Joe Klein | 15 Apr 20:42 2001

RE: Users slam Microsoft Security Analyser


I disagree. Security starts with stable hardware and physical location.
Next is a secure OS model and coding practices within the OS. Next is
secure coding practices at the applications layer. Lastly, the systems
are managed by trained and qualified Sys Admins with some security
knowledge. Note that this is referred to as "Defense in Depth".

Now let's begin our review of Microsoft.

1. Sales people sell the hardware and software. Microsoft trains the
Sales people both at hardware and software companies to sell their
product. The sales people are commissioned to sell as many 'boxes' as

2. Software developers designed the Microsoft OS's and applications.
They were trained by Sr. Software Developers at Microsoft to code in a
specific way.

3. Microsoft provides training to Project Managers and Software
developers in the field to program the Microsoft way. Note: I attended
one such course last year. Security was not discussed and not
even part of the Microsoft Development model. When I mentioned security,
I was told that 'security handled by the OS'. Also note that the
instructor was from Microsoft Professional Services and not a

4. Microsoft System Administrators attend Microsoft certification
classes to learn how to best manage the Microsoft servers. Microsoft
teaches 2 classes on security. Upon attending the class, I realized
