Microsoft's Michael Howard: Sure we have security problems, but we're fixing 'em

Summary: Microsoft Security guru Michael Howard gave a spirited defense of Jeff Jones' research and had one big message: Microsoft has admitted it has security problems. What about the rest of the industry?


Give Howard props for passion--his post displays a lot of it.

First, he notes that Jones' vulnerability counts aren't perfect, but they're the best metric we have. From there he proceeds to deliver a few choice quotes. Among them:

  • Let's go back to Jeff's recent analysis. Cover up the Mac OS X and Linux stats for a moment so you can only see the Windows XP SP2 and Windows Vista bars. Windows Vista has had fewer security vulnerabilities than Windows XP SP2. Conventional wisdom (which is often wrong, especially when it becomes urban legend) tends to suggest that the more lines of code you have the more bugs you have. That might very well be true, and Windows Vista is certainly larger than Windows XP SP2; yet right now, we are on track for an approximately 50% reduction in vulnerabilities compared to Windows XP SP2. Think about that figure for a moment: about a 50% reduction (and that does not account for the reduction in vulnerability severity) despite the increase in code size.

  • The reason you're seeing a reduction in vulnerabilities across major Microsoft products is simple:

Microsoft recognized it needed to improve security. Bill said so (as did the rest of senior management). Our group swung into action and helped the rest of the company come up to speed on security issues. The Microsoft development processes changed to adopt the SDL.

  • Referring to Ubuntu and Mac OS X, Howard wrote:

How many people involved in the development of these other products have you heard say, "Wow, we have a lot of security bugs, we really should do something systematic to fix this problem." I'll be very happy to be proved wrong, but all I hear is crickets. I see no-one else in the industry standing up and saying, "Let's fix this."

I just hear emotion, excuses and dogma.

Is Howard biased? Sure he is. But he may also have a point. Funny how a message delivered without Jones' baggage is more effective.


About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic.
