10-16-2003, 10:13 AM   #2
doctorgonzo
Professional gadfly
 
Join Date: Jan 2002
Location: Minneapolis, MN
Posts: 6,364
I tend to think so, but I don't think it is limited to just M$. To make software secure, security has to be included from the very beginning. Security is part of the foundation; it is not something you can add on afterwards as decoration.

At this point, there is no reason for M$, or any other software company for that matter, to seriously include security in their products. For one thing, security just isn't easy to understand, nor is it particularly compelling. People may buy Windows when they see that it has "cool software for making movies!", but nobody knows what a buffer overrun is, nor do they know what that means in terms of security. Security works best in the consumer's eye when it is invisible, and you can't sell a product based on invisible features. But probably the biggest reason why software companies don't care about security is because there is no economic reason to do so. As long as software companies aren't liable for their products, they have no incentive to improve them. As soon as people start successfully suing M$ because their flaws in IIS or some other product led to a hacker stealing credit card information and ruining credit ratings, security will become more important.

Until then, I don't see things changing. Looks like I will be running Windows Update once again today.