Everything you say is true, insightful, and irrelevant.

You have accurately described Microsoft's behaviour. You have raised issues of motivation which, based on past actions, I would say that any company should think long and hard about before following the vision that Microsoft is trying to impose on the world. But it really doesn't address the points that I was trying to get at.

Sure, Microsoft has lots of good people. If security was their top priority then they should be able to do a far better job than they have done. But it isn't, and it isn't for basic business reasons. And those reasons are inherent in the current system, they would remain there no matter who was on top.

There is a simple principle from which you can understand a lot of business behaviour. A well-run business will try to divide what they do into profit centers and cost centers. Given that the business wants to make money, it will then throw money and effort into the perceived profit centers, and aim with the cost centers to do the minimum it thinks it can get away with. And if it can, it will attempt to further minimize costs by shoving those costs off to other people. This is a simple pattern, but one which applies time and again to why companies act like they do.

Now let's apply this to software. Which does security fall into, is it a profit center or a cost center? Well clearly it is a cost center. It costs money to get security right, but it is hard for people to tell how much you have so you don't get anything for it. Feature lists sell software. Security, no matter how much better it might make people's lives, doesn't.

And so this means that software companies should shortchange security. They should try to do the minimum they think they can get away with. Given the choice between having to fix problems and hiding them under the carpet, they will likely hide them under the carpet. Furthermore you should expect to see companies try to make security someone else's problem where possible.

How does this theory match with reality? Well pretty well. I need not recite a litany of complaints about companies (not just Microsoft) shortchanging security. The tendency on the part of most companies to avoid fixing problems if they could is what led to the full-disclosure movement, no surprises there. And as for making the problem someone else's problem, have you read the warranty disclaimers that are now standard with software? And have you looked at the kind of laws (e.g. the DMCA) which companies have been lobbying for?

Security is a cost center. As long as that remains the case, programmers will be under pressure to cut corners and shortchange security. And this will continue to be the case unless and until there are lemon laws which make security so much a problem for software companies that they have to get serious about it. (And then how do you write said laws so that they don't hose open source software? There are some tricky questions here...)

We can talk about Microsoft's anti-competitive behaviour some other time... :-)


In reply to Re (tilly) 2: What is the real problem here? by tilly
in thread Passport Security by tilly
