Essays: 2002 Archives

Should Vendors be Liable for Their Software's Security Flaws?

  • Bruce Schneier
  • Network World
  • April 22, 2002

Network security is not a technological problem; it’s a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies – both vendors and users – must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.

The only way to get many companies to spend significant resources to ensure the security of their customers’ data is to hold them liable for misuse of this data. Similarly, the only way to get software vendors to reduce features, lengthen development cycles and invest in secure software development processes is to hold them liable for security vulnerabilities in their products…

Results, Not Resolutions

A guide to judging Microsoft's security progress.

  • Bruce Schneier and Adam Shostack
  • SecurityFocus
  • January 24, 2002

Last week, Bill Gates published a company-wide memo outlining a new strategic direction for Microsoft. Comparing this to the change when the company embraced the Internet, Gates elevated security to Microsoft’s highest priority. By focusing on what he called “Trustworthy Computing,” Gates plans on transforming Microsoft into a company that produces software that is available, reliable, and secure.

“We must lead the industry to a whole new level of Trustworthiness in computing.” – Bill Gates internal memo, 15 January 2002.

Trust is not something that can be handed out; it has to be earned. And trustworthiness is a worthy goal in computing. But unlike performance goals or feature lists, progress toward it is hard to measure. How can we determine if one piece of software is more secure than another? Or offers better data integrity than another? Or is less likely to contain undiscovered vulnerabilities? How do we know if Microsoft is really committed to security, or if this is just another performance for the press and public? It’s not as easy as measuring clock speeds or comparing feature lists; security problems often don’t show up in beta tests. As longtime security experts, we’d like to suggest some concrete ways to evaluate Microsoft’s (and anybody else’s) progress towards trustworthiness. These are specific and measurable changes that we would like Microsoft to make. This is not intended to be an exhaustive list: building secure software requires much more than what we delineate here. Our goal is to provide a list of measurable recommendations, so that the community can judge Microsoft’s sincerity. Some of our recommendations are easier to implement than others, but if Microsoft is serious about security and wants to take a true leadership position, they can’t shirk any of them. Some of our changes are easier to verify than others, but it is our goal that all of them be independently measurable. In the end, the pronouncements and press releases don’t mean a thing. In security, what matters are results. If we can distill our recommendations into a single paradigm, it’s one of simplicity. Complexity is the worst enemy of security, and systems that are loaded with features, capabilities, and options are much less secure than simple systems that do a few things reliably. Clearly Windows is, and always will be, a complex operating system. But there are things Microsoft can do to make even that complex system simpler and more secure. Microsoft must focus its programmers on designing secure software, on building things right the first time…

Con: Trust, but verify, Microsoft's pledge

  • Bruce Schneier
  • CNET News.com
  • January 18, 2002

Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we’ll have to wait to see if his call represents a real change or just another marketing maneuver.

Microsoft has made so many empty claims about its security processes–and the security of its processes–that when I hear another one, I can’t help believing it’s more of the same flim-flam.

Anyone remember last November when Microsoft’s Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default? Not only did the Universal Plug and Play (UPnP) vulnerability that was found last month exploit an unneeded feature that was enabled by default, but it also was a buffer overflow…

The Case for Outsourcing Security

  • Bruce Schneier
  • IEEE Computer
  • 2002

Deciding to outsource network security is difficult. The stakes are high, so it’s no wonder that paralysis is a common reaction when contemplating whether to outsource or not:

  • The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
  • The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake…

Sidebar photo of Bruce Schneier by Joe MacInnis.