[Salon] Fielding calls MSFT sec. claim "absolute crap"

Rohit Khare Rohit@KnowNow.com
Fri, 12 Apr 2002 03:12:48 -0700

... excerpt from an article in Salon, ahem, critiquing the MSFT security =
article in the Times earlier this week.=20


PS. The most interesting part of the ballyhooed Hailstorm failure is =
that they will ell be successful at selling software licenses (damn =
old-fashioned business model!)  so all those other privacy-destroying =
multimational ogres can run their own identity services anyway :-)


Roy Fielding, a Web pioneer who helped create the Apache Web server used =
by the majority of publicly accessible Web sites (it's serving the page =
you're reading) and is now chairman of the Apache Software Foundation, =
points out that one root of Microsoft's security woes lies in its =
development process itself -- which "encourages individuals to make =
large changes to the products under deadline pressure, without adequate =
peer review of every single change at the time it is made." Open source =
works differently: "Every change that is made to the Apache code bases =
is ... posted to a mailing list where any person who wants to review =
changes can do so, in public, and the first person who identifies a =
potential security problem in a change is given instant credibility =
within the community."=20

In this view, the total number of "man-years" of security code review is =
largely irrelevant. No matter how smart Microsoft's developers may be, =
they are all part of one company's culture, and the odds are good that =
no matter how many hours they spend improving their code, they will not =
collectively be able to imagine all the myriad ways the entire universe =
of computer users -- and mischief-makers -- will attempt to break it.=20

Fielding says that Lipner's "more man-years" claim is "absolute crap. =
They probably spent more money on it, but he is misdirecting the public =
based on the theory that there are fewer open source developers per =
project than there are people per project within Microsoft. Open source =
developers are only a small subset of the people who do security reviews =
of open source code. Most open source security reviews are done by the =
hackers and security consultants that make a living from finding (and =
sometimes exploiting) security holes. They have a very strong incentive =
for publishing their findings."=20

The open-source model, in other words, allows for a kind of global =
stress-testing, peer review and transparent repair that Microsoft can =
never guarantee. Since its code is proprietary, you can only take =
Microsoft's word that it has fixed bugs and plugged security holes. And =
the next time a rogue virus takes down your company's e-mail server, all =
you can do is curse -- and wait for the company to issue a fix.=20