Subject: Re: Microsoft: Closed source is more secure
From: Ben_Tilly@trepp.com
Date: Wed, 25 Apr 2001 10:07:38 -0400
Keith Bostic quotes:
> SAN FRANCISCO--The head of Microsoft's security response team argued
> here Thursday that closed source software is more secure than open
> source projects, in part because nobody's reviewing open source code for
> security flaws.
>
> "Review is boring and time consuming, and it's hard," said Steve Lipner,
> manager of Microsoft's security response center. "Simply putting the
> source code out there and telling folks 'here it is' doesn't provide any
> assurance or degree of likelihood that the review will occur."
>
> The comments, delivered at the 2001 RSA Conference, were a challenge to
> one of the tenets of open source, that 'with many eyes, all bugs are
> shallow.'
>
> "The vendor eyes in a security review tend to be dedicated, trained,
> full time and paid," Lipner said.
[...]

From a vendor's eyes, security reviews are a major cost center.

In the real world things that get labelled "costs" quickly migrate to
the bottom of the corporate rung on priorities.  The gut reaction in
virtually any business is to try to find ways to not pay costs, but to
pass them on to someone else.  Security is no different, which is why
software companies over time have migrated the legal costs of
inadequate security to consumers, and then quietly moved it fairly low
on their priority scale.

In this respect Microsoft is one of the worst offenders.

I cannot pretend to be a student of finance or history, but without
some external motivation (be that legal, a certification, active
consumers), this is going to be the inevitable reaction of any
corporation.

Cheers,
Ben