Demand Better, or You'll Get Worse

Since 2002, when Microsoft launched the Secure Windows Initiative (SWI) and the Trustworthy Computing program, the company has invested a huge amount of money in security. This investment has driven changes in Microsoft's internal development and testing processes, its patch release and test schedules, its customer communications, and the functionality included in its products. These changes have been transformative, and they've upset more than a few applecarts in Redmond. Why did Microsoft do this?

Because you demanded it. The people who pay Microsoft good money for its products made it clear that they wouldn't put up with half measures and that they expected Microsoft to take security more seriously. So, Microsoft made some deep changes to the way it does business, and now it's reaping the rewards. Analysts, the press, and customers all agree that Microsoft has dramatically improved its security posture and the security quality of its products. (If you don't believe me, go to and look at the number of security bulletins for Windows Server 2003 and Windows XP compared with any of Microsoft's competitors.)

So, what's the big deal? No one else is copying Microsoft, that's what. That tells me two things: First, all the folks who said that vendors won't take security seriously until customers forced them to do so were right. Second, no one is holding other companies' feet to the fire.

Security researcher David Litchfield wrote an incendiary letter last week titled "Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers" ( ). In it, he cites the considerable difference between what Oracle says about security (remember the company's laughable "Unbreakable" campaign?) and what it actually does. Here's an excerpt:

"As an example of this, Alert 68 attempts to fix some security holes in some triggers; the flaws could allow a low privileged user to gain SYS privileges--in other words gain full control of the database server. The example exploit I sent to Oracle contained a space in it. Oracle's fix was to ignore the user's request if the input had a space. What Oracle somehow failed to see or grasp was that no space is needed in the exploit. This fix suggests no more than a few minutes of thought was given to the matter. Why did it take 8 months for this? Further, how on earth did this get through QA \[Quality Assurance\]? More, why are we still waiting for a proper fix for this?"

The answer to those questions is simple: Oracle's customers aren't yelling loud enough. Before this column turns into an extended Oracle- bashing session, let me point a finger at a different company, one whose products are well known and widely deployed in the Windows world: VERITAS Software, now part of Symantec. In the past 3 months, researchers have found and publicized two major security flaws in VERITAS Backup Exec and VERITAS Storage Exec. The good news is that VERITAS acted quickly to release fixes, but the underlying cause of these bugs appears to be sloppy coding in Backup Exec 8.x; those particular bugs never should have been included in the current 10.x products. However, in the absence of loud shouting from customers, VERITAS will probably continue to follow the traditional model of reacting to vulnerability disclosures by releasing patches. Many more examples exist--Cisco Systems, Red Hat Software, Apple Computer, and other vendors have suffered similar embarrassments throughout the year.

What Symantec, Oracle, Apple, and every other vendor in the IT market has to realize is that customers are unhappy with the current state of affairs. Microsoft found that out because it spent a lot of time and money surveying customers to find out how it could improve.

If the vendors whose products you depend on ask you what you think, tell them you demand better security efforts. If they don't ask, tell them anyway. Tell your sales reps. Tell other administrators. Tell your C-level executives. Tell the press. Tell me. Tell anyone who will listen. This might seem like a needless hassle, and perhaps it is. But if you don't demand better security, history clearly shows that you won't get it.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.