Making Progress in Security? A Personal View


I don’t normally comment on security issues, mostly because it’s not my specialist subject. It’s fair to say though that our record hasn’t always been admirable in years gone by, as Slashdot and others gleefully point out. But sometimes perception starts to overtake reality, and comments that are no longer justified start to take on a life of their own.


I saw one statistic that shocked me this afternoon though. Windows Server 2003 has been released for a whole year now. How many vulnerabilities do you think we’ve had to patch in IIS 6.0 over that time? Check out the answer for yourself by visiting the TechNet security centre and selecting “Internet Information Services 6.0” from the drop-down list. I often hear developers say that Apache is far more secure, but is it?


Don’t get me wrong – I’m not for a moment trying to suggest we’ve solved the problem, or that we’re in any way complacent. I know we’ve got a huge amount of work to do before we can truly stand up with our heads high. We are deadly serious about getting this right. But perhaps we’re not quite as bad as the industry perception suggests…


Comments (6)

  1. Anonymous says:

    There is one thing that still bothers me...

    Microsoft still not fixing security issues fast enough:

    http://www.eeye.com/html/Research/Upcoming/index.html

    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html

  2. Anonymous says:

    I think the important thing is that most of the security problems are very simple; buffer overruns or something similar. I would be much more worried if the problems were on the architecture/software design side. Simple typos are easy to fix, and eventually there will be libraries that are likely to prevent them from causing trouble.

  3. Anonymous says:

    <Check out the answer for yourself by visiting the TechNet security centre and selecting "Internet Information Services 6.0" from the drop-down list. I often hear developers say that Apache is far more secure, but is it?>

    Regardless of which MS product you choose on that site – it still brings up a blank list. Something tells me that simply can’t be right 🙂

  4. Anonymous says:

    Piyush, I definitely don’t get that – do a search for Windows NT 4.0 for example and see a fairly large number of patches 🙂

    Juha, I quite agree: it’s a matter of design and then of process.

    Tim

  5. Anonymous says:

    Aviv, I think this article highlights at least some good reasons why we don’t always release patches "on time":

    http://www.computerworld.com/printthis/2004/0,4814,92037,00.html

    You might have noticed that we’ve moved to a monthly cycle of releases to help administrators plan for the quick implementation of security patches.

    Interested in your thoughts…

    Tim