Microsoft's Report Card

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,77462,00.html

By CAROL SLIWA 
JANUARY 13, 2003
Computerworld

Grades ranged from B+ to D- when Computerworld asked IT managers, 
analysts and security professionals to rate Microsoft's progress on 
its Trustworthy Computing initiative during the past year. Excerpts 
follow: 

* Charles Emery, senior vice president and CIO, Horizon Blue Cross 
  Blue Shield, Newark, N.J.

Grade: B

Reason: "The automatic updates within the operating system are helpful
and timely. Anything that receives as much focus as Microsoft is
giving this issue is bound to improve, but sadly, there are people who
are constantly trying to find new ways to break in."


--------------------------------------------------------------------------------

* Paul Lanham, senior vice president and CTO, Jones Apparel Group, 
  Bristol, Pa.

Grade: D

Reason: "In the short term, I wouldn't give Microsoft high marks for 
now focusing on security issues that should have been embedded in 
their development process to begin with. They have a lot of history to 
deal with in the short term. Of course, it's easy to criticize their 
current state, but they at least get a good grade for recognizing the 
current reality that their market position could erode if basic 
measures in this area are not undertaken."


--------------------------------------------------------------------------------

* Andre Mendes, chief technology integration officer, the Public 
  Broadcasting Service, Alexandria, Va.

Grade: B+

Reason: "On one side, they have obviously identified a lot of the 
problems that existed with their legacy environments and have 
aggressively addressed them. On the other side, there were a couple of 
occasions where they still reverted to minimizing the criticality of 
some of the holes."


--------------------------------------------------------------------------------

* Russ Cooper, security consultant, TruSecure Corp., Herndon, Va.

Grade: D-

Reason: "In my opinion, Microsoft hasn't made any perceivable progress 
in the last 12 months with respect to security. The security bulletin 
process has been up and down. Their responsiveness has been good and 
bad. Windows Update has been augmented by a lame sister known as 
Software Update Services."


--------------------------------------------------------------------------------

* Jason Fossen, a SANS Institute lecturer and president of Fossen 
  Networking & Security, a Windows security consultancy.

Grade: B+

Reason: "Never before have Microsoft's future profits been so at risk 
by the security or insecurity of their products. Microsoft's entire 
XML/SOAP/.Net project to make the Web services business model a 
reality will sink if IT decision-makers believe it is insecure. 
Microsoft is betting the farm on .Net Web services; hence, they're 
motivated to shape up, and so far, they're following through."


--------------------------------------------------------------------------------

* Marc Maiffret, co-founder and chief hacking officer, eEye Digital 
  Security, Aliso Viejo, Calif.

Grade: B

Reason: "At least when Microsoft makes a claim that they are doing 
something about security, they are making a little bit of effort. I 
wouldn't say it's enough to where it needs to be. But the effort 
they're putting into it is far more than other companies out there. 
I'd give almost every software company out there an F."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.