10 Years of Trustworthy Computing at Microsoft
Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines: Oh, you are joining a desktop company? ...
10 Reasons to migrate off Windows XP
I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled very well by the industry. How you used technology, how you used the Internet, the ...
Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security
A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things: Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards. Office 365 is the first and only major ...
Cybersecurity–More than a good headline
A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is, that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.
This made us thinking about what is needed to run a successful Cybersecurity Agenda within a country? What themes ought to be ...
The Debate on Security Metrics By Roger Halbheer, on May 20th, 2008 Recently I was sitting on a panel which was pretty heterogeneous: There was a representative from IBM (actually from former ISS), customers, a representative from the Open Source community (who actually, during his presentation always said how bad our security is) – well, and me.
In order to have some fun, the moderator wanted to bring some fire in the discussion and said: We often hear people saying that Open Source is more secure than your software model, what do you have to say on this? Well, there were so many different themes on the table which were – in my opinion – more interesting to discuss than a debate on Open Source vs. Microsoft, I actually did not want to go down that road. So, I asked the moderator back: Could you please elaborate a little bit what you mean by “more secure”.
To cut this story short, we actually had a very good discussion on how security can be achieved, what is necessary and a little bit on metrics.
Why am I raising this? Well I read a blog post this morning on our Security Development Lifecycle blog called How Secure is Secure? Where Eric Bidstrup actually raises a few very good points:
- He differentiates between Security Functional Requirements and Security Engineering Quality Requirements. If is obvious that the primary focus of SDL is the second. However, if you do good Threat Analysis, you will tackle quite a bunch of the first as well.
- And then he points out an interesting figure: Microsoft has been releasing security bulletins since 1999. Based on some informal analysis that members of our organization have done, we believe well over 50% of *all* security bulletins have resulted from implementation vulnerabilities and by some estimates as high as 70-80%. (Some cases are questionable and we debate if they are truly “implementation issues” vs. “design issues” – hence this metric isn’t precise, but still useful).
So, we could raise the debate again on the value of the “number of vulnerabilities”-metric again but I actually would rather like you to read the post.
Roger
Related posts:
- Schneier on US Customs Notebook Searches: Do not follow the rules
- The Best Security Blogs on the Web
- Security Risks of Virtualization
- 8 Dirty Secrets Of The Security Industry
- Security Pros ignoring their own message
Leave a Reply
|
|
|
