is this wrong?
Microsoft’s Many Eyeballs and the Security Development Lifecycle
http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyebal...
On Tue, 2010-02-16 at 08:33 +0200, cornel panceac wrote:
is this wrong?
Microsoft’s Many Eyeballs and the Security Development Lifecycle http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyebal...
"In product after product, Microsoft continues to ship fewer vulnerabilities than our competitors. Look at the results from Jeff Jones blog: http://blogs.technet.com/security/. Jeff is a Microsoft guy, of course, and thus not an entirely impartial source."
*exhales coffee at high velocity*
The issues with Jeff Jones' posts are well-known, and this kind of thing is exactly why I wish he'd stop making them. I think Jeff's an interesting guy who genuinely has good intentions in what he does, but the problem is his posts then get used for simple-minded 'ours is bigger than yours, la la la' crap like this, which I doubt Jeff really intended.
Aside from that, the correct answer to the question is "it's impossible to know", because Microsoft will never actually give you a straightforward answer to the straightforward question "who exactly is involved in ensuring the correctness and security of Microsoft's code, and how do they do this?" They just expect us to take long-on-bluster, light-on-facts blog posts like this as gospel and trust that they have everything under control. Which is the advantage (as far as they're concerned) and the disadvantage (as far as others are concerned) of the proprietary model.
His conclusion is simply off, too. "But the many-eyeballs epithet is an implicit assertion that code review is the only thing that matters" simply isn't really the case. Or if it is, it's a straw man. No matter what ESR wrote in a single-topic piece nearly a decade ago, I don't know of anyone actually involved in open source security who believes that all anyone needs to do is assert Many-Eyes-Code-Review to make their code magically safe. So either Shawn is cynically misrepresenting the open source security community, or he genuinely - but mistakenly - believes that's the case.
On 02/16/2010 11:45 AM, cornel panceac wrote:
That's exactly what I thought. But, leaving this aside, how can we use this kind of article to improve our testing/quality control/programming?
By pandering to the fears of the idiot masses?
Sorry... no.
Our best option is to simply ignore the idiots who write such light-on-facts crap and continue with what we've always done.
There is, literally, no point in pandering to the idiots... all you'll wind up with is more idiots.
Lyos Gemini Norezel