Microsoft Security guru Michael Howard gave a spirited defense of Jeff Jones' research and had one big message: Microsoft has admitted it has security problems. What about the rest of the industry?
Give Howard props for passion; his post displays a lot of it.
First, he notes that Jones' vulnerability counts aren't perfect, but they're the best metric we have. From there he proceeds to deliver a few choice quotes. Among them:
- Let's go back to Jeff's recent analysis. Cover up the Mac OS X and Linux stats for a moment so you can only see the Windows XP SP2 and Windows Vista bars. Windows Vista has had fewer security vulnerabilities than Windows XP SP2. Conventional wisdom (which is often wrong, especially when it becomes urban legend) tends to suggest that the more lines of code you have the more bugs you have. That might very well be true, and Windows Vista is certainly larger than Windows XP SP2; yet right now, we are on track for an approximately 50% reduction in vulnerabilities compared to Windows XP SP2. Think about that figure for a moment: about a 50% reduction (and that does not account for the reduction in vulnerability severity) despite the increase in code size.
- The reason you're seeing a reduction in vulnerabilities across major Microsoft products is simple:
Microsoft recognized it needed to improve security. Bill said so (as did the rest of senior management). Our group swung into action and helped the rest of the company come up to speed on security issues. The Microsoft development processes changed to adopt the SDL.
- Referring to Ubuntu and Mac OS X, Howard wrote:
How many people involved in the development of these other products have you heard say, "Wow, we have a lot of security bugs, we really should do something systematic to fix this problem." I'll be very happy to be proved wrong, but all I hear is crickets. I see no-one else in the industry standing up and saying, "Let's fix this."
I just hear emotion, excuses and dogma.
Is Howard biased? Sure he is. But he may also have a point. Funny how a message delivered without Jones' baggage is more effective.