Wresting free from a software straitjacket


There’s an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG’s Trustworthy Computing memo.


IMHO, here’s why such an email is so important. If you don’t get the senior management team to buy in to this security engineering stuff, you will make no real progress. Sure, you might win a few battles along the way and squish a few bugs, but you can’t make wholesale changes and real progress unless the senior execs know there is a difficult problem to solve, and are then willing to spend time and resources on the problem.


Some of our competitors have pooh-poohed Bill’s TwC memo as a marketing ploy. It isn’t. It’s a battle cry and a call to action.

Comments (6)

  1. Dean Harding says:

    Heh, well we all know Oracle’s track record when it comes to security. Why worry about security when you’re "unbreakable" anyway?

  2. Rory McCune says:

    Definitely. I’d usually say that THE most important item on any security strategy for a company is senior executive buy-in, because without that you’ll be fighting competing business priorities every step of the way.

    And to start improving things you’ve got to admit you’ve got a problem, so you can see where Oracle are going wrong…

  3. Mike Andrews says:

    Amen to that!

    I’ve worked with plenty of software companies, and if you don’t get senior buy-in, then a lot of the security stuff gets wasted (if not immediately, then certainly over time).

    We all know that security is a trade-off, and when it starts to impact the company/users/bottom-line then it takes strong management to keep taking the medicine. If there’s one thing I admire about Microsoft, it’s that they started, and continue to, take the bitter pills.

  4. Alun Jones says:

    For every security policy, there’s always an employee, manager, director, or VP that believes himself or herself to be "too important to bother with that".

    When the message comes from on-high that "this policy is so important, it applies to ME", it’s a whole lot easier to get things changed for the good of the world you inhabit.

    Of course, in some fields, you also have the benefit of being able to say "this policy implements such-and-such a regulation, and if you fail to follow it, you will go to jail".

  5. Jonathan says:

    "We all know that security is a trade-off, and when it starts to impact the company/users/bottom-line then it takes strong management to keep taking the medicine. If there’s one thing I admire about Microsoft, it’s that they started, and continue to, take the bitter pills."

    I hear you there, Mike. Not only has Microsoft accepted the trade-off, though, they are producing better products because of it. SQL Server is just one example and I’m sure we’re going to see improvements with Office 2007 and Vista’s vulnerability rates as well. I can hardly wait until Jeff and Michael have blog posts announcing that "Longhorn" (or whatever it is eventually named) has just finished its first year of service with no vulnerabilities. I bet you can’t find anyone who would have even dreamed that about Server 2003, even though it is a much improved piece of software.
