should know by now, people have a hobby of complaining about Microsoft.  "Its security is too lax"…Microsoft compensates for unethical people with initiatives like SDL…"Microsoft’s security is too heavyweight".  Damned if you don’t, damned if you do…

  2. Priyajeet says:

    This is hilarious. It seems no matter what MS does or will do, there will be someone else whining about them.

    I can guess each MS employee enjoys their work day ending by reading some hate mail 😀

  3. Michael Howard announces on his blog the release of his new book "The Security Development Lifecycle"…

  4. Vasu says:

    That’s amazing! Thanks for being a good sport about this, Michael.

    Keep up the good work, let the whiners do their thing!

  5. When you think about security as a game developer, two technical topics mainly come up:…

  6. Hi…

    we just did a security-related roadshow here in Germany. Still, security does not attract the masses…

  7. shannon says:

    First, I think Microsoft has done a great job overall in addressing common security problems in the last few years (and well they should, since they also single-handedly infected the world with users who believe they have an inalienable right to routinely run as a local admin, something that any administrator worth his salt would not even do himself).

    But your blog entry is very misleading, and seems intended to just give you a chance to plug Microsoft’s security initiative by referencing an article that has nothing to do with your entry.

    Nowhere in the article does the author say that Microsoft is obsessed with security (only the summary says it, and who knows who wrote the summary to Johan Peeters’ article? — a summary is distinct from content produced by an author, and this particular summary doesn’t seem to even summarize the content at all).  The article itself implies that a representative of a company called Secure Software (Pravir Chandra) believes that SDL is "too heavyweight", but it is not clear from the author’s statement whether this is actually Chandra’s belief or Peeters’s belief.  In any event, it is entirely possible that every happy little open-sourcer in the world believes Microsoft is doing a fantastic job with security, while at the same time also believing that the SDL specification is poorly written (I have no opinion on SDL either way), so I don’t think there’s much reason to believe that this obviously poorly written article is the representative voice of the open source community, or that the open source community is attacking Microsoft for addressing security.

    Please feel free to correct me if I’ve missed something, but I think I’ve done a pretty careful read of the referenced material.

  8. shannon says:

    Microsoft is the best!  Cool..

  9. bwn says:

    Hey Howard, I have run across this vulnerability in MS as well as Firefox.

    A spam site owns

    I discovered this by accident and need help, please. I am using MSN’s URL as an example and hope it isn’t a problem.

    This takes you to a spam site. I have contacted the company and it is referred to as a wildcard subdomain. I was told they have been doing this a long time and MSN was aware of it.

    My question is: is this an exploit? How can I stop my URL from coming up when this is added to the end of my .com domain?

    In Google or Yahoo the .org doesn’t work, but in MSN it does. How do Google and Yahoo stop it from happening?

    I hope you can offer me some suggestions.


  10. As one of the panelists, I feel that the summary is slightly overblown. During the panel, one of us noted that Microsoft was promoting more security than most firms can muster or even want to achieve, and what was even funnier was that the panelists basically agreed with each other… and Microsoft 🙂 To anyone in the security industry over the last few years, this is no surprise – this is how basic research pays off. Do the hard yards, and by default, you’re the leader.

    As noted in Johan’s article, my work has implemented an SDL-like process (mainly through my instigation, but it wouldn’t have succeeded without senior management buy-in), and it is working. The projects which undergo our process (we call it "Enterprise Security Architecture") are demonstrably more secure and harder to attack than those which do not undergo it.

    We have also implemented a sort of security buddy system, which pays immense dividends considering how many projects are underway at any given time. The SDL makes doing security a cost-effective use of your time and security budget. There is basically nothing else out there, so why not give it a go?

    I can’t wait for the SDL book to come out – I’ll be buying copies for all of my team. The galley that Alex had was just awesome.